mrblack | 5803553052a81f6a0a7c79fafd26be7a0a23c01bf3d1d53fc9cf6360e73ae03b

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
28-09-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc7157213488275cdd9b82b59ab15657_JaffaCakes118
Size

1.1MB
MD5

fc7157213488275cdd9b82b59ab15657
SHA1

3c0b0b4b4408adc8022e96ae83daf38da01dd9fa
SHA256

5803553052a81f6a0a7c79fafd26be7a0a23c01bf3d1d53fc9cf6360e73ae03b
SHA512

b77568dd49d00c866c1a9abd2a2b0de489471676f9dd062fadf44f62a420eedefd0a1d0ef584570d59b4a488a3c65c41e766c8a7f83852a6c4c61ae626cded6a
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaQI+gIGYuuCol7r:4vREKfPqVE5jKsfaQRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/knerl	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

shchmodshchmodshchmodshchmod

pid process

1635 sh
1636 chmod
1644 sh
1645 chmod
1650 sh
1653 chmod
1658 sh
1659 chmod
Executes dropped EXE 2 IoCs

Processes:

knerlpythno

ioc pid process

/usr/bin/bsd-port/knerl 1600 knerl
/usr/bin/pythno 1608 pythno

pid	process
1635	sh
1636	chmod
1644	sh
1645	chmod
1650	sh
1653	chmod
1658	sh
1659	chmod

ioc	pid	process
/usr/bin/bsd-port/knerl	1600	knerl
/usr/bin/pythno	1608	pythno

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

fc7157213488275cdd9b82b59ab15657_JaffaCakes118knerl

description	ioc	process
File opened for modification	/etc/init.d/VsystemsshMdt	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/etc/init.d/selinux	knerl

Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
discovery

Internet Connection Discovery
T1016.001

Processes:

fc7157213488275cdd9b82b59ab15657_JaffaCakes118

description ioc process

File opened for reading /proc/net/route fc7157213488275cdd9b82b59ab15657_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/route	fc7157213488275cdd9b82b59ab15657_JaffaCakes118

Write file to user bin folder 9 IoCs

persistence

Processes:

cpfc7157213488275cdd9b82b59ab15657_JaffaCakes118knerlcpcpcpcpcp

description	ioc	process
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/knerl.conf	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/knerl.conf	knerl
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/bsd-port/udevd.conf	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/knerl	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/ps	cp

Writes file to system bin folder 2 IoCs

Processes:

cpcp

description ioc process

File opened for modification /bin/lsof cp
File opened for modification /bin/ps cp
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

fc7157213488275cdd9b82b59ab15657_JaffaCakes118knerl

description ioc process

File opened for reading /proc/cpuinfo fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading /proc/cpuinfo knerl

description	ioc	process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

description	ioc	process
File opened for reading	/proc/cpuinfo	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/cpuinfo	knerl

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

fc7157213488275cdd9b82b59ab15657_JaffaCakes118knerl

description	ioc	process
File opened for reading	/proc/net/dev	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/net/route	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/net/arp	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/net/dev	knerl

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

cpmkdircpcpknerlcpfc7157213488275cdd9b82b59ab15657_JaffaCakes118mkdircpmkdirmkdirmkdirinsmodcpmkdircpinsmodmkdircppythno

description	ioc	process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	knerl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	knerl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for reading	/proc/meminfo	knerl
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	pythno

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

pythnofc7157213488275cdd9b82b59ab15657_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/vga.conf	pythno
File opened for modification	/tmp/idus.log	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/tmp/apsh.conf	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/tmp/vga.conf	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/tmp/notify.file	fc7157213488275cdd9b82b59ab15657_JaffaCakes118
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/conf.n	fc7157213488275cdd9b82b59ab15657_JaffaCakes118

/tmp/fc7157213488275cdd9b82b59ab15657_JaffaCakes118
/tmp/fc7157213488275cdd9b82b59ab15657_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1558
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"
  2⤵
  PID:1584
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
    3⤵
    PID:1585
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"
  2⤵
  PID:1586
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
    3⤵
    PID:1587
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"
  2⤵
  PID:1588
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
    3⤵
    PID:1589
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"
  2⤵
  PID:1590
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
    3⤵
    PID:1591
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"
  2⤵
  PID:1592
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
    3⤵
    PID:1593
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1594
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1595
- /bin/sh
  sh -c "cp -f /tmp/fc7157213488275cdd9b82b59ab15657_JaffaCakes118 /usr/bin/bsd-port/knerl"
  2⤵
  PID:1596
- - /usr/bin/cp
    cp -f /tmp/fc7157213488275cdd9b82b59ab15657_JaffaCakes118 /usr/bin/bsd-port/knerl
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1597
- /bin/sh
  sh -c /usr/bin/bsd-port/knerl
  2⤵
  PID:1599
- - /usr/bin/bsd-port/knerl
    /usr/bin/bsd-port/knerl
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1600
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1615
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1616
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1617
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1618
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1619
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1620
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1621
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1622
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1623
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1624
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1625
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1627
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1628
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1629
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1630
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1631
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"
      4⤵
      PID:1632
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1633
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1635
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1636
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1637
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1638
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1639
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1640
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"
      4⤵
      PID:1641
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1642
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1644
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1645
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1646
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1647
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"
      4⤵
      PID:1648
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1649
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1650
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1653
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1654
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1655
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"
      4⤵
      PID:1656
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1657
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1658
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1659
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1660
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1661
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1602
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1603
- /bin/sh
  sh -c "cp -f /tmp/fc7157213488275cdd9b82b59ab15657_JaffaCakes118 /usr/bin/pythno"
  2⤵
  PID:1604
- - /usr/bin/cp
    cp -f /tmp/fc7157213488275cdd9b82b59ab15657_JaffaCakes118 /usr/bin/pythno
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1605
- /bin/sh
  sh -c /usr/bin/pythno
  2⤵
  PID:1607
- - /usr/bin/pythno
    /usr/bin/pythno
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1608
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1610
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1611

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMdt

Filesize
64B

MD5
9220437c334accbb9024461a9af144bc

SHA1
9431262b38656fa93a1d059b21434a1e16498558

SHA256
79d17aeb56e85133d01957335084871b1dc6acb59eeae19f6ea0ddf6e721bae5

SHA512
028db239b519e020a88aab33891d4b6cce605472a227a6cb995be755b1f8bb209a147da344d2a24433435a81b7a621fdbc7e561d8766379ec86fbb8b25cf1c38

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
caa27b819c9303446f702929874a00e8

SHA1
d24199c0e376edea3f822b215148cc0dc78364bf

SHA256
da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

SHA512
dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

Download Submit
/tmp/conf.n

Filesize
69B

MD5
604505bdb332c569c386564d9872c1ee

SHA1
29c2263d0bca4b18b722a9d1d11bebca1f2f3c6c

SHA256
b1dae2591ec0b392e4e817bd316aca149a24c2d4440e13ba48656417c4bd28a2

SHA512
29420e607ba82cb429896d71449ccedd7161a97e3b37f661f64d996e90464a69345f7f01a2c3fa52798a8a4cba3c9c9c3ca4428fc03caa686bbcd695b357aaa3

Download Submit
/tmp/idus.log

Filesize
4B

MD5
a2cc63e065705fe938a4dda49092966f

SHA1
ead98e0e365d07598a35ba682210564193928571

SHA256
8cd6cb7e1601eb5dcd0a0d3d8f62c2dd8ee483819f9130a34259a217e927679f

SHA512
559d67c6c601d021a8418fe53112d732aa3ad5d24c01ab5f9bb92f823b2db05e4e22eb759b93f29ee07b385da811edce44e84ed5f7fa5eec0839198c20aeda23

Download Submit
/tmp/notify.file

Filesize
51B

MD5
1f5533c330f66e167696705e3293b71c

SHA1
35928b5dae8260c283fbc7f9e6bb50752063b44e

SHA256
6dd591323c9819443fe7a1e7dd9b74eb01deb95be8a3f9da6efbffe81badb6cc

SHA512
ea26371f8762e66d47411a3feb8e656e089dfacdc6e5158394e7e02159104dc3513e4a66663a63063a0e57207c4e5787fcd71e3c7cad8cd01f6fe3a1e7b2324d

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
020c8bfac8de160d4c5543b96d1fdede

SHA1
f19483c6a9fbacfebff05eb372439d8c0403745f

SHA256
1e797595727addd0e2663019e48d48a6f1dd555174ab126d482d40a5c752988b

SHA512
09558996264f3665690e53af9a71eefa8ebc52edd31f3b6d1565256d6b0baa6cf9fef16d9a29dcf1dfc2bae3f9aa935d9f15c76530e62d4b98975c57fb2b567e

Download Submit
/usr/bin/bsd-port/knerl

Filesize
1.1MB

MD5
fc7157213488275cdd9b82b59ab15657

SHA1
3c0b0b4b4408adc8022e96ae83daf38da01dd9fa

SHA256
5803553052a81f6a0a7c79fafd26be7a0a23c01bf3d1d53fc9cf6360e73ae03b

SHA512
b77568dd49d00c866c1a9abd2a2b0de489471676f9dd062fadf44f62a420eedefd0a1d0ef584570d59b4a488a3c65c41e766c8a7f83852a6c4c61ae626cded6a

Download Submit
/usr/bin/dpkgd/lsof

Filesize
163KB

MD5
ab57b66cc531ae0f996963223e632b60

SHA1
bf7e5becd33f21c2539f5a75ffa0ab61c49c8795

SHA256
2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df

SHA512
908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

Download Submit
/usr/bin/dpkgd/ps

Filesize
138KB

MD5
8146139c2ad7e550b1d1f49480997446

SHA1
074db8890c3227bd8a588417f5b9bde637bcf3af

SHA256
207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f

SHA512
b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

Download Submit