mrblack | caa57c5014f455447a880d1f9553845a81d39e3edc1ac5b8ba4254018fb81062

Analysis

max time kernel
150s
max time network
151s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
29-09-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
Size

1.1MB
MD5

ff5e84897e3bf9df890972e0b222c3cd
SHA1

77a937ecf2b0fbf34a3427758653c0671c33393a
SHA256

caa57c5014f455447a880d1f9553845a81d39e3edc1ac5b8ba4254018fb81062
SHA512

9bb766f87208417387c67a58277031453734334667dcf2ced68d4cf35bb062b18b6df701fd9beab5b07476eea68ff6490cf279e88cb02e8b2951a5e0eb16f786
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfa5I+gIGYuuCol7r:4vREKfPqVE5jKsfa5RHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/knerl	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

shchmodshchmodshchmodshchmod

pid process

1493 sh
1494 chmod
1501 sh
1502 chmod
1507 sh
1508 chmod
1513 sh
1514 chmod
Executes dropped EXE 2 IoCs

Processes:

knerlpythno

ioc pid process

/usr/bin/bsd-port/knerl 1455 knerl
/usr/bin/pythno 1463 pythno

pid	process
1493	sh
1494	chmod
1501	sh
1502	chmod
1507	sh
1508	chmod
1513	sh
1514	chmod

ioc	pid	process
/usr/bin/bsd-port/knerl	1455	knerl
/usr/bin/pythno	1463	pythno

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118knerl

description	ioc	process
File opened for modification	/etc/init.d/VsystemsshMdt	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for modification	/etc/init.d/selinux	knerl

Write file to user bin folder 9 IoCs

persistence

Processes:

cpcpcpff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118cpknerlcpcp

description	ioc	process
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/knerl.conf	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.conf	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/knerl	cp
File opened for modification	/usr/bin/bsd-port/knerl.conf	knerl
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/dpkgd/ps	cp

Writes file to system bin folder 2 IoCs

Processes:

cpcp

description ioc process

File opened for modification /bin/lsof cp
File opened for modification /bin/ps cp
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118knerl

description ioc process

File opened for reading /proc/cpuinfo ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading /proc/cpuinfo knerl
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.
discovery

Internet Connection Discovery
T1016.001

Processes:

ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118knerl

description ioc process

File opened for reading /proc/net/dev ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading /proc/net/dev knerl

description	ioc	process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

description	ioc	process
File opened for reading	/proc/cpuinfo	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading	/proc/cpuinfo	knerl

description	ioc	process
File opened for reading	/proc/net/dev	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading	/proc/net/dev	knerl

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118cpcpmkdircpmkdircpknerlinsmodmkdirmkdircpcpcppythnocpinsmodmkdirmkdirmkdir

description	ioc	process
File opened for reading	/proc/stat	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading	/proc/meminfo	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	knerl
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	knerl
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	knerl

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118pythno

description	ioc	process
File opened for modification	/tmp/vga.conf	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for modification	/tmp/notify.file	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/vga.conf	pythno
File opened for modification	/tmp/idus.log	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
File opened for modification	/tmp/apsh.conf	ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118

/tmp/ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
/tmp/ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1392
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"
  2⤵
  PID:1439
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
    3⤵
    PID:1440
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"
  2⤵
  PID:1441
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
    3⤵
    PID:1442
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"
  2⤵
  PID:1443
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
    3⤵
    PID:1444
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"
  2⤵
  PID:1445
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
    3⤵
    PID:1446
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"
  2⤵
  PID:1447
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
    3⤵
    PID:1448
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1449
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1450
- /bin/sh
  sh -c "cp -f /tmp/ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118 /usr/bin/bsd-port/knerl"
  2⤵
  PID:1451
- - /usr/bin/cp
    cp -f /tmp/ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118 /usr/bin/bsd-port/knerl
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1452
- /bin/sh
  sh -c /usr/bin/bsd-port/knerl
  2⤵
  PID:1454
- - /usr/bin/bsd-port/knerl
    /usr/bin/bsd-port/knerl
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1455
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1472
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1473
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1474
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1476
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1477
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1478
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1479
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1480
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1481
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1482
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1483
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1484
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1486
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1487
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1488
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1489
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"
      4⤵
      PID:1490
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1491
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1493
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1494
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1495
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1496
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1497
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1498
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"
      4⤵
      PID:1499
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1500
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1501
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1502
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1503
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1504
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"
      4⤵
      PID:1505
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1506
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1507
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1508
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1509
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1510
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"
      4⤵
      PID:1511
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1512
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1513
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1514
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1515
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1516
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1457
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1458
- /bin/sh
  sh -c "cp -f /tmp/ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118 /usr/bin/pythno"
  2⤵
  PID:1459
- - /usr/bin/cp
    cp -f /tmp/ff5e84897e3bf9df890972e0b222c3cd_JaffaCakes118 /usr/bin/pythno
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1460
- /bin/sh
  sh -c /usr/bin/pythno
  2⤵
  PID:1462
- - /usr/bin/pythno
    /usr/bin/pythno
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1463
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1466
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1467

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMdt

Filesize
64B

MD5
4d3aae4bf1e0fbd2ca3e60467a559fe1

SHA1
c9a1a77537828396a28873b57cc8d4a3a76332b8

SHA256
067e6a000e5b7f37de204e2f7904f44a1b8c785b050eb6b4da2d0740be54cc81

SHA512
ec392b9befa46e3c0c3fda4e4c05634ba463718d0783b3f5a6824f46e8c89c95c1f9f05c83fa1d4708908ab95fbf79b75f860e46def78285a53212869ddb05ca

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
caa27b819c9303446f702929874a00e8

SHA1
d24199c0e376edea3f822b215148cc0dc78364bf

SHA256
da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

SHA512
dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

Download Submit
/tmp/idus.log

Filesize
4B

MD5
c913303f392ffc643f7240b180602652

SHA1
655030540aed981b558d2f880b20cca6217d24e6

SHA256
4753e699ede615170936d7dd4c55a57c11c2965a2f8854e9d5738a387aa11e3a

SHA512
a5d67239eab15f51fa903435b3ecee59cdfde6a92eb1c79a294ad0b8d70eb9af1edf0950b6006f6cb41bd2ff7c8624b0b9c99bf0ce1b9393c3e6387888479c3e

Download Submit
/tmp/notify.file

Filesize
51B

MD5
f40cfbd5ba6f9fdebf4d7945382d0051

SHA1
e3d132103ff1ef143b3896420dd4411af3a902df

SHA256
8d50e34031c8c43549eb0af19cfb95fde94ec8b5c3272c3928b3494b19813158

SHA512
a7c087bfa37b4963bd3ef986d67a0f0706ae1587f715338790d0746d43c9e1f3ebc0ad0a6f52a71c79f846fb541a233c2a4afa2c4707f8dfb2784db3683a6619

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
ad3019b856147c17e82a5bead782d2a8

SHA1
44fda320f16c8b2ef198c0000449f9c3cca1d126

SHA256
6fef307f9c8a3fb0ad69aea55b3d9c74c652a858c61b235e70ce2e2d490eb34c

SHA512
b13ad58e98b35554c354bf9cec0b4dca5e385f89eab9172dd7bf029b068b3c3fca86db9255e747379d0b6291c5c9967fdb7b274a0539300d7bdbb7cfa5037d05

Download Submit
/usr/bin/bsd-port/knerl

Filesize
1.1MB

MD5
ff5e84897e3bf9df890972e0b222c3cd

SHA1
77a937ecf2b0fbf34a3427758653c0671c33393a

SHA256
caa57c5014f455447a880d1f9553845a81d39e3edc1ac5b8ba4254018fb81062

SHA512
9bb766f87208417387c67a58277031453734334667dcf2ced68d4cf35bb062b18b6df701fd9beab5b07476eea68ff6490cf279e88cb02e8b2951a5e0eb16f786

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit