Analysis
max time kernel: 149s
max time network: 151s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240522.1-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240522.1-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 18-10-2024 07:58
Behavioral task: behavioral1
Sample: 490eb7a7e1e1ed361801e18128206ab9
Resource: ubuntu2204-amd64-20240522.1-en

General
Target: 490eb7a7e1e1ed361801e18128206ab9
Size: 1.2MB
MD5: 490eb7a7e1e1ed361801e18128206ab9
SHA1: ed40d1d0313b032b5cf12ed43fbf01e3d4a83bbe
SHA256: 29f2a7e4500ae2f34dd7b62d6616e2de3ca89d5c87b1e76184f2e4ab52e002f5
SHA512: 605fc001e7cc8cfe1346e9e0cd2ad544b0834d49b3023d4ab58bf574d53cc52ce5d0e853a8e4acadffd948bed1f7ec936cf919a714a2fa91e163d546325d8fd8
SSDEEP: 24576:e845rGHu6gVJKG75oFpA0VWeX462y1q2rJp0:745vRVJKGtSA0VWeo5u9p0
Malware Config
Signatures

MrBlack trojan (1 IoC)
  resource: behavioral1/files/fstream-4.dat
  yara_rule: family_mrblack
File and Directory Permissions Modification (1 TTP, 12 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  1644  sh
  1645  chmod
  1654  sh
  1655  chmod
  1664  sh
  1665  chmod
  1672  sh
  1673  chmod
  1680  sh
  1681  chmod
  1688  sh
  1691  chmod
Executes dropped EXE (2 IoCs)
  ioc                      pid   Process
  /usr/bin/bsd-port/getty  1613  getty
  /usr/bin/.sshd           1635  .sshd

Modifies init.d (2 IoCs)
  description                   ioc                        Process
  File opened for modification  /etc/init.d/DbSecuritySpt  490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /etc/init.d/selinux        getty
Reads system routing table (1 TTP, 1 IoC)
Gets active network interfaces from the /proc virtual filesystem.
  description              ioc              Process
  File opened for reading  /proc/net/route  490eb7a7e1e1ed361801e18128206ab9
Write file to user bin folder (11 IoCs)
  description                   ioc                           Process
  File opened for modification  /usr/bin/bsd-port/getty       cp
  File opened for modification  /usr/bin/bsd-port/getty.lock  getty
  File opened for modification  /usr/bin/.sshd                cp
  File opened for modification  /usr/bin/dpkgd/lsof           cp
  File opened for modification  /usr/bin/dpkgd/ss             cp
  File opened for modification  /usr/bin/ss                   cp
  File opened for modification  /usr/bin/bsd-port/getty.lock  490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /usr/bin/bsd-port/udevd.lock  490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /usr/bin/dpkgd/ps             cp
  File opened for modification  /usr/bin/lsof                 cp
  File opened for modification  /usr/bin/ps                   cp
Writes file to system bin folder (3 IoCs)
  description                   ioc        Process
  File opened for modification  /bin/lsof  cp
  File opened for modification  /bin/ps    cp
  File opened for modification  /bin/ss    cp
Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information that can indicate whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  490eb7a7e1e1ed361801e18128206ab9
  File opened for reading  /proc/cpuinfo  getty
Reads system network configuration (1 TTP, 4 IoCs)
Uses the contents of the /proc filesystem to enumerate network settings.
  description              ioc              Process
  File opened for reading  /proc/net/dev    490eb7a7e1e1ed361801e18128206ab9
  File opened for reading  /proc/net/dev    getty
  File opened for reading  /proc/net/route  490eb7a7e1e1ed361801e18128206ab9
  File opened for reading  /proc/net/arp    490eb7a7e1e1ed361801e18128206ab9
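The "Reads system routing table" and "Reads system network configuration" signatures above record the dropper and getty reading /proc/net/route, /proc/net/dev and /proc/net/arp. The report does not show what a program has to do with that data, so the following is an added example (my own code, not from the report or from the sample) that decodes /proc/net/route the way any reader of it must: each address field is a 32-bit value printed as 8 hex digits in host (little-endian) byte order, so "0100A8C0" is 192.168.0.1, and the default route is the row whose Destination is 00000000. Function names (hex_le_to_ip, default_routes, active_interfaces) are my own; the script assumes a POSIX sh whose printf accepts 0x-prefixed integers (dash and bash both do).

```sh
#!/bin/sh
# Added example, not part of the sandbox report: decode /proc/net/route.
# Variables carry function-specific prefixes instead of using `local`, so
# the script stays POSIX sh.

# Convert one 8-hex-digit /proc/net/route address field to dotted quad.
# The field is the address as a little-endian u32, so the first byte pair
# printed is the LAST octet of the address.
hex_le_to_ip() {
  hl_h=$1
  hl_o4=$(printf '%d' "0x$(printf '%s' "$hl_h" | cut -c1-2)")
  hl_o3=$(printf '%d' "0x$(printf '%s' "$hl_h" | cut -c3-4)")
  hl_o2=$(printf '%d' "0x$(printf '%s' "$hl_h" | cut -c5-6)")
  hl_o1=$(printf '%d' "0x$(printf '%s' "$hl_h" | cut -c7-8)")
  echo "$hl_o1.$hl_o2.$hl_o3.$hl_o4"
}

# Print "iface gateway" for every default route (Destination == 00000000)
# in a route table file; defaults to the live /proc/net/route.
default_routes() {
  tail -n +2 "${1:-/proc/net/route}" | while read -r dr_iface dr_dest dr_gw dr_rest; do
    [ "$dr_dest" = 00000000 ] || continue
    echo "$dr_iface $(hex_le_to_ip "$dr_gw")"
  done
}

# Interfaces that currently hold at least one route, one per line, sorted.
# This is the "active interfaces" view the signature description refers to.
active_interfaces() {
  tail -n +2 "${1:-/proc/net/route}" | while read -r ai_iface ai_rest; do
    echo "$ai_iface"
  done | sort -u
}

# Stand-alone use: ./route.sh /proc/net/route
if [ $# -gt 0 ]; then
  default_routes "$1"
  active_interfaces "$1"
fi
```

The same decoding applies to the Gateway and Mask columns; /proc/net/arp and /proc/net/dev, by contrast, already print addresses and interface names in plain text.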
Reads runtime system information (37 IoCs)
  description              ioc                       Process
  File opened for reading  /proc/stat                490eb7a7e1e1ed361801e18128206ab9
  File opened for reading  /proc/stat                getty
  File opened for reading  /proc/meminfo             490eb7a7e1e1ed361801e18128206ab9
  File opened for reading  /proc/meminfo             getty
  File opened for reading  /proc/sys/kernel/version  490eb7a7e1e1ed361801e18128206ab9
  File opened for reading  /proc/sys/kernel/version  getty
  File opened for reading  /proc/sys/kernel/version  .sshd
  File opened for reading  /proc/cmdline             insmod (2 occurrences)
  File opened for reading  /proc/filesystems         mkdir (17 occurrences)
  File opened for reading  /proc/filesystems         cp (11 occurrences)
Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
  description                   ioc               Process
  File opened for modification  /tmp/moni.lod     .sshd
  File opened for modification  /tmp/notify.file  .sshd
  File opened for modification  /tmp/conf.n       490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /tmp/gates.lod    .sshd
  File opened for modification  /tmp/moni.lod     490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /tmp/bill.lock    490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /tmp/gates.lod    490eb7a7e1e1ed361801e18128206ab9
  File opened for modification  /tmp/notify.file  490eb7a7e1e1ed361801e18128206ab9
Processes
(indented by parent/child depth; each entry is image, command line, PID, then the signatures that fired for that process in brackets)

/tmp/490eb7a7e1e1ed361801e18128206ab9  /tmp/490eb7a7e1e1ed361801e18128206ab9  PID:1569  [Modifies init.d; Reads system routing table; Write file to user bin folder; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/sh  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"  PID:1595
    /usr/bin/ln  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt  PID:1596
  /bin/sh  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"  PID:1597
    /usr/bin/ln  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt  PID:1598
  /bin/sh  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"  PID:1599
    /usr/bin/ln  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt  PID:1600
  /bin/sh  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"  PID:1601
    /usr/bin/ln  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt  PID:1602
  /bin/sh  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"  PID:1603
    /usr/bin/ln  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt  PID:1604
  /bin/sh  sh -c "mkdir -p /usr/bin/bsd-port"  PID:1605
    /usr/bin/mkdir  mkdir -p /usr/bin/bsd-port  PID:1606  [Reads runtime system information]
  /bin/sh  sh -c "mkdir -p /usr/bin/bsd-port"  PID:1607
    /usr/bin/mkdir  mkdir -p /usr/bin/bsd-port  PID:1608  [Reads runtime system information]
  /bin/sh  sh -c "cp -f /tmp/490eb7a7e1e1ed361801e18128206ab9 /usr/bin/bsd-port/getty"  PID:1609
    /usr/bin/cp  cp -f /tmp/490eb7a7e1e1ed361801e18128206ab9 /usr/bin/bsd-port/getty  PID:1610  [Write file to user bin folder; Reads runtime system information]
  /bin/sh  sh -c /usr/bin/bsd-port/getty  PID:1612
    /usr/bin/bsd-port/getty  /usr/bin/bsd-port/getty  PID:1613  [Executes dropped EXE; Modifies init.d; Write file to user bin folder; Checks CPU configuration; Reads system network configuration; Reads runtime system information]
      /bin/sh  sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"  PID:1621
        /usr/bin/ln  ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux  PID:1622
      /bin/sh  sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"  PID:1623
        /usr/bin/ln  ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux  PID:1624
      /bin/sh  sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"  PID:1625
        /usr/bin/ln  ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux  PID:1626
      /bin/sh  sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"  PID:1627
        /usr/bin/ln  ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux  PID:1628
      /bin/sh  sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"  PID:1629
        /usr/bin/ln  ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux  PID:1630
      /bin/sh  sh -c "mkdir -p /usr/bin/dpkgd"  PID:1631
        /usr/bin/mkdir  mkdir -p /usr/bin/dpkgd  PID:1632  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"  PID:1636
        /usr/bin/cp  cp -f /bin/lsof /usr/bin/dpkgd/lsof  PID:1637  [Write file to user bin folder; Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /bin"  PID:1638
        /usr/bin/mkdir  mkdir -p /bin  PID:1639  [Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /bin"  PID:1640
        /usr/bin/mkdir  mkdir -p /bin  PID:1641  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"  PID:1642
        /usr/bin/cp  cp -f /usr/bin/bsd-port/getty /bin/lsof  PID:1643  [Writes file to system bin folder; Reads runtime system information]
      /bin/sh  sh -c "chmod 0755 /bin/lsof"  PID:1644  [File and Directory Permissions Modification]
        /usr/bin/chmod  chmod 0755 /bin/lsof  PID:1645  [File and Directory Permissions Modification]
      /bin/sh  sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"  PID:1646
        /usr/bin/cp  cp -f /bin/ps /usr/bin/dpkgd/ps  PID:1647  [Write file to user bin folder; Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /bin"  PID:1648
        /usr/bin/mkdir  mkdir -p /bin  PID:1649  [Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /bin"  PID:1650
        /usr/bin/mkdir  mkdir -p /bin  PID:1651  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"  PID:1652
        /usr/bin/cp  cp -f /usr/bin/bsd-port/getty /bin/ps  PID:1653  [Writes file to system bin folder; Reads runtime system information]
      /bin/sh  sh -c "chmod 0755 /bin/ps"  PID:1654  [File and Directory Permissions Modification]
        /usr/bin/chmod  chmod 0755 /bin/ps  PID:1655  [File and Directory Permissions Modification]
      /bin/sh  sh -c "cp -f /bin/ss /usr/bin/dpkgd/ss"  PID:1656
        /usr/bin/cp  cp -f /bin/ss /usr/bin/dpkgd/ss  PID:1657  [Write file to user bin folder; Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /bin"  PID:1658
        /usr/bin/mkdir  mkdir -p /bin  PID:1659  [Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /bin"  PID:1660
        /usr/bin/mkdir  mkdir -p /bin  PID:1661  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /usr/bin/bsd-port/getty /bin/ss"  PID:1662
        /usr/bin/cp  cp -f /usr/bin/bsd-port/getty /bin/ss  PID:1663  [Writes file to system bin folder; Reads runtime system information]
      /bin/sh  sh -c "chmod 0755 /bin/ss"  PID:1664  [File and Directory Permissions Modification]
        /usr/bin/chmod  chmod 0755 /bin/ss  PID:1665  [File and Directory Permissions Modification]
      /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1666
        /usr/bin/mkdir  mkdir -p /usr/bin  PID:1667  [Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1668
        /usr/bin/mkdir  mkdir -p /usr/bin  PID:1669  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"  PID:1670
        /usr/bin/cp  cp -f /usr/bin/bsd-port/getty /usr/bin/lsof  PID:1671  [Write file to user bin folder; Reads runtime system information]
      /bin/sh  sh -c "chmod 0755 /usr/bin/lsof"  PID:1672  [File and Directory Permissions Modification]
        /usr/bin/chmod  chmod 0755 /usr/bin/lsof  PID:1673  [File and Directory Permissions Modification]
      /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1674
        /usr/bin/mkdir  mkdir -p /usr/bin  PID:1675  [Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1676
        /usr/bin/mkdir  mkdir -p /usr/bin  PID:1677  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"  PID:1678
        /usr/bin/cp  cp -f /usr/bin/bsd-port/getty /usr/bin/ps  PID:1679  [Write file to user bin folder; Reads runtime system information]
      /bin/sh  sh -c "chmod 0755 /usr/bin/ps"  PID:1680  [File and Directory Permissions Modification]
        /usr/bin/chmod  chmod 0755 /usr/bin/ps  PID:1681  [File and Directory Permissions Modification]
      /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1682
        /usr/bin/mkdir  mkdir -p /usr/bin  PID:1683  [Reads runtime system information]
      /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1684
        /usr/bin/mkdir  mkdir -p /usr/bin  PID:1685  [Reads runtime system information]
      /bin/sh  sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ss"  PID:1686
        /usr/bin/cp  cp -f /usr/bin/bsd-port/getty /usr/bin/ss  PID:1687  [Write file to user bin folder; Reads runtime system information]
      /bin/sh  sh -c "chmod 0755 /usr/bin/ss"  PID:1688  [File and Directory Permissions Modification]
        /usr/bin/chmod  chmod 0755 /usr/bin/ss  PID:1691  [File and Directory Permissions Modification]
      /bin/sh  sh -c "insmod /usr/bin/bsd-port/xpacket.ko"  PID:1694
        /usr/sbin/insmod  insmod /usr/bin/bsd-port/xpacket.ko  PID:1695  [Reads runtime system information]
  /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1615
    /usr/bin/mkdir  mkdir -p /usr/bin  PID:1616  [Reads runtime system information]
  /bin/sh  sh -c "mkdir -p /usr/bin"  PID:1617
    /usr/bin/mkdir  mkdir -p /usr/bin  PID:1618  [Reads runtime system information]
  /bin/sh  sh -c "cp -f /tmp/490eb7a7e1e1ed361801e18128206ab9 /usr/bin/.sshd"  PID:1619
    /usr/bin/cp  cp -f /tmp/490eb7a7e1e1ed361801e18128206ab9 /usr/bin/.sshd  PID:1620  [Write file to user bin folder; Reads runtime system information]
  /bin/sh  sh -c /usr/bin/.sshd  PID:1634
    /usr/bin/.sshd  /usr/bin/.sshd  PID:1635  [Executes dropped EXE; Reads runtime system information; Writes file to tmp directory]
  /bin/sh  sh -c "insmod /tmp/xpacket.ko"  PID:1692
    /usr/sbin/insmod  insmod /tmp/xpacket.ko  PID:1693  [Reads runtime system information]
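The process tree above is one procedure: the dropper writes /etc/init.d/DbSecuritySpt and links it as S97DbSecuritySpt into rc1.d through rc5.d, copies itself to /usr/bin/bsd-port/getty and /usr/bin/.sshd, and runs both; getty then writes /etc/init.d/selinux with S99selinux links, stashes the real lsof, ps and ss under /usr/bin/dpkgd, overwrites /bin/{lsof,ps,ss} and /usr/bin/{lsof,ps,ss} with copies of getty (chmod 0755), and both stages attempt insmod of xpacket.ko. The sweep below is an added example, not part of this sandbox report or of the sample's code: it checks a root directory (a live "/" or a mounted evidence image) for exactly those artifacts and flags a ps/lsof/ss whose content is identical to the dropped getty or differs from its dpkgd backup. Function and variable names (mrblack_sweep, check_tool, check_rc_links, live_suspicious_procs, mrblack_sweep_count) are my own, and sha256sum from coreutils is assumed. Two caveats it encodes: on this sandbox image (Ubuntu 22.04, merged /usr) /bin is a symlink to usr/bin, so /bin/ps and /usr/bin/ps are one file and the sweep skips bin/ when it is a symlink to avoid reporting it twice; and on an infected host ps, lsof and ss are themselves the swapped binaries, so the live process check walks /proc instead of trusting them.

```sh
#!/bin/sh
# Added example, not part of the sandbox report: sweep ROOT (a live "/" or a
# mounted evidence image) for the artifacts the report attributes to this
# sample. Function and variable names are my own; sha256sum is assumed.
# Variables carry function-specific prefixes instead of `local` (POSIX sh).

# Files the report shows being created or modified, relative to ROOT.
MRBLACK_PATHS="
etc/init.d/DbSecuritySpt
etc/init.d/selinux
usr/bin/bsd-port/getty
usr/bin/bsd-port/getty.lock
usr/bin/bsd-port/udevd.lock
usr/bin/bsd-port/xpacket.ko
usr/bin/.sshd
usr/bin/dpkgd/ps
usr/bin/dpkgd/lsof
usr/bin/dpkgd/ss
tmp/xpacket.ko
tmp/gates.lod
tmp/moni.lod
tmp/bill.lock
tmp/conf.n
tmp/notify.file
"

file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# The sample stashes the real ps/lsof/ss under usr/bin/dpkgd and overwrites
# the originals with its own getty binary. A tool that hashes identical to
# getty, or that differs from its dpkgd backup, has been swapped out.
check_tool() {
  ct_root=$1; ct_tool=$2
  ct_getty="$ct_root/usr/bin/bsd-port/getty"
  ct_backup="$ct_root/usr/bin/dpkgd/$ct_tool"
  for ct_dir in bin usr/bin; do
    # Merged-/usr systems (Ubuntu 22.04 included) make bin a symlink to
    # usr/bin; skip it there so the same file is not reported twice.
    if [ "$ct_dir" = bin ] && [ -L "$ct_root/bin" ]; then continue; fi
    ct_bin="$ct_root/$ct_dir/$ct_tool"
    [ -f "$ct_bin" ] || continue
    if [ -f "$ct_getty" ] && [ "$(file_hash "$ct_bin")" = "$(file_hash "$ct_getty")" ]; then
      echo "TROJANISED $ct_dir/$ct_tool (identical to usr/bin/bsd-port/getty)"
    elif [ -f "$ct_backup" ] && [ "$(file_hash "$ct_bin")" != "$(file_hash "$ct_backup")" ]; then
      echo "REPLACED $ct_dir/$ct_tool (differs from backup usr/bin/dpkgd/$ct_tool)"
    fi
  done
}

# SysV rc persistence: S97DbSecuritySpt (dropper) and S99selinux (getty)
# in rc1.d..rc5.d. -L catches links left dangling after init.d cleanup.
check_rc_links() {
  cr_root=$1
  for cr_n in 1 2 3 4 5; do
    for cr_link in "rc$cr_n.d/S97DbSecuritySpt" "rc$cr_n.d/S99selinux"; do
      if [ -L "$cr_root/etc/$cr_link" ] || [ -e "$cr_root/etc/$cr_link" ]; then
        echo "PERSISTENCE etc/$cr_link"
      fi
    done
  done
}

# Live host only: ps/lsof/ss may be the trojanised copies, so read each
# process's exe link from /proc directly instead of trusting them.
live_suspicious_procs() {
  for lp_exe in /proc/[0-9]*/exe; do
    lp_target=$(readlink "$lp_exe" 2>/dev/null) || continue
    case $lp_target in
      */bsd-port/getty*|*/.sshd*) echo "RUNNING ${lp_exe%/exe} -> $lp_target" ;;
    esac
  done
}

# One finding per line; empty output means none of the above was found.
mrblack_sweep() {
  ms_root=${1%/}            # "" for "/", so "$ms_root/etc" is "/etc"
  for ms_p in $MRBLACK_PATHS; do
    if [ -e "$ms_root/$ms_p" ] || [ -L "$ms_root/$ms_p" ]; then echo "ARTIFACT $ms_p"; fi
  done
  check_rc_links "$ms_root"
  for ms_tool in ps lsof ss; do check_tool "$ms_root" "$ms_tool"; done
}

# Number of findings, for scripting.
mrblack_sweep_count() { mrblack_sweep "$1" | wc -l | tr -d ' '; }

# Stand-alone use: ./sweep.sh /            (live host, also walks /proc)
#                  ./sweep.sh /mnt/evidence (mounted image)
if [ $# -gt 0 ]; then
  mrblack_sweep "$1"
  if [ -z "${1%/}" ]; then live_suspicious_procs; fi
fi
```

The dpkgd copies are only useful as a comparison point: the malware put them there, so a "clean" verdict from the sweep should still be confirmed against package-manager hashes or a known-good toolset booted from separate media before those binaries are trusted again.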
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
  Boot or Logon Initialization Scripts (T1037): 1
    RC Scripts (T1037.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
  Boot or Logon Initialization Scripts (T1037): 1
    RC Scripts (T1037.004): 1
Defense Evasion
  File and Directory Permissions Modification (T1222): 1
    Linux and Mac File and Directory Permissions Modification (T1222.002): 1
  Virtualization/Sandbox Evasion (T1497): 1
    System Checks (T1497.001): 1
Downloads

Filesize: 50B
  MD5: 96329015732cac37c9654718bc42a394
  SHA1: fa254af7cb1937fa3df97e936c310d2fd51c4c5d
  SHA256: a07abcf19047e7a8be54826c6137c46644f6962bef0a47200c5a0a70bfc31baa
  SHA512: c769d8b91245a5c1f83eacfe9e4aea5d13ed06f4c06a6430af55194180130dd9f4b5f38741815a0dc641d74a35fac83c7346e3019cdc45a2c670fd8f134c0b15

Filesize: 36B
  MD5: 993cc15058142d96c3daf7852c3d5ee8
  SHA1: 0950b8b391b04dd3895ea33cd3141543ebd2525d
  SHA256: 8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208
  SHA512: 0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Filesize: 73B
  MD5: 8dd6beb4a02b7ac3e6b7c7f81d7e1dcc
  SHA1: 65e9a38b3be8da33ccf6895f2c1d460cd14932aa
  SHA256: 1a00d1a79f0fbbca4a6956fe4c648f4c31fed8488c29930aab9c89d4ee7cde8b
  SHA512: fb5fcc80271146cf3fd882767865278a14c245859139d0fa578475a81b3ed5f4957a395bc731a8eeebbc84df593171ad2ea27f9a374f050be862691eb3433d9c

Filesize: 4B
  MD5: 7949e456002b28988d38185bd30e77fd
  SHA1: 8eac9d03673ad3fa86c1c815275470ec81580e0a
  SHA256: 3a481e728390d89c6843c180dc18ca8d693de5f5421e6240711c5dad483c72b3
  SHA512: 86ffa374c2572cf61c670ec5469b80a9f71db097a87e45393aac98ac96a1c019325f360ccbaa6509acd366045c871b0e2ce76503942603228cf87b5c18105586

Filesize: 4B
  MD5: 7c4ede33a62160a19586f6e26eaefacf
  SHA1: db8770342fdf063d3128150901ea357f68bb9001
  SHA256: 41e32284df1a73272655a26bfe6d4919ed6504972cc47461330a26e90cd9ddc3
  SHA512: 6d7f64fcddff389eb6251671e1c53d761e0d21b0e7a4fe4c872ed60f80f11fa97f18b5799435da306820cbf33dc88d94f0e6a707bcc834051101230f752be974

Filesize: 37B
  MD5: 208b0b2deb0d2ba289a442701d88da0c
  SHA1: bd3378fd142502c318e8e14f4a5f1bd3ca5c76d3
  SHA256: 2547c737e04449b7a4bfecd92cb3e6b36f726be476e70da9242555641cfa70bb
  SHA512: 72d96fbecd9f948ad38e669448a726a8055ade88b64c8628260d182e8173e8a807994caf0f6dd045d913fe33415a828ade5d4c12b233696110625813c06d88f7

Filesize: 1.2MB (same hashes as the submitted sample)
  MD5: 490eb7a7e1e1ed361801e18128206ab9
  SHA1: ed40d1d0313b032b5cf12ed43fbf01e3d4a83bbe
  SHA256: 29f2a7e4500ae2f34dd7b62d6616e2de3ca89d5c87b1e76184f2e4ab52e002f5
  SHA512: 605fc001e7cc8cfe1346e9e0cd2ad544b0834d49b3023d4ab58bf574d53cc52ce5d0e853a8e4acadffd948bed1f7ec936cf919a714a2fa91e163d546325d8fd8

Filesize: 163KB
  MD5: ab57b66cc531ae0f996963223e632b60
  SHA1: bf7e5becd33f21c2539f5a75ffa0ab61c49c8795
  SHA256: 2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df
  SHA512: 908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

Filesize: 138KB
  MD5: 8146139c2ad7e550b1d1f49480997446
  SHA1: 074db8890c3227bd8a588417f5b9bde637bcf3af
  SHA256: 207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f
  SHA512: b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

Filesize: 125KB
  MD5: 1b25ac945efae8520ba112b500e2d561
  SHA1: 8324c4d1d1427829266e82f203386232ff82af15
  SHA256: 5eb16d9a8bc81fe767725874e3f67623b8e86b46ec93546be49c5b09d3ab4636
  SHA512: e191f967170ea4844f736c5ab75b7bf45fef3af34f0a4bef0d36475d646b0b089449fe39806664b9f6ce1984037687930cc368892230662c8c30f67fa3ac216e