Analysis Overview
SHA256
a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
Threat Level: Known bad
The file a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 was found to be: Known bad.
Malicious Activity Summary
MrBlack Trojan
Mrblack family
MrBlack trojan
Executes dropped EXE
File and Directory Permissions Modification
Reads system routing table
Write file to user bin folder
Modifies init.d
Writes file to system bin folder
Reads system network configuration
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 18:27
Signatures
MrBlack trojan
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Mrblack family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 18:27
Reported
2024-11-25 18:29
Platform
ubuntu2204-amd64-20240729-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
MrBlack Trojan
MrBlack trojan
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Mrblack family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/bin/bsd-port/recei | /usr/bin/bsd-port/recei | N/A |
| N/A | /usr/bin/oracle | /usr/bin/oracle | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/VsystemsshMmt | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /etc/init.d/selinux | /usr/bin/bsd-port/recei | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/bin/bsd-port/recei.conf | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /usr/bin/bsd-port/udevd.conf | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /usr/bin/bsd-port/recei | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/lsof | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/ps | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/bsd-port/recei.conf | /usr/bin/bsd-port/recei | N/A |
| File opened for modification | /usr/bin/oracle | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/dpkgd/lsof | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/dpkgd/ps | /usr/bin/cp | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/lsof | /usr/bin/cp | N/A |
| File opened for modification | /bin/ps | /usr/bin/cp | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/bsd-port/recei | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/bsd-port/recei | N/A |
| File opened for reading | /proc/net/route | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for reading | /proc/net/arp | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/stat | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/meminfo | /usr/bin/bsd-port/recei | N/A |
| File opened for reading | /proc/cmdline | /usr/sbin/insmod | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/sys/kernel/version | /usr/bin/bsd-port/recei | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /usr/bin/oracle | N/A |
| File opened for reading | /proc/meminfo | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for reading | /proc/cmdline | /usr/sbin/insmod | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/stat | /usr/bin/bsd-port/recei | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/conf.n | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /tmp/Dest.cfg | /usr/bin/oracle | N/A |
| File opened for modification | /tmp/appd.log | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /tmp/appd.conf | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /tmp/Dest.cfg | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /tmp/notify.file | /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 | N/A |
| File opened for modification | /tmp/appd.log | /usr/bin/oracle | N/A |
| File opened for modification | /tmp/notify.file | /usr/bin/oracle | N/A |
Processes
/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
[/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60]
/bin/sh
[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt]
/bin/sh
[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt]
/bin/sh
[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt]
/bin/sh
[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt]
/bin/sh
[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt]
/bin/sh
[sh -c mkdir -p /usr/bin/bsd-port]
/usr/bin/mkdir
[mkdir -p /usr/bin/bsd-port]
/bin/sh
[sh -c cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/bsd-port/recei]
/usr/bin/cp
[cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/bsd-port/recei]
/bin/sh
[sh -c /usr/bin/bsd-port/recei]
/usr/bin/bsd-port/recei
[/usr/bin/bsd-port/recei]
/bin/sh
[sh -c mkdir -p /usr/bin]
/usr/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/oracle]
/usr/bin/cp
[cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/oracle]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/sh
[sh -c mkdir -p /usr/bin/dpkgd]
/usr/bin/mkdir
[mkdir -p /usr/bin/dpkgd]
/bin/sh
[sh -c /usr/bin/oracle]
/usr/bin/oracle
[/usr/bin/oracle]
/bin/sh
[sh -c insmod /usr/lib/xpacket.ko]
/usr/sbin/insmod
[insmod /usr/lib/xpacket.ko]
/bin/sh
[sh -c cp -f /bin/lsof /usr/bin/dpkgd/lsof]
/usr/bin/cp
[cp -f /bin/lsof /usr/bin/dpkgd/lsof]
/bin/sh
[sh -c mkdir -p /bin]
/usr/bin/mkdir
[mkdir -p /bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/recei /bin/lsof]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/recei /bin/lsof]
/bin/sh
[sh -c chmod 0755 /bin/lsof]
/usr/bin/chmod
[chmod 0755 /bin/lsof]
/bin/sh
[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]
/usr/bin/cp
[cp -f /bin/ps /usr/bin/dpkgd/ps]
/bin/sh
[sh -c mkdir -p /bin]
/usr/bin/mkdir
[mkdir -p /bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/recei /bin/ps]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/recei /bin/ps]
/bin/sh
[sh -c chmod 0755 /bin/ps]
/usr/bin/chmod
[chmod 0755 /bin/ps]
/bin/sh
[sh -c mkdir -p /usr/bin]
/usr/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/recei /usr/bin/lsof]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/recei /usr/bin/lsof]
/bin/sh
[sh -c chmod 0755 /usr/bin/lsof]
/usr/bin/chmod
[chmod 0755 /usr/bin/lsof]
/bin/sh
[sh -c mkdir -p /usr/bin]
/usr/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/recei /usr/bin/ps]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/recei /usr/bin/ps]
/bin/sh
[sh -c chmod 0755 /usr/bin/ps]
/usr/bin/chmod
[chmod 0755 /usr/bin/ps]
/bin/sh
[sh -c insmod /usr/lib/xpacket.ko]
/usr/sbin/insmod
[insmod /usr/lib/xpacket.ko]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 192.207.62.45:1688 | tcp | |
| US | 192.207.62.45:1688 | tcp |
Files
/tmp/Dest.cfg
| MD5 | 7949e456002b28988d38185bd30e77fd |
| SHA1 | 8eac9d03673ad3fa86c1c815275470ec81580e0a |
| SHA256 | 3a481e728390d89c6843c180dc18ca8d693de5f5421e6240711c5dad483c72b3 |
| SHA512 | 86ffa374c2572cf61c670ec5469b80a9f71db097a87e45393aac98ac96a1c019325f360ccbaa6509acd366045c871b0e2ce76503942603228cf87b5c18105586 |
/etc/init.d/VsystemsshMmt
| MD5 | f90e9abecef631a29abd65e381fafdab |
| SHA1 | 5859bb1f2e934ff5d34ce43f2b88e61e7c860445 |
| SHA256 | 37fbeb68c2552a6439295d755f77145e7f3a0072d9a56a9202ad5eb5d2cd4d14 |
| SHA512 | 5e8f1f072d471437f16f1a10dad33668a11726272b53105f4cdf13ed0ed18d5e32f9cdeb337adc71b32eac5442ac81bbab9e5f08ba92f534190594cbd5173d7e |
/usr/bin/bsd-port/recei
| MD5 | f57f99f56834d73211bac97f4ec2dc5c |
| SHA1 | 314fff2c301fb120ce100e812e3ef4b31580551d |
| SHA256 | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 |
| SHA512 | c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8 |
/tmp/notify.file
| MD5 | 830fecbd08ef05059315cbcad7735639 |
| SHA1 | a178557cb7efc7e62a28071fdb464e982a8c254b |
| SHA256 | 83a6029fd731a7c3581fdc37d650d679f934c9944decfffcd786f8cf7e02dfae |
| SHA512 | 39cd0d035a01c32e9debf33771f56d9afa442f5d5d5365f3b93b84ec11e348321aa4c08a40109cfc520a9c9e8e8d58df64dd233852323eea7ac2a26fe78c8019 |
/etc/init.d/selinux
| MD5 | 57cde9c165195cfb90c212057795ed49 |
| SHA1 | d77d9895306eb09ad9b54588fb7998c79c671563 |
| SHA256 | 3e3488e9c63dfadffd594301e2192418b158238bfb8f83d6702123d72892cf36 |
| SHA512 | de9af53a508167cbbb820a99c2742918ec5b8c83877b77e43e4b441019311685647f47fb4666ba53ecef4e6a2d5514eb67981d471ddf173b04848609b3c0c00d |
/usr/bin/dpkgd/lsof
| MD5 | ab57b66cc531ae0f996963223e632b60 |
| SHA1 | bf7e5becd33f21c2539f5a75ffa0ab61c49c8795 |
| SHA256 | 2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df |
| SHA512 | 908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6 |
/usr/bin/dpkgd/ps
| MD5 | 8146139c2ad7e550b1d1f49480997446 |
| SHA1 | 074db8890c3227bd8a588417f5b9bde637bcf3af |
| SHA256 | 207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f |
| SHA512 | b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de |
/tmp/conf.n
| MD5 | 0d4750fec88f900553a9e4c96401dc0d |
| SHA1 | e10dde0a5028e3fd300fb85b50ff4e0e228eae4a |
| SHA256 | 4cfb90ff9316f4c96aca3e9bf13ff354de99c6b31bc3451a810a0fffebcfb176 |
| SHA512 | 63ef47b7279afe6bd17028e03f5c124de78dc817fdd4607ffb0a51be0c8c95a76318435b5f0b883d4d20ff54d7f52fbd1877f2952bbfaaeddcc7417f842f840c |