mrblack | a81f677c5e70b1031e5faddd50ba3492e6d536ce672fa17c173f916b88e45d46

Resubmissions

02/01/2025, 21:38

250102-1hhjqszkgl 10

15/12/2024, 00:39

241215-az46ys1kbl 10

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240729-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
15/12/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
Size

1.1MB
MD5

f17b36cfddb5242cb530ee6f62fd72ad
SHA1

1dad9668f72f681c865d058027d0eb474f920613
SHA256

a81f677c5e70b1031e5faddd50ba3492e6d536ce672fa17c173f916b88e45d46
SHA512

c0edc007a5030e95cc63467e5de00ba3152f3150dc9247850553fbf0542e2c6bf59543d6cca1e38dd8fdc490a2984d515a6d984e6d8833e64c90e07383d7fa16
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfamI+gIGYuuCol7r:4vREKfPqVE5jKsfamRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Mrblack family
mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1502	chmod
1508	sh
1509	chmod
1514	sh
1515	chmod
1492	sh
1493	chmod
1501	sh

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/agent	1456	agent
/usr/bin/acpid	1476	acpid

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/DbSecurityMdt	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for modification	/etc/init.d/selinux	agent

Write file to user bin folder 9 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/agent.conf	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/agent	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/udevd.conf	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/agent.conf	agent
File opened for modification	/usr/bin/acpid	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/ps	cp

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	agent
File opened for reading	/proc/cpuinfo	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/dev	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for reading	/proc/net/dev	agent

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	agent
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	agent
File opened for reading	/proc/sys/kernel/version	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for reading	/proc/stat	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	acpid
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	agent

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/notify.file	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for modification	/tmp/moni.note	acpid
File opened for modification	/tmp/notify.file	acpid
File opened for modification	/tmp/gates.note	acpid
File opened for modification	/tmp/moni.note	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for modification	/tmp/bill.note	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
File opened for modification	/tmp/gates.note	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118

/tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
/tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1399
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt"
  2⤵
  PID:1440
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt
    3⤵
    PID:1441
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt"
  2⤵
  PID:1442
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt
    3⤵
    PID:1443
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt"
  2⤵
  PID:1444
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt
    3⤵
    PID:1445
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt"
  2⤵
  PID:1446
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt
    3⤵
    PID:1447
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt"
  2⤵
  PID:1448
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt
    3⤵
    PID:1449
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1450
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1451
- /bin/sh
  sh -c "cp -f /tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118 /usr/bin/bsd-port/agent"
  2⤵
  PID:1452
- - /usr/bin/cp
    cp -f /tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118 /usr/bin/bsd-port/agent
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1453
- /bin/sh
  sh -c /usr/bin/bsd-port/agent
  2⤵
  PID:1455
- - /usr/bin/bsd-port/agent
    /usr/bin/bsd-port/agent
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1456
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1462
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1463
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1464
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1465
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1466
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1467
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1468
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1469
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1470
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1471
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1472
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1473
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1481
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1483
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1487
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1488
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /bin/lsof"
      4⤵
      PID:1490
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1491
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1492
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1493
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1494
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1495
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1497
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1498
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /bin/ps"
      4⤵
      PID:1499
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1500
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1501
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1502
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1503
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1504
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /usr/bin/lsof"
      4⤵
      PID:1505
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1506
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1508
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1509
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1510
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1511
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /usr/bin/ps"
      4⤵
      PID:1512
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1513
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1514
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1515
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1516
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1517
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1458
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1459
- /bin/sh
  sh -c "cp -f /tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118 /usr/bin/acpid"
  2⤵
  PID:1460
- - /usr/bin/cp
    cp -f /tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118 /usr/bin/acpid
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1461
- /bin/sh
  sh -c /usr/bin/acpid
  2⤵
  PID:1475
- - /usr/bin/acpid
    /usr/bin/acpid
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1476
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1479
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecurityMdt

Filesize
64B

MD5
4b28dd51490de8e95c780ae9561e1255

SHA1
71912a13d958ba296fea6a71df500bfc64ac95be

SHA256
4c5053f7a5bf93fc510ea44d82208ccf2429fe4e5789e52fcab3d6a8c5eb2bab

SHA512
7dfe9547d9b335259a80469bb8a0b9fa399f89f868c140448099f890fa67c4b92899e590558d25f8435ff556975e93e0e148068323dc2ea6c480ed7a67b08462

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
c6a80f08539a4c3176762f514976dd24

SHA1
bbc5826b01d20f5c4d315ff5dbc3f216760c64ef

SHA256
ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d

SHA512
9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

Download Submit
/tmp/gates.note

Filesize
4B

MD5
f0dd4a99fba6075a9494772b58f95280

SHA1
6f34a3e0e1af181e8a78e70c146682b7ead12846

SHA256
55fdec963805de594b61b2c1692cadc2c1dfb844d6ac10c5bfed33c842087b2e

SHA512
f4bb86b6c71c4d8f66a6186d96159e2e700c259b8ef5cb1534bcaa5c7a6950354e9419a220aba836a4e91624f519412a94361f857e370d3dbbe722a370db46c1

Download Submit
/tmp/moni.note

Filesize
4B

MD5
78b9cab19959e4af8ff46156ee460c74

SHA1
7c8d848f32fa1c53815556ee08aa8ee5994c5a51

SHA256
e5ce886c0b0869006dc9a2da28fcd4f1f291f4a90835b75edb74587b66e5acc9

SHA512
adf7e3718491f26a2853ea8e397727be1f0cb8abcae556f9e2acfeab0ccfdef721614361a09c84d9cfbcea9533d1d6a93be3f870611a13d8e0cbf9ca192e2987

Download Submit
/tmp/notify.file

Filesize
51B

MD5
79088c38abb3a242f72d3bef40de7e71

SHA1
dae965ccd8e9598f28d41f637aa0d26ed27fe254

SHA256
cb231b01ee637b58abe40914373e8eb921e5de1f3bca2a4f64e1e5ae001c273c

SHA512
5d4e06c1a9a3b40c8397f78beb7173dddefc8737fdc649a40e6e59c3df387c4e02d3c3cfa0d1c794d8b1e16d0e1a4f47e854bf602044fce7db48aff00ce4cf04

Download Submit
/usr/bin/bsd-port/agent

Filesize
1.1MB

MD5
f17b36cfddb5242cb530ee6f62fd72ad

SHA1
1dad9668f72f681c865d058027d0eb474f920613

SHA256
a81f677c5e70b1031e5faddd50ba3492e6d536ce672fa17c173f916b88e45d46

SHA512
c0edc007a5030e95cc63467e5de00ba3152f3150dc9247850553fbf0542e2c6bf59543d6cca1e38dd8fdc490a2984d515a6d984e6d8833e64c90e07383d7fa16

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads