Analysis
-
max time kernel
99s -
max time network
111s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240226-en -
resource tags
-
submitted
18-04-2024 13:57
General
-
Target
https://www.kinitopet.com
Malware Config
Signatures
-
Changes its process name 64 IoCs
-
Reads user data of web browsers 56 IoCs
Reads stored browser data which can include saved credentials.
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 11 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 60 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/usr/bin/xdg-openxdg-open https://www.kinitopet.com1⤵
-
/usr/bin/dbus-senddbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager2⤵
-
/usr/bin/dbus-launchdbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr3⤵
-
/bin/grepgrep " = \\\"xfce4\\\"\$"2⤵
-
/usr/bin/xpropxprop -root _DT_SAVE_MODE2⤵
-
/bin/grepgrep -i "^xfce_desktop_window"2⤵
-
/usr/bin/xpropxprop -root2⤵
-
/bin/grepgrep -q "^Enlightenment"2⤵
-
/bin/unameuname2⤵
-
/bin/grepgrep -q "^file://"2⤵
-
/bin/egrepegrep -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/usr/local/sbin/grepgrep -E -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/usr/local/bin/grepgrep -E -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/usr/sbin/grepgrep -E -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/usr/bin/grepgrep -E -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/sbin/grepgrep -E -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/bin/grepgrep -E -q "^[[:alpha:]+\\.\\-]+:"2⤵
-
/usr/bin/xdg-mimexdg-mime query default x-scheme-handler/https2⤵
-
/usr/bin/dbus-senddbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager3⤵
-
/usr/bin/dbus-launchdbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr4⤵
-
/bin/grepgrep " = \\\"xfce4\\\"\$"3⤵
-
/usr/bin/xpropxprop -root _DT_SAVE_MODE3⤵
-
/bin/grepgrep -i "^xfce_desktop_window"3⤵
-
/usr/bin/xpropxprop -root3⤵
-
/bin/grepgrep -q "^Enlightenment"3⤵
-
/bin/unameuname3⤵
-
/usr/bin/whichwhich firefox2⤵
-
/usr/bin/firefox/usr/bin/firefox https://www.kinitopet.com2⤵
-
/usr/bin/whichwhich /usr/bin/firefox3⤵
-
/usr/lib/firefox/firefox/usr/lib/firefox/firefox https://www.kinitopet.com2⤵
- Reads user data of web browsers
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dbus-launchdbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr3⤵
-
/usr/bin/dbus-daemon/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/bin/sedsed -n "s/\\(^[[:alnum:]+\\.-]*\\):.*\$/\\1/p"1⤵
- Reads runtime system information
-
/bin/sedsed "s/:/ /g"1⤵
- Reads runtime system information
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/cutcut -d "=" -f 21⤵
-
/usr/bin/cutcut -d ";" -f 11⤵
-
/bin/grepgrep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache1⤵
-
/usr/bin/cutcut -d ";" -f 11⤵
-
/usr/bin/cutcut -d "=" -f 21⤵
-
/usr/bin/headhead -n 11⤵
-
/bin/grepgrep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache1⤵
-
/usr/bin/cutcut -d ";" -f 11⤵
-
/usr/bin/cutcut -d "=" -f 21⤵
-
/usr/bin/headhead -n 11⤵
-
/bin/grepgrep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache1⤵
-
/usr/bin/cutcut -d ";" -f 11⤵
-
/usr/bin/cutcut -d "=" -f 21⤵
-
/usr/bin/headhead -n 11⤵
-
/bin/grepgrep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache1⤵
-
/usr/bin/cutcut -d ";" -f 11⤵
-
/usr/bin/cutcut -d "=" -f 21⤵
-
/usr/bin/headhead -n 11⤵
-
/bin/grepgrep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache1⤵
-
/bin/sedsed "s/:/ /g"1⤵
- Reads runtime system information
-
/bin/sedsed -e "s|-|/|"1⤵
- Reads runtime system information
-
/bin/sedsed -e "s|-|/|"1⤵
- Reads runtime system information
-
/usr/bin/cutcut "-d=" -f 2-1⤵
-
/usr/bin/cutcut "-d=" -f 2-1⤵
-
/usr/bin/cutcut "-d=" -f 2-1⤵
-
/usr/bin/cutcut "-d=" -f 2-1⤵
-
/usr/bin/lsb_release/usr/bin/lsb_release -idrc1⤵
-
/usr/lib/firefox/firefox/usr/lib/firefox/firefox -contentproc -parentBuildID 20230522134052 -prefsLen 19257 -prefMapSize 230809 -appDir /usr/lib/firefox/browser "{bc29a24a-173c-4c51-a329-5d4880b95868}" 1655 true socket1⤵
- Changes its process name
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/local/sbin/dbus-launchdbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr1⤵
-
/usr/local/bin/dbus-launchdbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr1⤵
-
/usr/sbin/dbus-launchdbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr1⤵
-
/usr/bin/dbus-launchdbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr1⤵
-
/usr/libexec/xdg-desktop-portal/usr/libexec/xdg-desktop-portal1⤵
- Reads runtime system information
-
/usr/libexec/xdg-document-portal/usr/libexec/xdg-document-portal1⤵
- Reads runtime system information
-
/usr/libexec/xdg-permission-store/usr/libexec/xdg-permission-store1⤵
- Reads runtime system information
-
/usr/libexec/xdg-desktop-portal-gtk/usr/libexec/xdg-desktop-portal-gtk1⤵
-
/usr/lib/gvfs/gvfsd/usr/lib/gvfs/gvfsd1⤵
- Reads runtime system information
-
/usr/lib/gvfs/gvfsd-fuse/usr/lib/gvfs/gvfsd-fuse /root/.gvfs -f -o big_writes1⤵
-
/usr/lib/firefox/firefox/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 21684 -prefMapSize 230809 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{d0971fa5-c327-41a4-a441-29eccfa7bd8e}" 1655 true tab1⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/lib/firefox/firefox/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 21352 -prefMapSize 230809 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{10bc4515-991f-4ba3-8995-abadd34716da}" 1655 true tab1⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/lib/firefox/firefox/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 21701 -prefMapSize 230809 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{fa04a668-2968-42bd-a779-ec659619522e}" 1655 true tab1⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/lib/firefox/firefox/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 27758 -prefMapSize 230809 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{092a303c-b85d-47be-bbfc-ca2c3916c79e}" 1655 true tab1⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
/root/.cache/dconf/userFilesize
2B
MD5a885273c8732bd3ba5dbed43bc254411
SHA1852e83bba4675ebebf92e4ecdefca6efe9fa9712
SHA2568c0e4ed1d0667f60c52c3cdc43e01aec868b140e8c3485e2aada52b5e40859fc
SHA512e4085ac3c32c3484be3061a78b480ffcad18ef6bdddf1d95147664055b849b07a9a901edc024fe41ca8fc01134ddee1f37d74b54de48b03c1cfd327045d51b1d
-
/root/.dbus/session-bus/11c67417355f45d397f6be11f62e85a6-0Filesize
466B
MD5d9838e57c691abdc0ceaed0611484086
SHA136143a561ce80731f1c292dd2222ed103acabbd2
SHA2565a5867e0190813aebcc40d64f1de44d69ec106d4e87179c9073189ab887b5b95
SHA512b8fafd1c0e3cb222fa193b03a644394cc430c0b72c4776ce4b92c2ece2116d316264491c87dbea97a9a0620268ed9fdee05dc790659dabd0e07ddfae203de587
-
/root/.mozilla/firefox/00yfqa4o.default-release/cert9.dbFilesize
224KB
MD53cb9773be6d81859a41fdcb18f628d99
SHA176a986c20052b6a9bb8ca49380aa2315192efd95
SHA25609dc5906db9aa2245db97925bd4f645301523f311b7366fcfd3386bb15bc4507
SHA5125d9b104300d55638eb4dbee85768cc7aef442ceec3b833caf23bdbbb5738837c9151f54bbbffca2c24df750ded6bd62a7b05c63e6adc05bcf9e0472d6e473d07
-
/root/.mozilla/firefox/00yfqa4o.default-release/compatibility.iniFilesize
163B
MD5fe452b7294d5928a9a5863b89ee0a6bd
SHA1a5d4c245071fa96476ba48b4725bdae7f1b7940f
SHA256d5bfb07561606a19aa96557ea109b175050dc0eb805cbef9c813503587d77900
SHA512dc37d8507f08849e3382d2dbafd4a64555dbd57a288c95131e9aefb366630f1585811a9e1456b861bb9d2b816ed88b18ffb7580cd92b41bb9b0227ce1363843e
-
/root/.mozilla/firefox/00yfqa4o.default-release/cookies.sqliteFilesize
96KB
MD59535f5fe817accc769c2c1d3354db39f
SHA16af62cf08717cf3bfa84eb1a7b311acf522ce560
SHA256c53c15fcfac2bb57fdc88d23f932fc244dbaf4020f0f6eaecf0f77a37c21f8c5
SHA512dc9c2c32eb42dda0a7a711e143aea58c603c1e9d885c3677e9fe86f525e1b0b32a46e240756263e56510b07e764ba69f2de13b90ec18210678242e10cfe17837
-
/root/.mozilla/firefox/00yfqa4o.default-release/cookies.sqliteFilesize
96KB
MD55caa766855d5613a999f71b7812d6451
SHA1ad0d9a52a0d5cc7f11858301dbe47377ed99ee37
SHA2563a8ce2b07e3e8678a13aa58ef5b942c4dccd8f9c84511bdeb8847ef270797e27
SHA51217bb0f4c87ec178910795b25ce85e74cf599190c769592472c3e872f42930c93f28faf0ff3e448816a9abcc8af0459852bed52bee08cfe25d068879c6dfd8eba
-
/root/.mozilla/firefox/00yfqa4o.default-release/key4.dbFilesize
288KB
MD596b8093750877844911ea85673b9b07f
SHA15620b1a4e46766421170bed2da72ab0361da7c27
SHA25650094fe156430710ac2541f14bcd0216b9fe0f2846872e91db907ad17675e2a3
SHA512891c05c874be897a13b165952d1aa7de0fe2b31e81ed55dedeb215730bd859a06c4e22eea8d90f3ed02ccd1d326a975d20becf8c2c52f3ae8cdaf4885cf184d2
-
/root/.mozilla/firefox/00yfqa4o.default-release/permissions.sqliteFilesize
96KB
MD5232fbc22dd03a8ec41edde02bdbea61c
SHA16ab4b39bca95418c52f7f861fd39e5fddb9cc7b6
SHA256d88bf367aaf79efbb2e8fbdb1dc5bde1c1c3a53e0f4d8188027a63ec55d5f5f0
SHA512055f1595f4a327347671db53cec8d89a310109d3f871c567e3d5b654b956fc0369d12437f7dc6d9327b973008f1327ee0dfdb5504f1b3cbe00da29941b1e5892
-
/root/.mozilla/firefox/00yfqa4o.default-release/prefs-1.jsFilesize
1KB
MD52285b28d74c331340a5e395c8534aa22
SHA1540e8d7321015ae9e5898950e9d53b2e7f5f9b81
SHA2563fe8045415c4f06510fab9d5e26680c432a20e07637463cd7a6eeea2c4cf740f
SHA51259e2cb3b106b0b037b6ad1f5ff1a77a159d9ec3093dc0f1c91838de9b5928d0c25e110fc728c3332e11f9370de45df3d228bd01a4309ff7dbc77b3ce02aacf31
-
/root/.mozilla/firefox/00yfqa4o.default-release/prefs-1.jsFilesize
2KB
MD51cb10ec2c6e7a1d09ea71bc5b4fa3196
SHA17153c26154e6ce63655bfe96f879bccd94d20add
SHA256e1bd71a931e5cd20ab8789531c22e23f1c80079aae268f10e34114395c0e5083
SHA512afb45d46d61b17c9b61bbfb3ed26586baed8298fc42a28930ccf9c451cf5b730e8a8df18632ea8b70669f02a3629517a56cf126e354787430b7e67b74948b94c
-
/root/.mozilla/firefox/00yfqa4o.default-release/prefs-1.jsFilesize
3KB
MD5d72ff30514752af0ac2ea5e103dde708
SHA193eea3cd7dfbabf5c6f929c3f3bc3654327adf5e
SHA25603fd967e70309d3b9d5fe125ab01cc6987586b5c816c72f25130f10da709b7a0
SHA512e2c614a6a193d0c14ab2b473f8d2ce05917a123eeb51d99262b9d6db4f4f8096e1a3f162a98e63dfcc6f2e9fa4ce1a2088877aa1a0877b05e56c0cd2bea66d27
-
/root/.mozilla/firefox/00yfqa4o.default-release/prefs.jsFilesize
1KB
MD59360f7a002748bacc3ac1fe0da138ace
SHA1f3ab9fe222236d13a4d1b927db5be6051f52cc1a
SHA256c16c3ec822b4ed9d14a854cc80f0803bf4f5b006d5c8aa7232a8aa1c4723ca43
SHA5128ad1b9059bb83fcba5a0e940a772a5eda2ed9e8d55aec8acd8f4d155afe5a1a77974225ce8f421c15fb60f45b8c855c13b676245ce995febe9122242726ee998
-
/root/.mozilla/firefox/00yfqa4o.default-release/storage/ls-archive.sqliteFilesize
96KB
MD5e0c613bfd69956a19ce2dc5e925aa223
SHA114accb230edcd6cb76967cdc6d4e5686db96b5df
SHA2560d4cb11f6364c46a75f9eaddfca5c660b90dfd515df3afcd5e0baeca28a0f1ab
SHA51201643c0131a392be92b3f281d7f633c1f502bff19090b0d716f1ac66aefecc3fcf92f393bef66b03089c9b9c6d8aaeb711b6a4f29d5a6729dd188c838f2272d1
-
/root/.mozilla/firefox/00yfqa4o.default-release/storage/ls-archive.sqliteFilesize
128KB
MD5178d71e5529d637ac62f7e75fdd75896
SHA1339f2b949cc4c207b66aea11137448ba28d36dcb
SHA2567b0050f1bfaab85c8f9067ae7d7369056ff752c0c852ef1462a96c22169004d4
SHA512ec0e0105fcfbbae356dd55efbcf92975f35bbe5cb93fcabf4c08443e871957635d14830b27c4e1ddefbbaff8f9b7ec3590bf417a9442e1d7ee3607d14d56f664
-
/root/.mozilla/firefox/00yfqa4o.default-release/storage/permanent/chrome/.metadata-v2-tmpFilesize
42B
MD5fceb4f2ff7d53140ed2494a6872b54a1
SHA1ee5bc81c5ec6e6748091f23c2b7930505237fe73
SHA256e2a4665308079e734ae9989bb1bb53ff48d1b8465905cde4883d7a3ba1e1fb26
SHA5121517c56570354d2fc59a72016c2fe7ded774e5f8057ba55a563b4dbc98d7dcb0b929251d2463979ddf4e02c21792a13e4183763fcdff6a31e11dd3023f044875
-
/root/.mozilla/firefox/00yfqa4o.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqliteFilesize
44KB
MD507a412e08825220262ad2890757ff779
SHA1f46c127dbc070ded87a6078b3c1c761955f96de8
SHA256da640f8b665841b520d2262a21cc3f82aeaa881cf81a1ddae27ef501d66544e4
SHA5120134c783bf3293848e479b478ac57a1e0f4202cddfb8b57bc6275aada7345f398cf8a627e9b1c34fd618192c2f0c9737b1da487daf33f9c557ebc1377105582b
-
/root/.mozilla/firefox/00yfqa4o.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqliteFilesize
12KB
MD52b741a3325d66de4f177ce0eb030644c
SHA1c9d459b4ab657c6f31fcc332923dd72230f64677
SHA2565bb3032c0c7fda7c8153246b1f743777b28f6c28fd4b39ab29949fa58e883d0f
SHA5126a08f388872203e4cd25dbe9608b5fc9c0cb2085c5e05611d71b6284381454d8aa1a54c7abb92a45ec1bae117fdf6742637ee9f5a41005738ef1d8de9b9a25b0
-
/root/.mozilla/firefox/00yfqa4o.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqliteFilesize
164KB
MD52740e90fd6c8cbc3c2eabb43c7da5c56
SHA1f577fff3598a72faad86b8eeaa0e6a43c4af77af
SHA256c2d9a1f07df91beb9bb05bb1af53d0456a072b4075ab4ed40a6df986df89046a
SHA51245e8f3cdc5b6cbaef73204bb9853866f5a16df3f0819e315b231708ad3c42e93a63e5b44b12508759e69093044904f9737a117d1158d1e7fc9fab74424c10c7d
-
/root/.mozilla/firefox/00yfqa4o.default-release/times.jsonFilesize
50B
MD5031bac755bd552416b655ad55da13e5c
SHA1ac5443b7fa9359dcef43723be8ad33b4a8e327b5
SHA256757119d0b7e3597bc1d6511fd4caa742c09029ad138b54dd8a44f72af932ad33
SHA5124d93a682682a44b56b58ab5ed886ccc264350d59ee53b51b464b914dc3ab11edd6f86a9a34e36eee6cc378f4a21684976570169beebc3e0e3c63e48581918a23
-
/root/.mozilla/firefox/00yfqa4o.default-release/times.jsonFilesize
47B
MD5946b7cb5ab4c0c971c7d00d69b3e7487
SHA10a8ac13d0bdcf944678f1fcc5280467f1f64f81a
SHA256b75a004bb7e28c8ff617efa754095efed78d8b5bf2b78b7aee5a32bbb3344a5c
SHA512c211e254938f584b3d78a6f3484e00cc8967305f42df7d5412e512da11c4d1d9b96114df84bba7521c53fe81023d5a24c188357c435432ed3449d64cdd7d8b82
-
/root/.mozilla/firefox/0vhnh9s4.default/times.jsonFilesize
47B
MD5db2645905154753a852b07f373edb7d0
SHA1a1c29899ed260bdc87e82d07b9484d5de8e4b75e
SHA256dafc53ba2f1f66dc64837ba7a2e0b97b82fc03eac95e1585987f4b0298b84299
SHA51238625aad6e3d222b474f45f7b3d4fc29f1b8132bfd726745389de7a5343613c1b38b39f7cdf771dffbcc3dd19dc1f808ebcd3534fd85ae0bde9f4da76491ccad
-
/root/.mozilla/firefox/Crash Reports/InstallTime20230522134052Filesize
10B
MD5931700f554cfaae928a6e11c3a9d44ad
SHA1cf946a78b294061703e719f34019147d884dc301
SHA25686583e7821bedbcae268ec800528291bfa6d3bd96c922015091e82a5c7b3a918
SHA51297d0662551384964d676728ea166c1ec266bb96bc51286ffe95bd284e8abfe714538ec3a1bb33cda214fc3fb333dc5d5f722b740708b45255f2ed356d7c3d4a1
-
/root/.mozilla/firefox/installs.iniFilesize
62B
MD5c3262ea41c9c2a230cae390004f42446
SHA16e230754e0028599fe4ac667a9db61e10e15ed26
SHA256792ac253db0453d6278569bac8b0c6b90689fe370aab56261ea959ad85bd38cb
SHA51296c74730e09e4bd2b14944b3d7926d6bd8d228afec0e82d6cc88ac9c9a09ee5081db491ef77d86b5369b1c1547028bf3dbfd523c33d1f5f398680af18d6eaad2
-
/root/.mozilla/firefox/profiles.iniFilesize
259B
MD5c36003411f420e9ad7e177ad7f7535c9
SHA10311c031bc948de86a6718297acf20f0e9353df4
SHA256cd47755db45fe95e69145ca5b180005fc76069091398dd92cfe8fc903d838fb1
SHA51219687ba29e991e4b6834a853faa392540547e7bbce6a9988a2d07c6376475810e70e80da9e4721991f3769d3dd0d1acc16c7c1493295cea3e99c958953b6835a