hxxps://shop[.]pe/widget/main/init/params?siteid=605b561993f3c33a0f851b38&product=Honor%20Society&product_url=https%3A%2F%2Fmembership[.]honorsociety[.]org%2Fmember%2Fdues&image=&price=&currency=undefined&rating=0&rating_count=0&review_count=0&stock_status=&description=&update_product=true&subcategory=&url=https%3A%2F%2Fmembership[.]honorsociety[.]org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen[.]net&callback=AddShoppersWidget[.]load_widget&no_cookie_callback=AddShoppersWidget[.]load_no_cookie&sos=false&rand=82306&cookie=&referer=

General

Target

https://shop.pe/widget/main/init/params?siteid=605b561993f3c33a0f851b38&product=Honor%20Society&product_url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues&image=&price=&currency=undefined&rating=0&rating_count=0&review_count=0&stock_status=&description=&update_product=true&subcategory=&url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&callback=AddShoppersWidget.load_widget&no_cookie_callback=AddShoppersWidget.load_no_cookie&sos=false&rand=82306&cookie=&referer=

Score

4^/10

antivm

Malware Config

Signatures

Changes its process name 64 IoCs

Processes:

firefox

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	gmain	1626
Changes the process name, possibly in an attempt to hide itself	gdbus	1628
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1629
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1631
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1631
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1631
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1637
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1637
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1636
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1636
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1635
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1635
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1634
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1634
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1633
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1633
Changes the process name, possibly in an attempt to hide itself	Timer	1632
Changes the process name, possibly in an attempt to hide itself	Timer	1632
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1639
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1638
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1641
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1641
Changes the process name, possibly in an attempt to hide itself	glxtest:disk$0	1643
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1644
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1644
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1645
Changes the process name, possibly in an attempt to hide itself	Cookie	1646
Changes the process name, possibly in an attempt to hide itself	Cookie	1646
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1647
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1647
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1649
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1648
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1650
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1650
Changes the process name, possibly in an attempt to hide itself	QuotaManager IO	1651
Changes the process name, possibly in an attempt to hide itself	QuotaManager IO	1651
Changes the process name, possibly in an attempt to hide itself	IndexedDB #1	1652
Changes the process name, possibly in an attempt to hide itself	IndexedDB #1	1652
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1655
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1655
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1654
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1654
Changes the process name, possibly in an attempt to hide itself	Breakpad Server	1653
Changes the process name, possibly in an attempt to hide itself	DOM Worker	1657
Changes the process name, possibly in an attempt to hide itself	Sandbox Forked	1656
Changes the process name, possibly in an attempt to hide itself	DOM Worker	1657
Changes the process name, possibly in an attempt to hide itself	Chroot Helper	1658
Changes the process name, possibly in an attempt to hide itself	StreamTrans #3	1661
Changes the process name, possibly in an attempt to hide itself	StreamTrans #3	1661
Changes the process name, possibly in an attempt to hide itself	StreamTrans #2	1660
Changes the process name, possibly in an attempt to hide itself	StreamTrans #2	1660
Changes the process name, possibly in an attempt to hide itself	MainThread	1656	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Child	1662
Changes the process name, possibly in an attempt to hide itself	IPC I/O Child	1662
Changes the process name, possibly in an attempt to hide itself	IPC I/O Child	1662
Changes the process name, possibly in an attempt to hide itself	Socket Process	1656	firefox
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1663
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1664
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1664
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1663
Changes the process name, possibly in an attempt to hide itself	Timer	1665
Changes the process name, possibly in an attempt to hide itself	Timer	1665
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1666
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1666

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

firefox

description ioc process

File opened for reading /proc/cpuinfo firefox

description	ioc	process
File opened for reading	/proc/cpuinfo	firefox

Reads CPU attributes 1 TTPs 14 IoCs

System Information Discovery

T1082

Processes:

firefoxfirefoxfirefoxfirefoxfirefoxfirefoxnautilusfirefoxfirefoxfirefoxfirefox

description	ioc	process
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

glxtestgvfs-mtp-volume-monitorgvfs-gphoto2-volume-monitordbus-daemonfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefox

description	ioc	process
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	glxtest
File opened for reading	/sys/bus	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/resource	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/class	gvfs-mtp-volume-monitor
File opened for reading	/sys/class	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/resource	glxtest
File opened for reading	/sys/devices/system/cpu	glxtest
File opened for reading	/sys/bus	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	glxtest

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

firefoxgvfs-afc-volume-monitorfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxxdg-desktop-portalsedfirefoxgvfs-gphoto2-volume-monitorsedsedfirefoxfirefoxdconf-servicedbus-daemongvfs-udisks2-volume-monitordbus-sendgvfsd-trashgnome-keyring-daemon

description	ioc	process
File opened for reading	/proc/self/fd/90	firefox
File opened for reading	/proc/1847/statm	firefox
File opened for reading	/proc/filesystems	gvfs-afc-volume-monitor
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/1851/smaps	firefox
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/mounts	xdg-desktop-portal
File opened for reading	/proc/self/fd/36	firefox
File opened for reading	/proc/filesystems	xdg-desktop-portal
File opened for reading	/proc/self/fd/83	firefox
File opened for reading	/proc/1847/smaps	firefox
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd/102	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/filesystems	gvfs-gphoto2-volume-monitor
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/task/1773/stat	firefox
File opened for reading	/proc/self/task/1857/stat	firefox
File opened for reading	/proc/1622/root	xdg-desktop-portal
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/49	firefox
File opened for reading	/proc/filesystems	dconf-service
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/32	firefox
File opened for reading	/proc/cmdline	dconf-service
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/task/1793/stat	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/1961/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/fd/44	firefox
File opened for reading	/proc/1677/cmdline	dbus-daemon
File opened for reading	/proc/1683/cmdline	dbus-daemon
File opened for reading	/proc/1726/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/fd/101	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/fd/35	firefox
File opened for reading	/proc/filesystems	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/50	firefox
File opened for reading	/proc/self/fd/53	firefox
File opened for reading	/proc/1710/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/1766/statm	firefox
File opened for reading	/proc/1961/cmdline	dbus-daemon
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/1688/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	gvfsd-trash
File opened for reading	/proc/self/fd/52	firefox
File opened for reading	/proc/sys/kernel/cap_last_cap	gnome-keyring-daemon
File opened for reading	/proc/1/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/stat	firefox

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

firefox

description ioc process

File opened for modification /tmp/firefox/.parentlock firefox

description	ioc	process
File opened for modification	/tmp/firefox/.parentlock	firefox

/usr/bin/xdg-open
xdg-open "https://shop.pe/widget/main/init/params?siteid=605b561993f3c33a0f851b38&product=Honor%20Society&product_url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues&image=&price=&currency=undefined&rating=0&rating_count=0&review_count=0&stock_status=&description=&update_product=true&subcategory=&url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&callback=AddShoppersWidget.load_widget&no_cookie_callback=AddShoppersWidget.load_no_cookie&sos=false&rand=82306&cookie=&referer="
1⤵
PID:1524

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
2⤵
PID:1525

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
3⤵
PID:1526

/usr/bin/dbus-daemon
/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1528

/usr/libexec/xdg-desktop-portal
/usr/libexec/xdg-desktop-portal
5⤵
- Reads runtime system information
PID:1677

/usr/libexec/xdg-document-portal
/usr/libexec/xdg-document-portal
5⤵
PID:1683

/usr/libexec/xdg-permission-store
/usr/libexec/xdg-permission-store
5⤵
PID:1688

/usr/libexec/xdg-desktop-portal-gtk
/usr/libexec/xdg-desktop-portal-gtk
5⤵
PID:1698

/usr/libexec/gvfsd
/usr/libexec/gvfsd
5⤵
PID:1705

/usr/libexec/gvfsd-trash
/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
6⤵
- Reads runtime system information
PID:1729

/usr/libexec/dconf-service
/usr/libexec/dconf-service
5⤵
- Reads runtime system information
PID:1721

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
5⤵
- Reads CPU attributes
PID:1726

/usr/bin/gnome-keyring-daemon
/usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
5⤵
- Reads runtime system information
PID:1954

/usr/libexec/gvfs-udisks2-volume-monitor
/usr/libexec/gvfs-udisks2-volume-monitor
5⤵
- Reads runtime system information
PID:1961

/usr/libexec/gvfs-afc-volume-monitor
/usr/libexec/gvfs-afc-volume-monitor
5⤵
- Reads runtime system information
PID:1968

/usr/libexec/gvfs-mtp-volume-monitor
/usr/libexec/gvfs-mtp-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
PID:1974

/usr/libexec/gvfs-gphoto2-volume-monitor
/usr/libexec/gvfs-gphoto2-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1979

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
2⤵
PID:1532

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
2⤵
PID:1531

/usr/bin/grep
grep -i "^xfce_desktop_window"
2⤵
PID:1534

/usr/bin/xprop
xprop -root
2⤵
PID:1533

/usr/bin/grep
grep -q "^Enlightenment"
2⤵
PID:1536

/usr/bin/uname
uname
2⤵
PID:1537

/usr/bin/grep
grep -q "^file://"
2⤵
PID:1541

/usr/bin/egrep
egrep -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1543

/usr/local/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1543

/usr/local/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1543

/usr/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1543

/usr/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1543

/usr/bin/sed
sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
2⤵
- Reads runtime system information
PID:1546

/usr/bin/xdg-mime
xdg-mime query default x-scheme-handler/https
2⤵
PID:1547

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
3⤵
- Reads runtime system information
PID:1548

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
4⤵
PID:1550

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
3⤵
PID:1553

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
3⤵
PID:1552

/usr/bin/grep
grep -i "^xfce_desktop_window"
3⤵
PID:1556

/usr/bin/xprop
xprop -root
3⤵
PID:1555

/usr/bin/grep
grep -q "^Enlightenment"
3⤵
PID:1559

/usr/bin/uname
uname
3⤵
PID:1561

/usr/bin/sed
sed "s/:/ /g"
3⤵
PID:1564

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1570

/usr/bin/grep
grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1567

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1569

/usr/bin/head
head -n 1
3⤵
PID:1568

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1576

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1575

/usr/bin/head
head -n 1
3⤵
PID:1574

/usr/bin/grep
grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1573

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1582

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1581

/usr/bin/head
head -n 1
3⤵
PID:1580

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1579

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1587

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1586

/usr/bin/head
head -n 1
3⤵
PID:1585

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1584

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1592

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1591

/usr/bin/head
head -n 1
3⤵
PID:1590

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
3⤵
PID:1589

/usr/bin/sed
sed "s/:/ /g"
2⤵
PID:1595

/usr/bin/sed
sed -e "s|-|/|"
2⤵
- Reads runtime system information
PID:1598

/usr/bin/sed
sed -e "s|-|/|"
2⤵
- Reads runtime system information
PID:1601

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1606

/usr/bin/which
which firefox
2⤵
PID:1607

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1610

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1613

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1621

/usr/bin/firefox
/usr/bin/firefox "https://shop.pe/widget/main/init/params?siteid=605b561993f3c33a0f851b38&product=Honor%20Society&product_url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues&image=&price=&currency=undefined&rating=0&rating_count=0&review_count=0&stock_status=&description=&update_product=true&subcategory=&url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&callback=AddShoppersWidget.load_widget&no_cookie_callback=AddShoppersWidget.load_no_cookie&sos=false&rand=82306&cookie=&referer="
2⤵
PID:1622

/usr/bin/which
which /usr/bin/firefox
3⤵
PID:1623

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox "https://shop.pe/widget/main/init/params?siteid=605b561993f3c33a0f851b38&product=Honor%20Society&product_url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues&image=&price=&currency=undefined&rating=0&rating_count=0&review_count=0&stock_status=&description=&update_product=true&subcategory=&url=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&callback=AddShoppersWidget.load_widget&no_cookie_callback=AddShoppersWidget.load_no_cookie&sos=false&rand=82306&cookie=&referer="
2⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1622

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1627

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1627

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1627

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1627

/usr/lib/firefox/glxtest
/usr/lib/firefox/glxtest -f 13
3⤵
- Enumerates kernel/hardware configuration
PID:1630

/usr/bin/lsb_release
/usr/bin/lsb_release -idrc
3⤵
PID:1642

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 20252 -prefMapSize 231436 -appDir /usr/lib/firefox/browser "{854a106d-2095-4361-9556-784dd49feea3}" 1622 true socket
3⤵
- Changes its process name
- Reads CPU attributes
- Reads runtime system information
PID:1656

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1667

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1667

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1667

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1667

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 22645 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{b32bccce-14c1-4b02-a545-119e78020746}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1740

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 22313 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{ab0ec1fb-f7a6-46e1-bd1d-c227d7d5e328}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1766

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 22662 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{e036cedb-7c50-4155-8081-2ad92286bd1f}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1790

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 28662 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{6396fedb-b28f-48e4-99c0-119f93b9cde7}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1808

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 29796 -prefMapSize 231436 -appDir /usr/lib/firefox/browser "{8cc02baa-45be-48a5-87b1-627ec7bdddf1}" 1622 true utility
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1845

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 27904 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{898548d0-9f4a-4747-9266-4788916ade72}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1847

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 27904 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{202451a6-13e2-435d-99c2-65c9a2d9e2aa}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1851

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 27904 -prefMapSize 231436 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{a6f2c7d9-953c-4ffb-969d-3f4427e724cb}" 1622 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1862

/usr/libexec/gvfsd-fuse
/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
1⤵
PID:1710

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/dconf/user
Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/root/.dbus/session-bus/4816dd152e8c48ff97e9117d197c13d8-0
Filesize
466B

MD5
21e4d3a41d814d9a22066aa212ac01da

SHA1
8a589ce14bd6817d96dda40cd758baedf05fda26

SHA256
0e45a7605aa988c66a6bae540fe127feb2634e0c193cbfdd2a7948063661c515

SHA512
ec7d9ea9239ffa606049e8b0f0c5207935593c7bcbe2866f60b785b49333992195d693ad66f3457c858edce5dac682c268042156b797b2e1b3cf36d077af22b5

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads