Analysis
  max time kernel:   92s
  max time network:  83s
  platform:          ubuntu-20.04_amd64
  resource:          ubuntu2004-amd64-20240508-en
  resource tags:     arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  submitted:         13-05-2024 16:39
  Static task:       static1
  URLScan task:      urlscan1
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  Process  PID   Path
  sniper   1973  /root/Downloads/sniper
  sniper   1976  /root/Downloads/sniper

Reads hardware information (1 TTP, 1 IoC)
Accesses system info like serial numbers, manufacturer names etc.
  sniper  File opened for reading  /sys/class/dmi/id/product_uuid
/sys/class/dmi/id/product_uuid is the SMBIOS system UUID. It is readable only by root (the sample runs from /root, so the read succeeds) and is a common source both for a per-host identifier and for hypervisor fingerprinting.

Reads list of loaded kernel modules (1 TTP, 1 IoC)
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
  sniper  File opened for reading  /proc/modules
On a guest, /proc/modules exposes paravirtual and guest-tools drivers (virtio, VMware, VirtualBox modules), which is why this read is flagged as a possible VM check.
Changes its process name (64 IoCs)
Changes the process name, possibly in an attempt to hide itself. The sandbox records the thread name (comm) and the thread ID; a count above 1 means the same thread was renamed more than once.
  Thread name      TID   Events
  gmain            1539  1
  gdbus            1541  1
  glean.dispatche  1542  1
  IPC I/O Parent   1544  3
  Timer            1545  2
  Netlink Monitor  1546  2
  Socket Thread    1547  2
  IPDL Background  1548  2
  Backgro~Pool #1  1549  2
  HTML5 Parser     1550  2
  pool-firefox     1551  1
  pool-firefox     1552  1
  JS Watchdog      1554  2
  glxtest:disk$0   1556  1
  BGReadURLs       1557  2
  Cache2 I/O       1558  1
  Cookie           1559  2
  StreamTrans #1   1560  2
  TaskCon~ller #0  1561  1
  TaskCon~ller #1  1562  1
  Worker Launcher  1563  2
  BgIOThr~Pool #1  1564  2
  Softwar~cThread  1566  3
  Renderer         1567  2
  WRWorker#0       1568  2
  WRWorkerLP#0     1569  2
  Compositor       1570  2
  CanvasRenderer   1571  2
  ImageIO          1572  2
  Permission       1573  2
  Breakpad Server  1574  1
  SandboxReporter  1575  2
  IPC Launch       1576  2
  Sandbox Forked   1577  1
  Chroot Helper    1580  1
  gmain            1581  1
  gdbus            1582  1
  pool-/usr/libex  1583  1
  gdbus            1588  1
Every name in this table is a standard Firefox or GLib worker-thread name set with prctl(PR_SET_NAME) (Socket Thread, Compositor, WRWorker, IPDL Background, the Breakpad and sandbox helpers, gmain/gdbus and the pool-* threads of GLib thread pools), and the TIDs 1539 to 1588 sit directly after the Firefox parent PID 1496 visible in the process tree. None of them belongs to the sample (sniper, PIDs 1973 and 1976), so for this run the signature is desktop-session noise. The kernel caps comm at 15 characters, which is why names such as glean.dispatche appear cut off.
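What the sandbox is actually seeing here is a thread renaming itself through prctl(PR_SET_NAME) and the new name showing up in /proc/<pid>/task/<tid>/comm. The block below is an added example, not code from the report or from the sample: it renames a worker thread to one of the names listed above, reads the name back the way a sandbox or EDR sensor would, and lists every thread whose comm differs from the process's own. It is Linux-only (prctl via ctypes, /proc); the PR_SET_NAME constant is the value from <linux/prctl.h>.

```python
"""Observe a "process name change" the way a Linux sandbox does.

Added example, not part of the sandbox report. Linux-only: uses prctl(2)
through ctypes and reads comm from /proc. The thread names passed to demo()
are borrowed from the report's IoC table purely to reproduce its entries.
"""
import ctypes
import os
import threading

PR_SET_NAME = 15  # <linux/prctl.h>; comm is at most 15 bytes plus NUL

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int


def set_thread_name(name: str) -> None:
    """Rename the *calling thread* (this is what GLib/Firefox worker threads do)."""
    buf = ctypes.create_string_buffer(name.encode()[:15])
    if _libc.prctl(PR_SET_NAME, buf, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def read_comm(tid=None, pid="self") -> str:
    """Kernel-side name of a process, or of one of its threads when tid is given."""
    path = f"/proc/{pid}/comm" if tid is None else f"/proc/{pid}/task/{tid}/comm"
    with open(path) as fh:
        return fh.read().rstrip("\n")


def renamed_threads(pid="self") -> dict:
    """Threads whose comm differs from the process comm: the set a sandbox flags."""
    own = read_comm(pid=pid)
    found = {}
    for tid in os.listdir(f"/proc/{pid}/task"):
        comm = read_comm(tid=tid, pid=pid)
        if comm != own:
            found[int(tid)] = comm
    return found


def demo(name: str = "Socket Thread") -> dict:
    """Start a thread, rename it, and observe it from /proc while it is alive."""
    renamed = threading.Event()
    release = threading.Event()
    seen = {}

    def worker():
        set_thread_name(name)
        seen["tid"] = threading.get_native_id()
        seen["comm"] = read_comm(tid=seen["tid"])   # what /proc reports for this thread
        renamed.set()
        release.wait()  # stay alive until the main thread has enumerated us

    t = threading.Thread(target=worker)
    t.start()
    renamed.wait()
    seen["listed"] = renamed_threads()   # includes the worker under its new name
    seen["main_comm"] = read_comm()      # the process name itself is unchanged
    release.set()
    t.join()
    return seen


if __name__ == "__main__":
    r = demo()
    print(f"process comm={r['main_comm']!r}; renamed threads={r['listed']}")
    print(f"15-byte cap: {demo('glean.dispatcher')['comm']!r}")
```

The second demo() call shows the truncation the report exhibits: a 16-character name is stored as its first 15 bytes. Note also that the process-level comm (main_comm) never changes, so a detector that only compares /proc/<pid>/comm against the executable name misses these thread-level renames entirely, while one that walks /proc/<pid>/task/* sees every Firefox thread and needs a baseline such as the list above to stay useful.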
Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information which indicates if the system is a virtual machine (/proc/cpuinfo carries the vendor/model strings and the hypervisor flag).
  firefox  File opened for reading  /proc/cpuinfo
  sniper   File opened for reading  /proc/cpuinfo

Reads CPU attributes (1 TTP, 14 IoCs)
  firefox   (11)  /sys/devices/system/cpu/present (8), /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (1), /sys/devices/system/cpu/cpu0/cache/index2/size (1), /sys/devices/system/cpu/cpu0/cache/index3/size (1)
  sniper    (1)   /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  nautilus  (2)   /sys/devices/system/cpu/online
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information. Grouped by process (event count in parentheses):
  glxtest (42)                     /sys/devices/system/cpu; /sys/bus/pci/devices; under /sys/bus/pci/devices/<dev>/ a subset of vendor, device, class, irq and resource for 0000:00:00.0, 0000:00:01.0, 0000:00:01.1, 0000:00:01.3, 0000:00:02.0, 0000:00:03.0, 0000:00:04.0, 0000:00:05.0 and 0000:00:06.0; for 0000:00:02.0 also /sys/devices/pci0000:00/0000:00:02.0/{device,uevent,subsystem_vendor,subsystem_device}
  firefox (8)                      /sys/devices/system/cpu (5); /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us (3)
  gvfs-mtp-volume-monitor (6)      /sys/bus; /sys/bus/usb/devices; /sys/class; /sys/devices/pci0000:00/0000:00:05.0/usb1/{1-0:1.0,1-1,1-1/1-1:1.0}/uevent
  gvfs-gphoto2-volume-monitor (6)  /sys/bus/usb/devices; /sys/class; /sys/devices/pci0000:00/0000:00:05.0/usb1/uevent and usb1/{1-0:1.0,1-1,1-1/1-1:1.0}/uevent
  sniper (1)                       /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
  dbus-daemon (1)                  /sys/kernel/security/apparmor/features/dbus/mask
Only one of the 64 events is the sample's. glxtest is Firefox's GPU probe helper (/usr/lib/firefox/glxtest in the process tree), so the PCI walk is the browser's, and the gvfs monitors are the desktop's USB device scan. The single sniper read, hpage_pmd_size, is a huge-page sizing query that some language runtimes perform at startup; on its own it is not evidence of hardware enumeration.
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem. Grouped by process:
  sniper                        /proc/1/environ; /proc/stat; /proc/bus/pci/devices; /proc/self/status
  dbus-daemon                   /proc/<pid>/cmdline for PIDs 1411, 1433, 1579, 1585, 1625, 1652, 1802, 1822, 1843; /proc/1417/status; /proc/mounts
  firefox                       /proc/self/mountinfo; /proc/filesystems; /proc/self/fd and /proc/self/fd/{12,67,78,95,97,117,118,119,123,129,133,135}; /proc/self/maps; /proc/self/stat; /proc/self/task/{1498,1600,1748,1762,1781}/stat
  gvfs-udisks2-volume-monitor   /proc/self/mountinfo; /proc/1/cgroup; /proc/filesystems
  file-roller                   /proc/self/mountinfo; /proc/filesystems
  gnome-terminal-server         /proc/self/fd; /proc/filesystems
  xdg-desktop-portal            /proc/filesystems; /proc/mounts
  nautilus                      /proc/self/mountinfo
  /proc/filesystems only        xdg-document-portal, dconf-service, gvfs-goa-volume-monitor, gvfs-gphoto2-volume-monitor, gvfsd-fuse, goa-daemon, gvfs-afc-volume-monitor, gvfs-mtp-volume-monitor, sed
The four sniper reads are the ones to weigh: /proc/1/environ is a common container-detection read (the init process's environment reveals a container manager), and /proc/bus/pci/devices gives the same PCI inventory that glxtest pulls from /sys. The dbus-daemon cmdline reads are the session bus identifying its peers; the remaining entries are ordinary desktop-service start-up.
Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
  firefox  File opened for modification  /tmp/firefox/.parentlock
  firefox  File opened for modification  /tmp/NFmVUfbF.zip
  firefox  File opened for modification  /tmp/tmpaddon
All three writes are Firefox's own (its profile lock, a download in progress and an add-on temp file); the sample wrote nothing under /tmp during the run.
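The signatures above are all of the same shape: a process opens a path under /proc, /sys or /tmp and the path is filed under exactly one rule. The block below is an added example, not the sandbox vendor's rule engine and not code from the report; it replays that classification over a constructed event log built from the IoC paths listed above, with the rule table ordered most-specific-first (which is what makes /proc/modules land under "kernel modules" rather than the generic /proc rule, as in the report) and a baseline set of session processes that is this example's own assumption, taken from the process tree further down.

```python
"""Replay the report's file-access signatures over a constructed event log.

Added example; it is not part of the sandbox report and not the sandbox
vendor's rule engine. EVENTS is constructed from the IoC paths the report
lists, and RULES and BASELINE are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class FileEvent:
    process: str   # short process name, as the report prints it
    op: str        # "read" (opened for reading) or "write" (opened for modification)
    path: str


# Constructed sample log: one event per IoC we want to exercise, taken from the report.
EVENTS = [
    FileEvent("sniper", "read", "/sys/class/dmi/id/product_uuid"),
    FileEvent("sniper", "read", "/proc/modules"),
    FileEvent("sniper", "read", "/proc/cpuinfo"),
    FileEvent("sniper", "read", "/proc/1/environ"),
    FileEvent("sniper", "read", "/proc/bus/pci/devices"),
    FileEvent("sniper", "read", "/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"),
    FileEvent("sniper", "read", "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"),
    FileEvent("firefox", "read", "/proc/cpuinfo"),
    FileEvent("firefox", "read", "/sys/devices/system/cpu/present"),
    FileEvent("firefox", "write", "/tmp/firefox/.parentlock"),
    FileEvent("firefox", "write", "/tmp/NFmVUfbF.zip"),
    FileEvent("glxtest", "read", "/sys/bus/pci/devices/0000:00:02.0/vendor"),
    FileEvent("nautilus", "read", "/sys/devices/system/cpu/online"),
    FileEvent("dbus-daemon", "read", "/proc/1822/cmdline"),
]

# Rule table, most specific first; a path is filed under the first rule it matches.
RULES = [
    ("Reads hardware information", "read", re.compile(r"^/sys/class/dmi/id/")),
    ("Reads list of loaded kernel modules", "read", re.compile(r"^/proc/modules$")),
    ("Checks CPU configuration", "read", re.compile(r"^/proc/cpuinfo$")),
    ("Reads CPU attributes", "read", re.compile(r"^/sys/devices/system/cpu/")),
    ("Enumerates kernel/hardware configuration", "read", re.compile(r"^/sys/")),
    ("Reads runtime system information", "read", re.compile(r"^/proc/")),
    ("Writes file to tmp directory", "write", re.compile(r"^/tmp/")),
]

# Processes the desktop session starts on its own (assumption drawn from the
# process tree in the report); their hits are baseline noise, not sample behaviour.
BASELINE = {"firefox", "glxtest", "nautilus", "dbus-daemon", "sed",
            "gvfs-mtp-volume-monitor", "gvfs-gphoto2-volume-monitor"}


def classify(events):
    """Return {process: {signature: [paths...]}} using first-match rule ordering."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name, op, rx in RULES:
            if ev.op == op and rx.match(ev.path):
                hits[ev.process][name].append(ev.path)
                break
    return {proc: dict(sigs) for proc, sigs in hits.items()}


def suspicious(events, baseline=BASELINE):
    """classify() restricted to processes that are not part of the session baseline."""
    return {p: s for p, s in classify(events).items() if p not in baseline}


if __name__ == "__main__":
    for proc, sigs in suspicious(EVENTS).items():
        for sig, paths in sigs.items():
            print(f"{proc}: {sig} ({len(paths)}): {', '.join(paths)}")
```

With the baseline applied, only sniper remains, carrying exactly the six signature names the report attaches to its second ./sniper run; without it, Firefox trips "Checks CPU configuration" and "Writes file to tmp directory" just as it does on the page. Whether a hit is interesting therefore depends less on the path than on which process opened it and whether that process was started by the analyst or by the desktop.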
Processes
Each entry is the executable path, then "=>" and the command line as executed; indentation is depth in the process tree, and the signatures that fired for a process are listed as bullets beneath it. Runs of the same command under /usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin and /snap/bin are the PATH lookup for a single command (one execve attempt per directory), not separate executions; for `net usershare info` all seven PATH entries were tried, which indicates the Samba `net` tool is not installed on the image. The xdg-mime lookups under /.local/share show that HOME was empty in that environment. The sample itself is started by hand in the gnome-terminal bash session: the first ./sniper shows no activity beyond the execve, then `chmod 777 sniper` is run, and the second ./sniper is the run that produced the hardware, kernel-module, CPU and /proc reads in the Signatures section.

/usr/bin/xdg-open => xdg-open https://workupload.com/file/ve7qmheuGB8
  /usr/bin/dbus-send => dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    /usr/bin/dbus-launch => dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
      /usr/bin/dbus-daemon => /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
        - Enumerates kernel/hardware configuration
        - Reads runtime system information
        /usr/libexec/xdg-desktop-portal => /usr/libexec/xdg-desktop-portal
          - Reads runtime system information
        /usr/libexec/xdg-document-portal => /usr/libexec/xdg-document-portal
          - Reads runtime system information
        /usr/libexec/xdg-permission-store => /usr/libexec/xdg-permission-store
        /usr/libexec/xdg-desktop-portal-gtk => /usr/libexec/xdg-desktop-portal-gtk
        /usr/libexec/gvfsd => /usr/libexec/gvfsd
          /usr/libexec/gvfsd-trash => /usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
        /usr/libexec/dconf-service => /usr/libexec/dconf-service
          - Reads runtime system information
        /usr/bin/nautilus => /usr/bin/nautilus --gapplication-service
          - Reads CPU attributes
          - Reads runtime system information
        /usr/bin/gnome-keyring-daemon => /usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
        /usr/libexec/gvfs-udisks2-volume-monitor => /usr/libexec/gvfs-udisks2-volume-monitor
          - Reads runtime system information
        /usr/libexec/gvfs-afc-volume-monitor => /usr/libexec/gvfs-afc-volume-monitor
          - Reads runtime system information
        /usr/libexec/gvfs-mtp-volume-monitor => /usr/libexec/gvfs-mtp-volume-monitor
          - Enumerates kernel/hardware configuration
          - Reads runtime system information
        /usr/libexec/gvfs-gphoto2-volume-monitor => /usr/libexec/gvfs-gphoto2-volume-monitor
          - Enumerates kernel/hardware configuration
          - Reads runtime system information
        /usr/libexec/gvfs-goa-volume-monitor => /usr/libexec/gvfs-goa-volume-monitor
          - Reads runtime system information
        /usr/libexec/goa-daemon => /usr/libexec/goa-daemon
          - Reads runtime system information
        /usr/libexec/goa-identity-service => /usr/libexec/goa-identity-service
        /usr/bin/nautilus => /usr/bin/nautilus --gapplication-service
          - Reads CPU attributes
          /usr/local/sbin/net => net usershare info
          /usr/local/bin/net => net usershare info
          /usr/sbin/net => net usershare info
          /usr/bin/net => net usershare info
          /sbin/net => net usershare info
          /bin/net => net usershare info
          /snap/bin/net => net usershare info
        /usr/libexec/gnome-terminal-server => /usr/libexec/gnome-terminal-server
          - Reads runtime system information
          /bin/bash => bash
            /usr/bin/groups => groups
            /usr/bin/lesspipe => lesspipe
              /usr/bin/basename => basename /usr/bin/lesspipe
              /usr/bin/dirname => dirname /usr/bin/lesspipe
            /usr/bin/dircolors => dircolors -b
            /root/Downloads/sniper => ./sniper
              - Executes dropped EXE
            /usr/bin/chmod => chmod 777 sniper
            /root/Downloads/sniper => ./sniper
              - Executes dropped EXE
              - Reads hardware information
              - Reads list of loaded kernel modules
              - Checks CPU configuration
              - Reads CPU attributes
              - Enumerates kernel/hardware configuration
              - Reads runtime system information
  /usr/bin/grep => grep " = \\\"xfce4\\\"\$"
  /usr/bin/xprop => xprop -root _DT_SAVE_MODE
  /usr/bin/grep => grep -i "^xfce_desktop_window"
  /usr/bin/xprop => xprop -root
  /usr/bin/grep => grep -q "^Enlightenment"
  /usr/bin/uname => uname
  /usr/bin/grep => grep -q "^file://"
  /usr/bin/egrep => egrep -q "^[[:alpha:]+\\.\\-]+:"
  /usr/local/sbin/grep => grep -E -q "^[[:alpha:]+\\.\\-]+:"
  /usr/local/bin/grep => grep -E -q "^[[:alpha:]+\\.\\-]+:"
  /usr/sbin/grep => grep -E -q "^[[:alpha:]+\\.\\-]+:"
  /usr/bin/grep => grep -E -q "^[[:alpha:]+\\.\\-]+:"
  /usr/bin/sed => sed -n "s/\\(^[[:alnum:]+\\.-]*\\):.*\$/\\1/p"
  /usr/bin/xdg-mime => xdg-mime query default x-scheme-handler/https
    /usr/bin/dbus-send => dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
      /usr/bin/dbus-launch => dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
    /usr/bin/grep => grep " = \\\"xfce4\\\"\$"
    /usr/bin/xprop => xprop -root _DT_SAVE_MODE
    /usr/bin/grep => grep -i "^xfce_desktop_window"
    /usr/bin/xprop => xprop -root
    /usr/bin/grep => grep -q "^Enlightenment"
    /usr/bin/uname => uname
    /usr/bin/sed => sed "s/:/ /g"
    /usr/bin/cut => cut -d ";" -f 1
    /usr/bin/cut => cut -d "=" -f 2
    /usr/bin/head => head -n 1
    /usr/bin/grep => grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    /usr/bin/cut => cut -d ";" -f 1
    /usr/bin/cut => cut -d "=" -f 2
    /usr/bin/head => head -n 1
    /usr/bin/grep => grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    /usr/bin/cut => cut -d ";" -f 1
    /usr/bin/cut => cut -d "=" -f 2
    /usr/bin/head => head -n 1
    /usr/bin/grep => grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    /usr/bin/cut => cut -d ";" -f 1
    /usr/bin/cut => cut -d "=" -f 2
    /usr/bin/head => head -n 1
    /usr/bin/grep => grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    /usr/bin/cut => cut -d ";" -f 1
    /usr/bin/cut => cut -d "=" -f 2
    /usr/bin/head => head -n 1
    /usr/bin/grep => grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
  /usr/bin/sed => sed "s/:/ /g"
  /usr/bin/sed => sed -e "s|-|/|"
  /usr/bin/sed => sed -e "s|-|/|"
    - Reads runtime system information
  /usr/bin/cut => cut "-d=" -f 2-
  /usr/bin/which => which firefox
  /usr/bin/cut => cut "-d=" -f 2-
  /usr/bin/cut => cut "-d=" -f 2-
  /usr/bin/cut => cut "-d=" -f 2-
  /usr/bin/firefox => /usr/bin/firefox https://workupload.com/file/ve7qmheuGB8
    /usr/bin/which => which /usr/bin/firefox
  /usr/lib/firefox/firefox => /usr/lib/firefox/firefox https://workupload.com/file/ve7qmheuGB8
    - Checks CPU configuration
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    - Writes file to tmp directory
    /usr/local/sbin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/local/bin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/sbin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/bin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/lib/firefox/glxtest => /usr/lib/firefox/glxtest -f 13
      - Enumerates kernel/hardware configuration
    /usr/bin/lsb_release => /usr/bin/lsb_release -idrc
    /usr/local/sbin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/local/bin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/sbin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/bin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 21838 -prefMapSize 235428 -appDir /usr/lib/firefox/browser "{be07fd5e-64e6-4a88-8bf4-c96219260956}" 1496 true socket
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20563 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{e224a9b2-f2a7-453d-89bc-668fe9a2c1d8}" 1496 true tab
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 28723 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{5c9358db-cb8f-447f-a912-2baeee7297ac}" 1496 true tab
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 29252 -prefMapSize 235428 -appDir /usr/lib/firefox/browser "{9a2a2a9e-4fd3-4c8f-84c5-5c3ae3aa658a}" 1496 true utility
      - Reads CPU attributes
      - Reads runtime system information
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25357 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{6e1ed468-c898-4f6d-bd89-38a78027eb92}" 1496 true tab
      - Reads CPU attributes
      - Reads runtime system information
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 25357 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{b73032e7-f788-49ea-bb52-986d68fb0fa7}" 1496 true tab
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
    /usr/lib/firefox/firefox => /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 25357 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{fa613c65-1f31-40ca-bbe2-5bc29b04360a}" 1496 true tab
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
/usr/libexec/gvfsd-fuse => /usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
  - Reads runtime system information
/bin/sh => /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/sniper.zip
/usr/local/sbin/file-roller => file-roller /root/Downloads/sniper.zip
/usr/local/bin/file-roller => file-roller /root/Downloads/sniper.zip
/usr/sbin/file-roller => file-roller /root/Downloads/sniper.zip
/usr/bin/file-roller => file-roller /root/Downloads/sniper.zip
  - Reads runtime system information
  /usr/local/sbin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  /usr/local/bin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  /usr/sbin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  /usr/bin/dbus-launch => dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  /usr/local/sbin/unzip => unzip -ZTs -- /root/Downloads/sniper.zip
  /usr/local/bin/unzip => unzip -ZTs -- /root/Downloads/sniper.zip
  /usr/sbin/unzip => unzip -ZTs -- /root/Downloads/sniper.zip
  /usr/bin/unzip => unzip -ZTs -- /root/Downloads/sniper.zip
  /usr/local/sbin/unzip => unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
  /usr/local/bin/unzip => unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
  /usr/sbin/unzip => unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
  /usr/bin/unzip => unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
Files listed are those the sandbox collected from disk after the run. Note that the archive the sample arrived in, /root/Downloads/sniper.zip (opened by file-roller and unzip in the process tree), is not itself collected; what is collected is Firefox's in-progress download file for it (sniper.WtXszY-b.zip.part, 5.3MB), the extracted ELF /root/Downloads/sniper (3.1MB) and its data/ directory, and a second, much smaller download (NFmVUfbF.zip.part, 8KB) whose contents the page does not show.

/root/.cache/dconf/user (2B)
  MD5     c4103f122d27677c9db144cae1394a66
  SHA1    1489f923c4dca729178b3e3233458550d8dddf29
  SHA256  96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
  SHA512  5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

/root/Downloads/NFmVUfbF.zip.part (8KB)
  MD5     54208f8b79c3f5a1c111a2671c42474c
  SHA1    c7730344a31ba3a46959227524b68f1b61c43fa1
  SHA256  207a14f9ef667da3d15ecb7114b6f00afb93a6bb6fca785137e55b2694108a5d
  SHA512  ba3a28f18b8cf2a4736f1a3ba58bbc071ef014eaa523ee12c97bcc63f646dedab0196eb103ad085922f0e4f4b6ebd689ce8d7686a1d3f944be133859cda3e486

/root/Downloads/data/alts.txt (15KB)
  MD5     5ef80b4386adc807a34dfdf1fdface84
  SHA1    fde50413385f3074cfad37f07809cc52744e5527
  SHA256  e89fefb2a6815da89902c46b18b43dd0c01ffaa885a0df7edfd51bd9750b5afc
  SHA512  7ed69523a142f5063966a21d14497e3f2e01fc9203bb0767de02f064bbed2bca83679667fffb3a9011743bbde579181bb36f33ce43a71aa8c6ba5db78f52430b

/root/Downloads/data/claimToken.txt (71B)
  MD5     4668499ba3803a40733c16e6194db75f
  SHA1    145817933f93de6b6a8fef52fec1f401f4e440b4
  SHA256  08e0cc3d64375e4907bf5cdf55a80d5e22608cc31c27df56f4d167bcfc75df76
  SHA512  47deec9e811bbdd9c6ad5df09f4ebb9c788b8f31f4748dc553b99479c2f716939fe2c4cd9132130d00fa5f6986de1ebe2abc57c9b37a449e61635ac8d6d6a1de

/root/Downloads/data/config.json (940B)
  MD5     01b4fce3171841995945904498378f5b
  SHA1    8cc3b92af1df9a4cb293fc6270ce11bf1575aad5
  SHA256  07034d71887a48e8fd30cdd388790dd64c46eb8fb6ac953a5461f165e5d6697f
  SHA512  ce28596412a242bf8ccaa8ae3f893ed3c9d80785abaedbabe5de570775bbe3b24e57fccb8066d502a3ba48b6364c8a2ce96f7eb1b9e046faa303d475bce4de6f

/root/Downloads/data/invites.txt (118.0MB)
  MD5     2fd3e55df096125bcc4ef26280950a25
  SHA1    d6631a3c19b272332f694a8897f7a368c2c1b1ed
  SHA256  c5a7944579fd45f8d31cfba24ac076f45977a8ccb9d8d441510a84df3b638a2f
  SHA512  49c493027440323b66438e44eed6c7b0874fd2f43c479ca4b20e25e0d66397f7256604f036c3ddd6be4d45e81ba384b8f52ac45bf68c66929f47163b5cd12660

/root/Downloads/sniper (3.1MB)
  MD5     dca2601f7063962d4db50ef21aaa1865
  SHA1    ab5f6d04d01527b1b134df7859781ec4151b5d85
  SHA256  44b62fdd1ce8a60931e52976983bac1203056a3827e6376299af66283140cc2d
  SHA512  0e76e6152bebd33ff6b4b2561d8b1c08c2bc39af517a6e0c10f5ef4b1b1d0a3f32f462d22033d4d89951dd763c0e7c52bafd918809f7a61de76de1edb1033af0

/root/Downloads/sniper.WtXszY-b.zip.part (5.3MB)
  MD5     cbbc75f7215ebd9acb6783a3c042cbbe
  SHA1    d7b5f01fde175ad1d7129c8959fef03bc4c0b3af
  SHA256  83011c24984a38fcc9ab7ea0f94f89d65ced89a207da8bd006f70787dc1b2920
  SHA512  a011d9b819cf63e0f0b6a3b21fb066bcc6c6429833626a5329bde9074564a9c30bcf01954580bcac2e0999f0a814b4e566fc2f9ba624de26f43d3d584f840108

/tmp/tmpaddon (569KB)
  MD5     30082ae40dc48af6343db2fd22cfc645
  SHA1    3eb577555ee638e8beb01173e8f29e172747a728
  SHA256  85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76
  SHA512  53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c