hxxps://workupload[.]com/file/ve7qmheuGB8

Analysis

max time kernel
92s
max time network
83s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
13-05-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/ve7qmheuGB8

Score

7^/10

antivm evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

snipersniper

ioc pid process

/root/Downloads/sniper 1973 sniper
/root/Downloads/sniper 1976 sniper
Reads hardware information 1 TTPs 1 IoCs
Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery
T1082

Processes:

sniper

description ioc process

File opened for reading /sys/class/dmi/id/product_uuid sniper
Reads list of loaded kernel modules 1 TTPs 1 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
evasion

Virtualization/Sandbox Evasion
T1497

Processes:

sniper

description ioc process

File opened for reading /proc/modules sniper

ioc	pid	process
/root/Downloads/sniper	1973	sniper
/root/Downloads/sniper	1976	sniper

description	ioc	process
File opened for reading	/sys/class/dmi/id/product_uuid	sniper

description	ioc	process
File opened for reading	/proc/modules	sniper

Changes its process name 64 IoCs

Processes:

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	gmain	1539
Changes the process name, possibly in an attempt to hide itself	gdbus	1541
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1542
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1544
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1544
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1544
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1550
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1550
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1549
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1549
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1548
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1548
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1547
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1547
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1546
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1546
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1552
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1551
Changes the process name, possibly in an attempt to hide itself	Timer	1545
Changes the process name, possibly in an attempt to hide itself	Timer	1545
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1554
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1554
Changes the process name, possibly in an attempt to hide itself	glxtest:disk$0	1556
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1557
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1557
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1558
Changes the process name, possibly in an attempt to hide itself	Cookie	1559
Changes the process name, possibly in an attempt to hide itself	Cookie	1559
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1560
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1560
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1562
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1561
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1563
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1563
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1564
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1564
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1566
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1566
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1566
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1571
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1571
Changes the process name, possibly in an attempt to hide itself	Compositor	1570
Changes the process name, possibly in an attempt to hide itself	Compositor	1570
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1569
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1569
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1568
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1568
Changes the process name, possibly in an attempt to hide itself	Renderer	1567
Changes the process name, possibly in an attempt to hide itself	Renderer	1567
Changes the process name, possibly in an attempt to hide itself	ImageIO	1572
Changes the process name, possibly in an attempt to hide itself	ImageIO	1572
Changes the process name, possibly in an attempt to hide itself	Permission	1573
Changes the process name, possibly in an attempt to hide itself	Permission	1573
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1576
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1576
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1575
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1575
Changes the process name, possibly in an attempt to hide itself	Breakpad Server	1574
Changes the process name, possibly in an attempt to hide itself	Sandbox Forked	1577
Changes the process name, possibly in an attempt to hide itself	gmain	1581
Changes the process name, possibly in an attempt to hide itself	gdbus	1582
Changes the process name, possibly in an attempt to hide itself	pool-/usr/libex	1583
Changes the process name, possibly in an attempt to hide itself	gdbus	1588
Changes the process name, possibly in an attempt to hide itself	Chroot Helper	1580

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

firefoxsniper

description ioc process

File opened for reading /proc/cpuinfo firefox
File opened for reading /proc/cpuinfo sniper

description	ioc	process
File opened for reading	/proc/cpuinfo	firefox
File opened for reading	/proc/cpuinfo	sniper

Reads CPU attributes 1 TTPs 14 IoCs

System Information Discovery

T1082

Processes:

firefoxfirefoxsniperfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxnautilusnautilus

description	ioc	process
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	sniper
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/online	nautilus

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

firefoxgvfs-mtp-volume-monitorglxtestgvfs-gphoto2-volume-monitorfirefoxfirefoxfirefoxsniperfirefoxfirefoxdbus-daemon

description	ioc	process
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	glxtest
File opened for reading	/sys/devices/system/cpu	glxtest
File opened for reading	/sys/bus	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	glxtest
File opened for reading	/sys/class	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	glxtest
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/class	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	sniper
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	glxtest

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

firefoxdbus-daemonnautilussniperfirefoxgvfs-goa-volume-monitorfile-rollergnome-terminal-serverxdg-desktop-portalfirefoxfirefoxxdg-document-portaldconf-servicegvfs-udisks2-volume-monitorgvfs-gphoto2-volume-monitorgvfsd-fusefirefoxgoa-daemonfirefoxgvfs-afc-volume-monitorsedfirefoxgvfs-mtp-volume-monitor

description	ioc	process
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/1822/cmdline	dbus-daemon
File opened for reading	/proc/1843/cmdline	dbus-daemon
File opened for reading	/proc/self/mountinfo	nautilus
File opened for reading	/proc/1/environ	sniper
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	gvfs-goa-volume-monitor
File opened for reading	/proc/self/mountinfo	file-roller
File opened for reading	/proc/self/fd	gnome-terminal-server
File opened for reading	/proc/stat	sniper
File opened for reading	/proc/self/fd	firefox
File opened for reading	/proc/filesystems	xdg-desktop-portal
File opened for reading	/proc/self/fd/95	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/filesystems	xdg-document-portal
File opened for reading	/proc/filesystems	dconf-service
File opened for reading	/proc/1625/cmdline	dbus-daemon
File opened for reading	/proc/1652/cmdline	dbus-daemon
File opened for reading	/proc/self/mountinfo	gvfs-udisks2-volume-monitor
File opened for reading	/proc/filesystems	gvfs-gphoto2-volume-monitor
File opened for reading	/proc/filesystems	gvfsd-fuse
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/123	firefox
File opened for reading	/proc/self/fd/135	firefox
File opened for reading	/proc/1/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/filesystems	goa-daemon
File opened for reading	/proc/bus/pci/devices	sniper
File opened for reading	/proc/self/task/1498/stat	firefox
File opened for reading	/proc/self/fd/67	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/task/1762/stat	firefox
File opened for reading	/proc/1579/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/78	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/task/1781/stat	firefox
File opened for reading	/proc/filesystems	gnome-terminal-server
File opened for reading	/proc/filesystems	gvfs-afc-volume-monitor
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd/12	firefox
File opened for reading	/proc/self/task/1600/stat	firefox
File opened for reading	/proc/self/fd/97	firefox
File opened for reading	/proc/self/fd/117	firefox
File opened for reading	/proc/1433/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/118	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	gvfs-udisks2-volume-monitor
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/1585/cmdline	dbus-daemon
File opened for reading	/proc/self/task/1748/stat	firefox
File opened for reading	/proc/filesystems	file-roller
File opened for reading	/proc/1417/status	dbus-daemon
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	gvfs-mtp-volume-monitor
File opened for reading	/proc/mounts	xdg-desktop-portal
File opened for reading	/proc/self/status	sniper
File opened for reading	/proc/1411/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/119	firefox
File opened for reading	/proc/self/fd/129	firefox
File opened for reading	/proc/self/fd/133	firefox
File opened for reading	/proc/1802/cmdline	dbus-daemon
File opened for reading	/proc/self/stat	firefox

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

firefox

description	ioc	process
File opened for modification	/tmp/firefox/.parentlock	firefox
File opened for modification	/tmp/NFmVUfbF.zip	firefox
File opened for modification	/tmp/tmpaddon	firefox

/usr/bin/xdg-open
xdg-open https://workupload.com/file/ve7qmheuGB8
1⤵
PID:1410

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
2⤵
PID:1411

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
3⤵
PID:1412

/usr/bin/dbus-daemon
/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1415

/usr/libexec/xdg-desktop-portal
/usr/libexec/xdg-desktop-portal
5⤵
- Reads runtime system information
PID:1579

/usr/libexec/xdg-document-portal
/usr/libexec/xdg-document-portal
5⤵
- Reads runtime system information
PID:1585

/usr/libexec/xdg-permission-store
/usr/libexec/xdg-permission-store
5⤵
PID:1590

/usr/libexec/xdg-desktop-portal-gtk
/usr/libexec/xdg-desktop-portal-gtk
5⤵
PID:1599

/usr/libexec/gvfsd
/usr/libexec/gvfsd
5⤵
PID:1604

/usr/libexec/gvfsd-trash
/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
6⤵
PID:1652

/usr/libexec/dconf-service
/usr/libexec/dconf-service
5⤵
- Reads runtime system information
PID:1625

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
5⤵
- Reads CPU attributes
- Reads runtime system information
PID:1630

/usr/bin/gnome-keyring-daemon
/usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
5⤵
PID:1822

/usr/libexec/gvfs-udisks2-volume-monitor
/usr/libexec/gvfs-udisks2-volume-monitor
5⤵
- Reads runtime system information
PID:1831

/usr/libexec/gvfs-afc-volume-monitor
/usr/libexec/gvfs-afc-volume-monitor
5⤵
- Reads runtime system information
PID:1837

/usr/libexec/gvfs-mtp-volume-monitor
/usr/libexec/gvfs-mtp-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1843

/usr/libexec/gvfs-gphoto2-volume-monitor
/usr/libexec/gvfs-gphoto2-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1850

/usr/libexec/gvfs-goa-volume-monitor
/usr/libexec/gvfs-goa-volume-monitor
5⤵
- Reads runtime system information
PID:1855

/usr/libexec/goa-daemon
/usr/libexec/goa-daemon
5⤵
- Reads runtime system information
PID:1861

/usr/libexec/goa-identity-service
/usr/libexec/goa-identity-service
5⤵
PID:1868

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
5⤵
- Reads CPU attributes
PID:1943

/usr/local/sbin/net
net usershare info
6⤵
PID:1952

/usr/local/bin/net
net usershare info
6⤵
PID:1952

/usr/sbin/net
net usershare info
6⤵
PID:1952

/usr/bin/net
net usershare info
6⤵
PID:1952

/sbin/net
net usershare info
6⤵
PID:1952

/bin/net
net usershare info
6⤵
PID:1952

/snap/bin/net
net usershare info
6⤵
PID:1952

/usr/libexec/gnome-terminal-server
/usr/libexec/gnome-terminal-server
5⤵
- Reads runtime system information
PID:1954

/bin/bash
bash
6⤵
PID:1960

/usr/bin/groups
groups
7⤵
PID:1961

/usr/bin/lesspipe
lesspipe
7⤵
PID:1962

/usr/bin/basename
basename /usr/bin/lesspipe
8⤵
PID:1963

/usr/bin/dirname
dirname /usr/bin/lesspipe
8⤵
PID:1965

/usr/bin/dircolors
dircolors -b
7⤵
PID:1966

/root/Downloads/sniper
./sniper
7⤵
- Executes dropped EXE
PID:1973

/usr/bin/chmod
chmod 777 sniper
7⤵
PID:1974

/root/Downloads/sniper
./sniper
7⤵
- Executes dropped EXE
- Reads hardware information
- Reads list of loaded kernel modules
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1976

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
2⤵
PID:1419

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
2⤵
PID:1418

/usr/bin/grep
grep -i "^xfce_desktop_window"
2⤵
PID:1421

/usr/bin/xprop
xprop -root
2⤵
PID:1420

/usr/bin/grep
grep -q "^Enlightenment"
2⤵
PID:1423

/usr/bin/uname
uname
2⤵
PID:1424

/usr/bin/grep
grep -q "^file://"
2⤵
PID:1426

/usr/bin/egrep
egrep -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1428

/usr/local/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1428

/usr/local/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1428

/usr/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1428

/usr/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1428

/usr/bin/sed
sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
2⤵
PID:1431

/usr/bin/xdg-mime
xdg-mime query default x-scheme-handler/https
2⤵
PID:1432

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
3⤵
PID:1433

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
4⤵
PID:1434

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
3⤵
PID:1436

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
3⤵
PID:1435

/usr/bin/grep
grep -i "^xfce_desktop_window"
3⤵
PID:1438

/usr/bin/xprop
xprop -root
3⤵
PID:1437

/usr/bin/grep
grep -q "^Enlightenment"
3⤵
PID:1440

/usr/bin/uname
uname
3⤵
PID:1441

/usr/bin/sed
sed "s/:/ /g"
3⤵
PID:1444

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1449

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1448

/usr/bin/head
head -n 1
3⤵
PID:1447

/usr/bin/grep
grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1446

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1454

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1453

/usr/bin/head
head -n 1
3⤵
PID:1452

/usr/bin/grep
grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1451

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1459

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1458

/usr/bin/head
head -n 1
3⤵
PID:1457

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1456

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1464

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1463

/usr/bin/head
head -n 1
3⤵
PID:1462

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1461

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1469

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1468

/usr/bin/head
head -n 1
3⤵
PID:1467

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
3⤵
PID:1466

/usr/bin/sed
sed "s/:/ /g"
2⤵
PID:1472

/usr/bin/sed
sed -e "s|-|/|"
2⤵
PID:1475

/usr/bin/sed
sed -e "s|-|/|"
2⤵
- Reads runtime system information
PID:1478

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1483

/usr/bin/which
which firefox
2⤵
PID:1484

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1487

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1490

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1495

/usr/bin/firefox
/usr/bin/firefox https://workupload.com/file/ve7qmheuGB8
2⤵
PID:1496

/usr/bin/which
which /usr/bin/firefox
3⤵
PID:1497

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox https://workupload.com/file/ve7qmheuGB8
2⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1496

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1540

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1540

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1540

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1540

/usr/lib/firefox/glxtest
/usr/lib/firefox/glxtest -f 13
3⤵
- Enumerates kernel/hardware configuration
PID:1543

/usr/bin/lsb_release
/usr/bin/lsb_release -idrc
3⤵
PID:1555

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1565

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1565

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1565

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1565

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 21838 -prefMapSize 235428 -appDir /usr/lib/firefox/browser "{be07fd5e-64e6-4a88-8bf4-c96219260956}" 1496 true socket
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1577

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20563 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{e224a9b2-f2a7-453d-89bc-668fe9a2c1d8}" 1496 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1662

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 28723 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{5c9358db-cb8f-447f-a912-2baeee7297ac}" 1496 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1711

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 29252 -prefMapSize 235428 -appDir /usr/lib/firefox/browser "{9a2a2a9e-4fd3-4c8f-84c5-5c3ae3aa658a}" 1496 true utility
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1743

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25357 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{6e1ed468-c898-4f6d-bd89-38a78027eb92}" 1496 true tab
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1745

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 25357 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{b73032e7-f788-49ea-bb52-986d68fb0fa7}" 1496 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1753

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 25357 -prefMapSize 235428 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{fa613c65-1f31-40ca-bbe2-5bc29b04360a}" 1496 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1775

/usr/libexec/gvfsd-fuse
/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
1⤵
- Reads runtime system information
PID:1609

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/sniper.zip
1⤵
PID:1802

/usr/local/sbin/file-roller
file-roller /root/Downloads/sniper.zip
1⤵
PID:1802

/usr/local/bin/file-roller
file-roller /root/Downloads/sniper.zip
1⤵
PID:1802

/usr/sbin/file-roller
file-roller /root/Downloads/sniper.zip
1⤵
PID:1802

/usr/bin/file-roller
file-roller /root/Downloads/sniper.zip
1⤵
- Reads runtime system information
PID:1802

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1806

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1806

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1806

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1806

/usr/local/sbin/unzip
unzip -ZTs -- /root/Downloads/sniper.zip
2⤵
PID:1847

/usr/local/bin/unzip
unzip -ZTs -- /root/Downloads/sniper.zip
2⤵
PID:1847

/usr/sbin/unzip
unzip -ZTs -- /root/Downloads/sniper.zip
2⤵
PID:1847

/usr/bin/unzip
unzip -ZTs -- /root/Downloads/sniper.zip
2⤵
PID:1847

/usr/local/sbin/unzip
unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
2⤵
PID:1941

/usr/local/bin/unzip
unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
2⤵
PID:1941

/usr/sbin/unzip
unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
2⤵
PID:1941

/usr/bin/unzip
unzip -d /root/Downloads -o -- /root/Downloads/sniper.zip
2⤵
PID:1941

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/dconf/user
Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/root/Downloads/NFmVUfbF.zip.part
Filesize
8KB

MD5
54208f8b79c3f5a1c111a2671c42474c

SHA1
c7730344a31ba3a46959227524b68f1b61c43fa1

SHA256
207a14f9ef667da3d15ecb7114b6f00afb93a6bb6fca785137e55b2694108a5d

SHA512
ba3a28f18b8cf2a4736f1a3ba58bbc071ef014eaa523ee12c97bcc63f646dedab0196eb103ad085922f0e4f4b6ebd689ce8d7686a1d3f944be133859cda3e486

Download Submit
/root/Downloads/data/alts.txt
Filesize
15KB

MD5
5ef80b4386adc807a34dfdf1fdface84

SHA1
fde50413385f3074cfad37f07809cc52744e5527

SHA256
e89fefb2a6815da89902c46b18b43dd0c01ffaa885a0df7edfd51bd9750b5afc

SHA512
7ed69523a142f5063966a21d14497e3f2e01fc9203bb0767de02f064bbed2bca83679667fffb3a9011743bbde579181bb36f33ce43a71aa8c6ba5db78f52430b

Download Submit
/root/Downloads/data/claimToken.txt
Filesize
71B

MD5
4668499ba3803a40733c16e6194db75f

SHA1
145817933f93de6b6a8fef52fec1f401f4e440b4

SHA256
08e0cc3d64375e4907bf5cdf55a80d5e22608cc31c27df56f4d167bcfc75df76

SHA512
47deec9e811bbdd9c6ad5df09f4ebb9c788b8f31f4748dc553b99479c2f716939fe2c4cd9132130d00fa5f6986de1ebe2abc57c9b37a449e61635ac8d6d6a1de

Download Submit
/root/Downloads/data/config.json
Filesize
940B

MD5
01b4fce3171841995945904498378f5b

SHA1
8cc3b92af1df9a4cb293fc6270ce11bf1575aad5

SHA256
07034d71887a48e8fd30cdd388790dd64c46eb8fb6ac953a5461f165e5d6697f

SHA512
ce28596412a242bf8ccaa8ae3f893ed3c9d80785abaedbabe5de570775bbe3b24e57fccb8066d502a3ba48b6364c8a2ce96f7eb1b9e046faa303d475bce4de6f

Download Submit
/root/Downloads/data/invites.txt
Filesize
118.0MB

MD5
2fd3e55df096125bcc4ef26280950a25

SHA1
d6631a3c19b272332f694a8897f7a368c2c1b1ed

SHA256
c5a7944579fd45f8d31cfba24ac076f45977a8ccb9d8d441510a84df3b638a2f

SHA512
49c493027440323b66438e44eed6c7b0874fd2f43c479ca4b20e25e0d66397f7256604f036c3ddd6be4d45e81ba384b8f52ac45bf68c66929f47163b5cd12660

Download Submit
/root/Downloads/sniper
Filesize
3.1MB

MD5
dca2601f7063962d4db50ef21aaa1865

SHA1
ab5f6d04d01527b1b134df7859781ec4151b5d85

SHA256
44b62fdd1ce8a60931e52976983bac1203056a3827e6376299af66283140cc2d

SHA512
0e76e6152bebd33ff6b4b2561d8b1c08c2bc39af517a6e0c10f5ef4b1b1d0a3f32f462d22033d4d89951dd763c0e7c52bafd918809f7a61de76de1edb1033af0

Download Submit
/root/Downloads/sniper.WtXszY-b.zip.part
Filesize
5.3MB

MD5
cbbc75f7215ebd9acb6783a3c042cbbe

SHA1
d7b5f01fde175ad1d7129c8959fef03bc4c0b3af

SHA256
83011c24984a38fcc9ab7ea0f94f89d65ced89a207da8bd006f70787dc1b2920

SHA512
a011d9b819cf63e0f0b6a3b21fb066bcc6c6429833626a5329bde9074564a9c30bcf01954580bcac2e0999f0a814b4e566fc2f9ba624de26f43d3d584f840108

Download Submit
/tmp/tmpaddon
Filesize
569KB

MD5
30082ae40dc48af6343db2fd22cfc645

SHA1
3eb577555ee638e8beb01173e8f29e172747a728

SHA256
85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76

SHA512
53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c

Download Submit