hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Score

6^/10

antivm

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

79 raw.githubusercontent.com
80 raw.githubusercontent.com
84 raw.githubusercontent.com
77 raw.githubusercontent.com
78 raw.githubusercontent.com

flow	ioc
79	raw.githubusercontent.com
80	raw.githubusercontent.com
84	raw.githubusercontent.com
77	raw.githubusercontent.com
78	raw.githubusercontent.com

Changes its process name 64 IoCs

Processes:

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	gmain	1533
Changes the process name, possibly in an attempt to hide itself	gdbus	1535
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1536
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1538
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1538
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1538
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1544
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1544
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1543
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1543
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1542
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1542
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1541
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1541
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1540
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1540
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1546
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1545
Changes the process name, possibly in an attempt to hide itself	Timer	1539
Changes the process name, possibly in an attempt to hide itself	Timer	1539
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1548
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1548
Changes the process name, possibly in an attempt to hide itself	glxtest:disk$0	1550
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1551
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1551
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1552
Changes the process name, possibly in an attempt to hide itself	Cookie	1553
Changes the process name, possibly in an attempt to hide itself	Cookie	1553
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1554
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1554
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1556
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1555
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1557
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1557
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1558
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1558
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1560
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1560
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1560
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1565
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1565
Changes the process name, possibly in an attempt to hide itself	Compositor	1564
Changes the process name, possibly in an attempt to hide itself	Compositor	1564
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1563
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1563
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1562
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1562
Changes the process name, possibly in an attempt to hide itself	Renderer	1561
Changes the process name, possibly in an attempt to hide itself	Renderer	1561
Changes the process name, possibly in an attempt to hide itself	ImageIO	1566
Changes the process name, possibly in an attempt to hide itself	ImageIO	1566
Changes the process name, possibly in an attempt to hide itself	Permission	1567
Changes the process name, possibly in an attempt to hide itself	Permission	1567
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1570
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1570
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1569
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1569
Changes the process name, possibly in an attempt to hide itself	Breakpad Server	1568
Changes the process name, possibly in an attempt to hide itself	Sandbox Forked	1571
Changes the process name, possibly in an attempt to hide itself	Chroot Helper	1574
Changes the process name, possibly in an attempt to hide itself	gmain	1575
Changes the process name, possibly in an attempt to hide itself	gdbus	1576
Changes the process name, possibly in an attempt to hide itself	pool-/usr/libex	1577
Changes the process name, possibly in an attempt to hide itself	gmain	1581

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

firefox

description ioc process

File opened for reading /proc/cpuinfo firefox

description	ioc	process
File opened for reading	/proc/cpuinfo	firefox

Reads CPU attributes 1 TTPs 12 IoCs

System Information Discovery

T1082

Processes:

firefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxnautilus

description	ioc	process
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

firefoxgvfs-mtp-volume-monitorgvfs-gphoto2-volume-monitorglxtestfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxdbus-daemonfirefox

description	ioc	process
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/class	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/irq	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/irq	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	glxtest
File opened for reading	/sys/bus/pci/devices	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	glxtest

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

dbus-sendfirefoxfirefoxdbus-daemongvfsdfirefoxfirefoxsedfile-rollerglxtestfile-rollergvfsd-trashsedsedfirefoxfile-rollerfirefoxgvfs-udisks2-volume-monitorgvfs-gphoto2-volume-monitorfirefoxxdg-desktop-portalxdg-desktop-portal-gtk

description	ioc	process
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/fd/110	firefox
File opened for reading	/proc/1919/cmdline	dbus-daemon
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/32	firefox
File opened for reading	/proc/self/fd	gvfsd
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd/12	firefox
File opened for reading	/proc/self/fd	file-roller
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/1830/cmdline	dbus-daemon
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/filesystems	glxtest
File opened for reading	/proc/self/fd/116	firefox
File opened for reading	/proc/filesystems	file-roller
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/1843/cmdline	dbus-daemon
File opened for reading	/proc/self/fd	file-roller
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/filesystems	gvfsd-trash
File opened for reading	/proc/self/fd/121	firefox
File opened for reading	/proc/self/task/1738/stat	firefox
File opened for reading	/proc/1866/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/fd	firefox
File opened for reading	/proc/1529/cmdline	dbus-daemon
File opened for reading	/proc/1573/cmdline	dbus-daemon
File opened for reading	/proc/self/task/1654/stat	firefox
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/filesystems	file-roller
File opened for reading	/proc/self/fd	file-roller
File opened for reading	/proc/1584/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/1579/cmdline	dbus-daemon
File opened for reading	/proc/self/task/1691/stat	firefox
File opened for reading	/proc/self/fd/114	firefox
File opened for reading	/proc/1/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/1603/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/56	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	gvfs-udisks2-volume-monitor
File opened for reading	/proc/filesystems	gvfs-gphoto2-volume-monitor
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/mountinfo	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/self/fd/111	firefox
File opened for reading	/proc/self/fd/118	firefox
File opened for reading	/proc/self/fd/119	firefox
File opened for reading	/proc/self/fd/124	firefox
File opened for reading	/proc/self/task/1740/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	xdg-desktop-portal
File opened for reading	/proc/filesystems	xdg-desktop-portal-gtk
File opened for reading	/proc/self/fd/97	firefox

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

firefox

description	ioc	process
File opened for modification	/tmp/i-pwdD3l.exe	firefox
File opened for modification	/tmp/firefox/.parentlock	firefox
File opened for modification	/tmp/YeXfeRwo.exe	firefox
File opened for modification	/tmp/tmpaddon	firefox
File opened for modification	/tmp/Tn6p244I.exe	firefox

/usr/bin/xdg-open
xdg-open https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
1⤵
PID:1441

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
2⤵
- Reads runtime system information
PID:1442

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
3⤵
PID:1443

/usr/bin/dbus-daemon
/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1445

/usr/libexec/xdg-desktop-portal
/usr/libexec/xdg-desktop-portal
5⤵
- Reads runtime system information
PID:1573

/usr/libexec/xdg-document-portal
/usr/libexec/xdg-document-portal
5⤵
PID:1579

/usr/libexec/xdg-permission-store
/usr/libexec/xdg-permission-store
5⤵
PID:1584

/usr/libexec/xdg-desktop-portal-gtk
/usr/libexec/xdg-desktop-portal-gtk
5⤵
- Reads runtime system information
PID:1594

/usr/libexec/gvfsd
/usr/libexec/gvfsd
5⤵
- Reads runtime system information
PID:1598

/usr/libexec/gvfsd-trash
/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
6⤵
- Reads runtime system information
PID:1630

/usr/libexec/dconf-service
/usr/libexec/dconf-service
5⤵
PID:1621

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
5⤵
- Reads CPU attributes
PID:1627

/usr/bin/gnome-keyring-daemon
/usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
5⤵
PID:1821

/usr/libexec/gvfs-udisks2-volume-monitor
/usr/libexec/gvfs-udisks2-volume-monitor
5⤵
- Reads runtime system information
PID:1830

/usr/libexec/gvfs-afc-volume-monitor
/usr/libexec/gvfs-afc-volume-monitor
5⤵
PID:1836

/usr/libexec/gvfs-mtp-volume-monitor
/usr/libexec/gvfs-mtp-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
PID:1843

/usr/libexec/gvfs-gphoto2-volume-monitor
/usr/libexec/gvfs-gphoto2-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1848

/usr/libexec/gvfs-goa-volume-monitor
/usr/libexec/gvfs-goa-volume-monitor
5⤵
PID:1853

/usr/libexec/goa-daemon
/usr/libexec/goa-daemon
5⤵
PID:1859

/usr/libexec/goa-identity-service
/usr/libexec/goa-identity-service
5⤵
PID:1866

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
2⤵
PID:1449

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
2⤵
PID:1448

/usr/bin/grep
grep -i "^xfce_desktop_window"
2⤵
PID:1451

/usr/bin/xprop
xprop -root
2⤵
PID:1450

/usr/bin/grep
grep -q "^Enlightenment"
2⤵
PID:1453

/usr/bin/uname
uname
2⤵
PID:1454

/usr/bin/grep
grep -q "^file://"
2⤵
PID:1456

/usr/bin/egrep
egrep -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1458

/usr/local/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1458

/usr/local/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1458

/usr/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1458

/usr/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1458

/usr/bin/sed
sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
2⤵
PID:1461

/usr/bin/xdg-mime
xdg-mime query default x-scheme-handler/https
2⤵
PID:1462

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
3⤵
PID:1463

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
4⤵
PID:1464

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
3⤵
PID:1466

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
3⤵
PID:1465

/usr/bin/xprop
xprop -root
3⤵
PID:1467

/usr/bin/grep
grep -i "^xfce_desktop_window"
3⤵
PID:1468

/usr/bin/grep
grep -q "^Enlightenment"
3⤵
PID:1470

/usr/bin/uname
uname
3⤵
PID:1471

/usr/bin/sed
sed "s/:/ /g"
3⤵
PID:1474

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1479

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1478

/usr/bin/head
head -n 1
3⤵
PID:1477

/usr/bin/grep
grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1476

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1484

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1483

/usr/bin/head
head -n 1
3⤵
PID:1482

/usr/bin/grep
grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1481

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1489

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1488

/usr/bin/head
head -n 1
3⤵
PID:1487

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1486

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1494

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1493

/usr/bin/head
head -n 1
3⤵
PID:1492

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1491

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1499

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1498

/usr/bin/head
head -n 1
3⤵
PID:1497

/usr/bin/grep
grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
3⤵
PID:1496

/usr/bin/sed
sed "s/:/ /g"
2⤵
- Reads runtime system information
PID:1502

/usr/bin/sed
sed -e "s|-|/|"
2⤵
- Reads runtime system information
PID:1505

/usr/bin/sed
sed -e "s|-|/|"
2⤵
- Reads runtime system information
PID:1508

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1513

/usr/bin/which
which firefox
2⤵
PID:1514

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1517

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1520

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1525

/usr/bin/firefox
/usr/bin/firefox https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
2⤵
PID:1529

/usr/bin/which
which /usr/bin/firefox
3⤵
PID:1530

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
2⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1529

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1534

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1534

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1534

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1534

/usr/lib/firefox/glxtest
/usr/lib/firefox/glxtest -f 13
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1537

/usr/bin/lsb_release
/usr/bin/lsb_release -idrc
3⤵
PID:1549

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1559

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1559

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1559

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1559

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 21691 -prefMapSize 235269 -appDir /usr/lib/firefox/browser "{a02775ee-407c-4d10-a2bb-fdc7ce78714f}" 1529 true socket
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1571

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20430 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{11120b21-50e4-4656-8eb2-82a2fb49ac36}" 1529 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1644

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 28535 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{1dac91d6-5f64-4282-9d6f-89de3272d4ed}" 1529 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1688

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 29320 -prefMapSize 235269 -appDir /usr/lib/firefox/browser "{d7e5c226-1556-41d9-ac84-2b8f5582de7f}" 1529 true utility
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1721

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25584 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{b5a949d5-3eb6-4567-91f8-e5017bd938cd}" 1529 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1729

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 25584 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{dce79d6e-6ed2-4c6e-8a92-bfa3d910b3cc}" 1529 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1730

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 25584 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{18af63d6-779d-4fc9-badf-f25751b401ba}" 1529 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1733

/usr/libexec/gvfsd-fuse
/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
1⤵
PID:1603

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1809

/usr/local/sbin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1809

/usr/local/bin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1809

/usr/sbin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1809

/usr/bin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
- Reads runtime system information
PID:1809

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1813

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1813

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1813

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1813

/usr/local/sbin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1837

/usr/local/bin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1837

/usr/sbin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1837

/usr/bin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1837

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1905

/usr/local/sbin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1905

/usr/local/bin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1905

/usr/sbin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
PID:1905

/usr/bin/file-roller
file-roller /root/Downloads/MEMZ.exe
1⤵
- Reads runtime system information
PID:1905

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1909

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1909

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1909

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1909

/usr/local/sbin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1912

/usr/local/bin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1912

/usr/sbin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1912

/usr/bin/unzip
unzip -ZTs -- /root/Downloads/MEMZ.exe
2⤵
PID:1912

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/TaskILL.exe
1⤵
PID:1919

/usr/local/sbin/file-roller
file-roller /root/Downloads/TaskILL.exe
1⤵
PID:1919

/usr/local/bin/file-roller
file-roller /root/Downloads/TaskILL.exe
1⤵
PID:1919

/usr/sbin/file-roller
file-roller /root/Downloads/TaskILL.exe
1⤵
PID:1919

/usr/bin/file-roller
file-roller /root/Downloads/TaskILL.exe
1⤵
- Reads runtime system information
PID:1919

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1923

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1923

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1923

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1923

/usr/local/sbin/unzip
unzip -ZTs -- /root/Downloads/TaskILL.exe
2⤵
PID:1926

/usr/local/bin/unzip
unzip -ZTs -- /root/Downloads/TaskILL.exe
2⤵
PID:1926

/usr/sbin/unzip
unzip -ZTs -- /root/Downloads/TaskILL.exe
2⤵
PID:1926

/usr/bin/unzip
unzip -ZTs -- /root/Downloads/TaskILL.exe
2⤵
PID:1926

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/dconf/user
Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/root/Downloads/YeXfeRwo.exe.part
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
/root/Downloads/i-pwdD3l.exe.part
Filesize
31KB

MD5
c261c6e3332d0d515c910bbf3b93aab3

SHA1
ff730b6b2726240df4b2f0db96c424c464c65c17

SHA256
4663715548c70eec7e9cbf272171493d47a75d2652e38cca870412ea9e749fe9

SHA512
a93bd7b1d809493917e0999d4030cb53ab7789c65f6b87e1bbac27bd8b3ad2aeb92dec0a69369c04541f5572a78f04d8dfba900624cf5bd82d7558f24d0a8e26

Download Submit
/tmp/tmpaddon
Filesize
569KB

MD5
30082ae40dc48af6343db2fd22cfc645

SHA1
3eb577555ee638e8beb01173e8f29e172747a728

SHA256
85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76

SHA512
53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads