hxxp://192[.]227[.]232[.]151[:]81/

Analysis

max time kernel
442s
max time network
441s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
21-05-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://192.227.232.151:81/

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

install-latest-yak.shinstall-latest-yak.sh

ioc pid process

/root/Downloads/install-latest-yak.sh 1975 install-latest-yak.sh
/root/Downloads/install-latest-yak.sh 1985 install-latest-yak.sh

ioc	pid	process
/root/Downloads/install-latest-yak.sh	1975	install-latest-yak.sh
/root/Downloads/install-latest-yak.sh	1985	install-latest-yak.sh

Changes its process name 64 IoCs

Processes:

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	gmain	1531
Changes the process name, possibly in an attempt to hide itself	gdbus	1533
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1534
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1536
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1536
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1536
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1540
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1539
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1540
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1539
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1541
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1538
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1538
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1541
Changes the process name, possibly in an attempt to hide itself	Timer	1537
Changes the process name, possibly in an attempt to hide itself	Timer	1537
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1542
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1542
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1544
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1543
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1546
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1546
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1548
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1548
Changes the process name, possibly in an attempt to hide itself	glxtest:disk$0	1549
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1550
Changes the process name, possibly in an attempt to hide itself	Cookie	1551
Changes the process name, possibly in an attempt to hide itself	Cookie	1551
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1552
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1552
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1554
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1553
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1555
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1555
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1556
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1556
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1558
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1558
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1558
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1563
Changes the process name, possibly in an attempt to hide itself	Compositor	1562
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1563
Changes the process name, possibly in an attempt to hide itself	Compositor	1562
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1561
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1560
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1561
Changes the process name, possibly in an attempt to hide itself	Renderer	1559
Changes the process name, possibly in an attempt to hide itself	Renderer	1559
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1560
Changes the process name, possibly in an attempt to hide itself	ImageIO	1564
Changes the process name, possibly in an attempt to hide itself	ImageIO	1564
Changes the process name, possibly in an attempt to hide itself	Permission	1565
Changes the process name, possibly in an attempt to hide itself	Permission	1565
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1568
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1568
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1567
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1567
Changes the process name, possibly in an attempt to hide itself	Breakpad Server	1566
Changes the process name, possibly in an attempt to hide itself	Sandbox Forked	1569
Changes the process name, possibly in an attempt to hide itself	Chroot Helper	1572
Changes the process name, possibly in an attempt to hide itself	gmain	1573
Changes the process name, possibly in an attempt to hide itself	gdbus	1574
Changes the process name, possibly in an attempt to hide itself	pool-/usr/libex	1575
Changes the process name, possibly in an attempt to hide itself	gmain	1579

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

firefox

description ioc process

File opened for reading /proc/cpuinfo firefox

description	ioc	process
File opened for reading	/proc/cpuinfo	firefox

Reads CPU attributes 1 TTPs 20 IoCs

System Information Discovery

T1082

Processes:

firefoxfirefoxfirefoxnautilusfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxnautilusfirefoxfirefoxfirefoxfirefoxfirefox

description	ioc	process
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

glxtestfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxgvfs-mtp-volume-monitorgvfs-gphoto2-volume-monitorfirefoxfirefoxfirefoxfirefoxfirefoxfirefox

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/resource	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus	gvfs-mtp-volume-monitor
File opened for reading	/sys/class	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/class	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	glxtest
File opened for reading	/sys/bus	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	glxtest
File opened for reading	/sys/devices/system/cpu	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	glxtest

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

firefoxgnome-keyring-daemonfirefoxgvfs-goa-volume-monitorfirefoxfirefoxfirefoxfirefoxdbus-daemonfirefoxfirefoxsudosudofirefoxfirefoxfirefoxgvfsd-metadatagnome-terminal-servergvfsd-trashsudoxdg-document-portalsudoxdg-desktop-portalsudobwrapxdg-desktop-portal-gtkfirefoxgvfs-udisks2-volume-monitorgvfs-mtp-volume-monitornautilusdbus-sendgedit

description	ioc	process
File opened for reading	/proc/self/task/1769/stat	firefox
File opened for reading	/proc/1824/status	gnome-keyring-daemon
File opened for reading	/proc/self/fd/121	firefox
File opened for reading	/proc/meminfo	firefox
File opened for reading	/proc/filesystems	gvfs-goa-volume-monitor
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/1824/cmdline	dbus-daemon
File opened for reading	/proc/1412/attr/current	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/fd/35	firefox
File opened for reading	/proc/self/task/1723/stat	firefox
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/1398/cmdline	dbus-daemon
File opened for reading	/proc/self/fd	firefox
File opened for reading	/proc/self/fd/125	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	gnome-keyring-daemon
File opened for reading	/proc/1610/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/81	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/fd/104	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/self/fd/116	firefox
File opened for reading	/proc/filesystems	gvfsd-metadata
File opened for reading	/proc/self/task/2273/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/1922/cmdline	dbus-daemon
File opened for reading	/proc/1958/cgroup	gnome-terminal-server
File opened for reading	/proc/self/mountinfo	gvfsd-trash
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	xdg-document-portal
File opened for reading	/proc/self/fd/53	firefox
File opened for reading	/proc/self/fd/96	firefox
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/fd/58	firefox
File opened for reading	/proc/1527/root	xdg-desktop-portal
File opened for reading	/proc/1867/cmdline	dbus-daemon
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/1582/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/79	firefox
File opened for reading	/proc/1844/cmdline	dbus-daemon
File opened for reading	/proc/sys/kernel/overflowgid	bwrap
File opened for reading	/proc/filesystems	xdg-desktop-portal-gtk
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/mountinfo	gvfs-udisks2-volume-monitor
File opened for reading	/proc/filesystems	gvfs-mtp-volume-monitor
File opened for reading	/proc/filesystems	nautilus
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/1860/cmdline	dbus-daemon
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/fd/36	firefox
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/filesystems	gedit

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

firefoxnautilus

description	ioc	process
File opened for modification	/tmp/firefox/.parentlock	firefox
File opened for modification	/tmp/Nyr55Q3N.sh	firefox
File opened for modification	/tmp/2NFIBGho.bmp	firefox
File opened for modification	/tmp/tmpaddon	firefox
File opened for modification	/tmp/flatpak-seccomp-Y5JTN2	nautilus

/usr/bin/xdg-open
xdg-open http://192.227.232.151:81/
1⤵
PID:1397

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
2⤵
PID:1398

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
3⤵
PID:1399

/usr/bin/dbus-daemon
/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
4⤵
- Reads runtime system information
PID:1401

/usr/libexec/xdg-desktop-portal
/usr/libexec/xdg-desktop-portal
5⤵
- Reads runtime system information
PID:1571

/usr/libexec/xdg-document-portal
/usr/libexec/xdg-document-portal
5⤵
- Reads runtime system information
PID:1577

/usr/libexec/xdg-permission-store
/usr/libexec/xdg-permission-store
5⤵
PID:1582

/usr/libexec/xdg-desktop-portal-gtk
/usr/libexec/xdg-desktop-portal-gtk
5⤵
- Reads runtime system information
PID:1597

/usr/libexec/gvfsd
/usr/libexec/gvfsd
5⤵
PID:1603

/usr/libexec/gvfsd-trash
/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
6⤵
- Reads runtime system information
PID:1630

/usr/libexec/dconf-service
/usr/libexec/dconf-service
5⤵
PID:1621

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
5⤵
- Reads CPU attributes
PID:1626

/usr/bin/gnome-keyring-daemon
/usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
5⤵
- Reads runtime system information
PID:1824

/usr/libexec/gvfs-udisks2-volume-monitor
/usr/libexec/gvfs-udisks2-volume-monitor
5⤵
- Reads runtime system information
PID:1832

/usr/libexec/gvfs-afc-volume-monitor
/usr/libexec/gvfs-afc-volume-monitor
5⤵
PID:1838

/usr/libexec/gvfs-mtp-volume-monitor
/usr/libexec/gvfs-mtp-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1844

/usr/libexec/gvfs-gphoto2-volume-monitor
/usr/libexec/gvfs-gphoto2-volume-monitor
5⤵
- Enumerates kernel/hardware configuration
PID:1849

/usr/libexec/gvfs-goa-volume-monitor
/usr/libexec/gvfs-goa-volume-monitor
5⤵
- Reads runtime system information
PID:1854

/usr/libexec/goa-daemon
/usr/libexec/goa-daemon
5⤵
PID:1860

/usr/libexec/goa-identity-service
/usr/libexec/goa-identity-service
5⤵
PID:1867

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
5⤵
- Reads CPU attributes
- Reads runtime system information
- Writes file to tmp directory
PID:1909

/usr/local/sbin/bwrap
bwrap --ro-bind /usr /usr --ro-bind /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-3NJTN2 /tmp --ro-bind /root/Downloads/resZZTyRQ.bmp /tmp/resZZTyRQ.bmp --seccomp 26 /usr/bin/gdk-pixbuf-thumbnailer -s 256 file:///tmp/resZZTyRQ.bmp /tmp/gnome-desktop-thumbnailer.png
6⤵
PID:1917

/usr/local/bin/bwrap
bwrap --ro-bind /usr /usr --ro-bind /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-3NJTN2 /tmp --ro-bind /root/Downloads/resZZTyRQ.bmp /tmp/resZZTyRQ.bmp --seccomp 26 /usr/bin/gdk-pixbuf-thumbnailer -s 256 file:///tmp/resZZTyRQ.bmp /tmp/gnome-desktop-thumbnailer.png
6⤵
PID:1917

/usr/sbin/bwrap
bwrap --ro-bind /usr /usr --ro-bind /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-3NJTN2 /tmp --ro-bind /root/Downloads/resZZTyRQ.bmp /tmp/resZZTyRQ.bmp --seccomp 26 /usr/bin/gdk-pixbuf-thumbnailer -s 256 file:///tmp/resZZTyRQ.bmp /tmp/gnome-desktop-thumbnailer.png
6⤵
PID:1917

/usr/bin/bwrap
bwrap --ro-bind /usr /usr --ro-bind /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-3NJTN2 /tmp --ro-bind /root/Downloads/resZZTyRQ.bmp /tmp/resZZTyRQ.bmp --seccomp 26 /usr/bin/gdk-pixbuf-thumbnailer -s 256 file:///tmp/resZZTyRQ.bmp /tmp/gnome-desktop-thumbnailer.png
6⤵
- Reads runtime system information
PID:1917

/usr/bin/gdk-pixbuf-thumbnailer
/usr/bin/gdk-pixbuf-thumbnailer -s 256 file:///tmp/resZZTyRQ.bmp /tmp/gnome-desktop-thumbnailer.png
7⤵
PID:1920

/usr/bin/gedit
/usr/bin/gedit --gapplication-service
5⤵
PID:1922

/usr/libexec/gvfsd-metadata
/usr/libexec/gvfsd-metadata
5⤵
- Reads runtime system information
PID:1930

/usr/bin/gedit
/usr/bin/gedit --gapplication-service
5⤵
- Reads runtime system information
PID:1940

/usr/libexec/gnome-terminal-server
/usr/libexec/gnome-terminal-server
5⤵
- Reads runtime system information
PID:1958

/bin/bash
bash
6⤵
PID:1964

/usr/bin/groups
groups
7⤵
PID:1965

/usr/bin/lesspipe
lesspipe
7⤵
PID:1966

/usr/bin/basename
basename /usr/bin/lesspipe
8⤵
PID:1967

/usr/bin/dirname
dirname /usr/bin/lesspipe
8⤵
PID:1969

/usr/bin/dircolors
dircolors -b
7⤵
PID:1970

/usr/bin/ls
ls "--color=auto"
7⤵
PID:1972

/root/Downloads/install-latest-yak.sh
./install-latest-yak.sh
7⤵
- Executes dropped EXE
PID:1975

/usr/bin/sudo
sudo ./install-latest-yak.sh
7⤵
- Reads runtime system information
PID:1977

/usr/bin/sudo
sudo install-latest-yak.sh
7⤵
- Reads runtime system information
PID:1979

/usr/bin/sudo
sudo execinstall-latest-yak.sh
7⤵
- Reads runtime system information
PID:1980

/usr/bin/sudo
sudo exec install-latest-yak.sh
7⤵
PID:1981

/usr/bin/sudo
sudo .install-latest-yak.sh
7⤵
- Reads runtime system information
PID:1982

/root/Downloads/install-latest-yak.sh
/root/Downloads/install-latest-yak.sh
7⤵
- Executes dropped EXE
PID:1985

/usr/bin/sudo
sudo /root/Downloads/install-latest-yak.sh
7⤵
- Reads runtime system information
PID:1998

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
2⤵
PID:1414

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
2⤵
PID:1413

/usr/bin/grep
grep -i "^xfce_desktop_window"
2⤵
PID:1416

/usr/bin/xprop
xprop -root
2⤵
PID:1415

/usr/bin/grep
grep -q "^Enlightenment"
2⤵
PID:1418

/usr/bin/uname
uname
2⤵
PID:1419

/usr/bin/grep
grep -q "^file://"
2⤵
PID:1421

/usr/bin/egrep
egrep -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1423

/usr/local/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1423

/usr/local/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1423

/usr/sbin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1423

/usr/bin/grep
grep -E -q "^[[:alpha:]+\\.\\-]+:"
2⤵
PID:1423

/usr/bin/sed
sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
2⤵
PID:1426

/usr/bin/xdg-mime
xdg-mime query default x-scheme-handler/http
2⤵
PID:1427

/usr/bin/dbus-send
dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
3⤵
- Reads runtime system information
PID:1428

/usr/bin/dbus-launch
dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
4⤵
PID:1429

/usr/bin/grep
grep " = \\\"xfce4\\\"\$"
3⤵
PID:1431

/usr/bin/xprop
xprop -root _DT_SAVE_MODE
3⤵
PID:1430

/usr/bin/grep
grep -i "^xfce_desktop_window"
3⤵
PID:1433

/usr/bin/xprop
xprop -root
3⤵
PID:1432

/usr/bin/grep
grep -q "^Enlightenment"
3⤵
PID:1435

/usr/bin/uname
uname
3⤵
PID:1436

/usr/bin/sed
sed "s/:/ /g"
3⤵
PID:1439

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1444

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1443

/usr/bin/head
head -n 1
3⤵
PID:1442

/usr/bin/grep
grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1441

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1449

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1448

/usr/bin/head
head -n 1
3⤵
PID:1447

/usr/bin/grep
grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
3⤵
PID:1446

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1454

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1453

/usr/bin/head
head -n 1
3⤵
PID:1452

/usr/bin/grep
grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1451

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1459

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1458

/usr/bin/head
head -n 1
3⤵
PID:1457

/usr/bin/grep
grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
3⤵
PID:1456

/usr/bin/cut
cut -d ";" -f 1
3⤵
PID:1464

/usr/bin/cut
cut -d "=" -f 2
3⤵
PID:1463

/usr/bin/head
head -n 1
3⤵
PID:1462

/usr/bin/grep
grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
3⤵
PID:1461

/usr/bin/sed
sed "s/:/ /g"
2⤵
PID:1467

/usr/bin/sed
sed -e "s|-|/|"
2⤵
PID:1470

/usr/bin/sed
sed -e "s|-|/|"
2⤵
PID:1473

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1478

/usr/bin/which
which firefox
2⤵
PID:1479

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1482

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1485

/usr/bin/cut
cut "-d=" -f 2-
2⤵
PID:1519

/usr/bin/firefox
/usr/bin/firefox http://192.227.232.151:81/
2⤵
PID:1527

/usr/bin/which
which /usr/bin/firefox
3⤵
PID:1528

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox http://192.227.232.151:81/
2⤵
- Checks CPU configuration
- Reads CPU attributes
- Reads runtime system information
- Writes file to tmp directory
PID:1527

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1532

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1532

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1532

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1532

/usr/lib/firefox/glxtest
/usr/lib/firefox/glxtest -f 13
3⤵
- Enumerates kernel/hardware configuration
PID:1535

/usr/bin/lsb_release
/usr/bin/lsb_release -idrc
3⤵
PID:1547

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1557

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1557

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1557

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
3⤵
PID:1557

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 20597 -prefMapSize 234708 -appDir /usr/lib/firefox/browser "{0eea513c-10ae-4310-9352-9f41ebc0e65d}" 1527 true socket
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1569

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20206 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{51e0787f-d77f-40f0-b1aa-fb4cb621c96c}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1646

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 28644 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{20196e2a-f447-4fa3-b20e-055743945bd5}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1691

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 29335 -prefMapSize 234708 -appDir /usr/lib/firefox/browser "{acebcedb-c0a2-4577-8eef-bcfed62c4f54}" 1527 true utility
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1721

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25826 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{f5c1c81d-aa42-459b-8a9e-72821738dbcf}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1722

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 25826 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{0b70ad3f-2435-4318-b2b2-1a05b6481257}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1744

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 25969 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{f5b3e52f-da4b-4cc3-bb7c-9c92cce655ae}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1762

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 25969 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{f8cd8792-32ca-4f2b-96a7-e2640a0e7ca3}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1765

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 25969 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{691d00be-b56e-44c3-9bc3-90c10188d425}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1799

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 8 -isForBrowser -prefsLen 28813 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{55cfcb02-b27b-4aa8-a30e-b72a6c167d47}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2126

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 9 -isForBrowser -prefsLen 28813 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{8fe820c5-1bb3-41cd-a8b4-8ae08dfe83ce}" 1527 true tab
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:2156

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 10 -isForBrowser -prefsLen 28813 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{9ff60a0e-2b84-4230-8d21-2dfac5a4b146}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2194

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 11 -isForBrowser -prefsLen 28937 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{cc081c7b-fd69-4740-8766-80a2dc71891e}" 1527 true tab
3⤵
- Reads CPU attributes
PID:2253

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 12 -isForBrowser -prefsLen 33139 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{367631a6-99f0-4426-a07c-2d6ac4ac2bbe}" 1527 true tab
3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2270

/usr/libexec/gvfsd-fuse
/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
1⤵
PID:1610

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.bash_history
Filesize
262B

MD5
43022a0fa34d1c6b89c0d15c23a55d5b

SHA1
5ae241415286275b6780c28ef50a69f445ea7e13

SHA256
fad8f24c896129923a07881a124cb6c909e24d4bc73952d423ea1cdb55cbdc8d

SHA512
341771f3532c7bfb0ab0eb8558cdb98713fd055eb18f1ef5ae1355f0b136b538508f78cbffea0cad68cb29cfd3b83e4dd02f920f28c92794d9eb180eed7b0069

Download Submit
/root/.cache/dconf/user
Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/root/.cache/thumbnails/fail/gnome-thumbnail-factory/ae72ca3b3a5e25dee949419147dcbbbb.png.U69UN2
Filesize
222B

MD5
645f7acacaa3539ec0e3a7a94967e56f

SHA1
bf4f67e6c4d198d245168bae282d882ccf785293

SHA256
6ab4da284a54130ceb376decc249e47db13c39cf036b2fdbe0892d660f951ba2

SHA512
57fb5416c21484967288337fe19dbf874ddae98754dff352b407b24918eda776c00303d8e0b115fb7f3fa00f943b883b3817830950be47788896c9d91a4ab90c

Download Submit
/root/.config/gedit/accels
Filesize
102B

MD5
44ca9eff853cd7a8f9c1ba0bcf0c9064

SHA1
f09dcf877fcf2329996584d6b07b062c383283de

SHA256
6a1e573c0068dc87d4f0fbe6782d0a253dd60b9f37b7f6c5c4d6c72547f16c05

SHA512
3e7ccb1086dbaf64b48a389fd247981f4e20c577f8466b75c84484ef8aa5befb4f71f87f05c5ade91b89f8a860a83144bc36eed6fbe0fa91d47cbbb2d2beeea6

Download Submit
/root/.local/share/gvfs-metadata/home-56821165.log.SZXZN2
Filesize
32KB

MD5
4d63038c59ddaa416050237ec5a228ab

SHA1
9ec4530499df320591c01f0d50469ef65672f312

SHA256
7b7e5b5ae8e5ea5f6c14ae12c2440e88d5579af731ad6f4fee239fd623f6abdb

SHA512
98a1ee02605c9722e36ec09f09246354fbc055d4009e0074dd4beb9eb63839ed5e4b76d3143e48ce0e7b484d2a0ded0f2fabcd5da5849c3e124e231c05af2c23

Download Submit
/root/Downloads/2NFIBGho.bmp.part
Filesize
1.8MB

MD5
ff37343c299dc8d5530b7407dd594c8d

SHA1
7e526e35ffdeeb91e1b646f8d49c9a0a4f80885d

SHA256
b0200b9f7c9f9fb9eab97717c091a0fd53a608d559050088fcaa18f7d7b1bb78

SHA512
d88871af5c7d952b42f5f22d455d551bcef316ded16b66026d54c2b0795db5a8de2ca512a906a63e01461d35e9b4d8e74cce33a4ebbc6702ccfa49448c255fce

Download Submit
/root/Downloads/Nyr55Q3N.sh.part
Filesize
1KB

MD5
6fdc025141c235838e396e1f3274a138

SHA1
d32ffb9d701fea25469b9cbaf14f04f1e89fc27c

SHA256
9c4b111ef0c0ccb23bbd1afc2c0620783ddc932e9ec3d6696c505b1ce4f25994

SHA512
e526c2453f55096e32ac9e0f496618bfb4393352cfe909937b75f601e237f6bc8c5074c2d2c3d851bd8fdab77394b8a5d0c4c73b5f66c86c2bce43ed89f12195

Download Submit
/root/Downloads/resZZTyRQ.F1nOT4KO.bmp.part
Filesize
3.1MB

MD5
101801960856b49c4428123011952c9d

SHA1
e695874e3f36de610348def91431ce9d40013b84

SHA256
23be596bc7d1832621fda9f5804a6c022ad436acb01c2e172cd3b98338734dfb

SHA512
f9f0eed9a79fc9ae643452ac1680f8c6cb209e7ded21fde7aca1adabb573ec67e12ced3529e4b61fa6bb54778c8714f4691af1ded4711be5842c7e9e38f15e9d

Download Submit
/tmp/flatpak-seccomp-Y5JTN2
Filesize
496B

MD5
6329a7d4e4361fa39ed514f8be2ff9ec

SHA1
fbcd9019ea592fafb28961c384b8847e0f64d6e8

SHA256
eb2fd18f927deec1fad9452265e5085689f24e925e71ee933aa46d8a57546c46

SHA512
2fa5728ba700f350e2c44151b489febfab157aba4d75cb4d3c808c383c071cada82d75b16402237d8c158a019dc45ada56c2471313ebd97a253f7bbb655eafea

Download Submit
/tmp/tmpaddon
Filesize
569KB

MD5
30082ae40dc48af6343db2fd22cfc645

SHA1
3eb577555ee638e8beb01173e8f29e172747a728

SHA256
85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76

SHA512
53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c

Download Submit