hxxps://www[.]surveymonkey[.]com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnTztl0qK8tjedG5spADp9S8s46J_2BQUlokjVRnQ3_2BxA9RYERIXPceFygvo72KmUAGOx_2B_2F_2B4hOB1YeXxOD3dpQt_2BoFl63vUL3yGQdJEKeXQNYyYZMBmxw48t2_2BesDsizChsedfW60dYYTzQTyLsXglfyC_2BaXQNEjHkLHsOMhZhjq5a0

General

Target

https://www.surveymonkey.com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnTztl0qK8tjedG5spADp9S8s46J_2BQUlokjVRnQ3_2BxA9RYERIXPceFygvo72KmUAGOx_2B_2F_2B4hOB1YeXxOD3dpQt_2BoFl63vUL3yGQdJEKeXQNYyYZMBmxw48t2_2BesDsizChsedfW60dYYTzQTyLsXglfyC_2BaXQNEjHkLHsOMhZhjq5a0

Score

4^/10

antivm

Malware Config

Signatures

Changes its process name 64 IoCs

Processes:

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	gmain	1470
Changes the process name, possibly in an attempt to hide itself	gdbus	1476
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1477
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1479
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1479
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1479
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1484
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1483
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1482
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1483
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1484
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1482
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1481
Changes the process name, possibly in an attempt to hide itself	Timer	1480
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1481
Changes the process name, possibly in an attempt to hide itself	Timer	1480
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1485
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1485
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1487
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1486
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1489
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1489
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1491
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1491
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1492
Changes the process name, possibly in an attempt to hide itself	Cookie	1493
Changes the process name, possibly in an attempt to hide itself	Cookie	1493
Changes the process name, possibly in an attempt to hide itself	glxtest:disk$0	1494
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1495
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1495
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1497
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1496
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1498
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1498
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1499
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1499
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1501
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1501
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1501
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1503
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1506
Changes the process name, possibly in an attempt to hide itself	Compositor	1505
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1504
Changes the process name, possibly in an attempt to hide itself	Compositor	1505
Changes the process name, possibly in an attempt to hide itself	Renderer	1502
Changes the process name, possibly in an attempt to hide itself	Renderer	1502
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1503
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1504
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1506
Changes the process name, possibly in an attempt to hide itself	ImageIO	1507
Changes the process name, possibly in an attempt to hide itself	ImageIO	1507
Changes the process name, possibly in an attempt to hide itself	Permission	1508
Changes the process name, possibly in an attempt to hide itself	Permission	1508
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1511
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1511
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1510
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1510
Changes the process name, possibly in an attempt to hide itself	Breakpad Server	1509
Changes the process name, possibly in an attempt to hide itself	Sandbox Forked	1512
Changes the process name, possibly in an attempt to hide itself	Chroot Helper	1513
Changes the process name, possibly in an attempt to hide itself	gmain	1517
Changes the process name, possibly in an attempt to hide itself	gdbus	1518
Changes the process name, possibly in an attempt to hide itself	pool-/usr/libex	1519
Changes the process name, possibly in an attempt to hide itself	gmain	1522

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

firefox

description ioc process

File opened for reading /proc/cpuinfo firefox

description	ioc	process
File opened for reading	/proc/cpuinfo	firefox

Reads CPU attributes 1 TTPs 12 IoCs

System Information Discovery

T1082

Processes:

nautilusfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefoxfirefox

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

glxtestgvfs-gphoto2-volume-monitorfirefoxfirefoxfirefoxfirefoxgvfs-mtp-volume-monitorfirefoxfirefoxfirefoxfirefoxdbus-daemon

description	ioc	process
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	glxtest
File opened for reading	/sys/bus	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	glxtest
File opened for reading	/sys/class	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	glxtest
File opened for reading	/sys/bus/usb/devices	gvfs-mtp-volume-monitor

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

dconf-servicefirefoxxdg-permission-storefirefoxfirefoxfirefoxfirefoxdbus-daemonfirefoxgnome-keyring-daemongoa-daemongvfs-udisks2-volume-monitorxdg-document-portalgvfs-afc-volume-monitorgvfs-goa-volume-monitorxdg-desktop-portal-gtkfirefoxxdg-desktop-portalfirefoxgvfs-mtp-volume-monitorgvfsdgvfsd-trashnautilusgvfs-gphoto2-volume-monitor

description	ioc	process
File opened for reading	/proc/cmdline	dconf-service
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/filesystems	xdg-permission-store
File opened for reading	/proc/self/cgroup	firefox
File opened for reading	/proc/self/fd/66	firefox
File opened for reading	/proc/self/task/1710/stat	firefox
File opened for reading	/proc/self/task/1597/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/75	firefox
File opened for reading	/proc/self/fd/125	firefox
File opened for reading	/proc/self/fd/132	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/1475/status	dbus-daemon
File opened for reading	/proc/self/fd/35	firefox
File opened for reading	/proc/1575/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/96	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	gnome-keyring-daemon
File opened for reading	/proc/1727/status	gnome-keyring-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	goa-daemon
File opened for reading	/proc/1/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/fd/105	firefox
File opened for reading	/proc/1743/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/53	firefox
File opened for reading	/proc/filesystems	xdg-document-portal
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/1421/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	gvfs-afc-volume-monitor
File opened for reading	/proc/self/fd/124	firefox
File opened for reading	/proc/filesystems	gvfs-goa-volume-monitor
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/filesystems	xdg-desktop-portal-gtk
File opened for reading	/proc/self/fd/83	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/task/1677/stat	firefox
File opened for reading	/proc/mounts	xdg-desktop-portal
File opened for reading	/proc/1737/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/fd/84	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/sys/kernel/cap_last_cap	gnome-keyring-daemon
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	gvfs-udisks2-volume-monitor
File opened for reading	/proc/filesystems	gvfs-mtp-volume-monitor
File opened for reading	/proc/1754/cmdline	dbus-daemon
File opened for reading	/proc/1539/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd	gvfsd
File opened for reading	/proc/self/mountinfo	gvfsd-trash
File opened for reading	/proc/self/task/1516/stat	firefox
File opened for reading	/proc/filesystems	nautilus
File opened for reading	/proc/self/fd/129	firefox
File opened for reading	/proc/1727/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	gvfs-gphoto2-volume-monitor
File opened for reading	/proc/1525/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	xdg-desktop-portal
File opened for reading	/proc/1521/cmdline	dbus-daemon
File opened for reading	/proc/1552/cmdline	dbus-daemon

Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

firefox

description ioc process

File opened for modification /tmp/firefox/.parentlock firefox
File opened for modification /tmp/tmpaddon firefox

description	ioc	process
File opened for modification	/tmp/firefox/.parentlock	firefox
File opened for modification	/tmp/tmpaddon	firefox

/usr/bin/firefox
firefox -new-tab https://www.surveymonkey.com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnTztl0qK8tjedG5spADp9S8s46J_2BQUlokjVRnQ3_2BxA9RYERIXPceFygvo72KmUAGOx_2B_2F_2B4hOB1YeXxOD3dpQt_2BoFl63vUL3yGQdJEKeXQNYyYZMBmxw48t2_2BesDsizChsedfW60dYYTzQTyLsXglfyC_2BaXQNEjHkLHsOMhZhjq5a0
1⤵
PID:1421

/usr/bin/which
which /usr/bin/firefox
2⤵
PID:1422

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -new-tab https://www.surveymonkey.com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnTztl0qK8tjedG5spADp9S8s46J_2BQUlokjVRnQ3_2BxA9RYERIXPceFygvo72KmUAGOx_2B_2F_2B4hOB1YeXxOD3dpQt_2BoFl63vUL3yGQdJEKeXQNYyYZMBmxw48t2_2BesDsizChsedfW60dYYTzQTyLsXglfyC_2BaXQNEjHkLHsOMhZhjq5a0
1⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1421

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1471

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1471

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1471

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1471

/usr/bin/dbus-daemon
/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1473

/usr/libexec/xdg-desktop-portal
/usr/libexec/xdg-desktop-portal
4⤵
- Reads runtime system information
PID:1515

/usr/libexec/xdg-document-portal
/usr/libexec/xdg-document-portal
4⤵
- Reads runtime system information
PID:1521

/usr/libexec/xdg-permission-store
/usr/libexec/xdg-permission-store
4⤵
- Reads runtime system information
PID:1525

/usr/libexec/xdg-desktop-portal-gtk
/usr/libexec/xdg-desktop-portal-gtk
4⤵
- Reads runtime system information
PID:1539

/usr/libexec/gvfsd
/usr/libexec/gvfsd
4⤵
- Reads runtime system information
PID:1546

/usr/libexec/gvfsd-trash
/usr/libexec/gvfsd-trash --spawner :1.6 /org/gtk/gvfs/exec_spaw/0
5⤵
- Reads runtime system information
PID:1575

/usr/libexec/dconf-service
/usr/libexec/dconf-service
4⤵
- Reads runtime system information
PID:1564

/usr/bin/nautilus
/usr/bin/nautilus --gapplication-service
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1569

/usr/bin/gnome-keyring-daemon
/usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
4⤵
- Reads runtime system information
PID:1727

/usr/libexec/gvfs-udisks2-volume-monitor
/usr/libexec/gvfs-udisks2-volume-monitor
4⤵
- Reads runtime system information
PID:1737

/usr/libexec/gvfs-afc-volume-monitor
/usr/libexec/gvfs-afc-volume-monitor
4⤵
- Reads runtime system information
PID:1743

/usr/libexec/gvfs-mtp-volume-monitor
/usr/libexec/gvfs-mtp-volume-monitor
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1749

/usr/libexec/gvfs-gphoto2-volume-monitor
/usr/libexec/gvfs-gphoto2-volume-monitor
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1754

/usr/libexec/gvfs-goa-volume-monitor
/usr/libexec/gvfs-goa-volume-monitor
4⤵
- Reads runtime system information
PID:1759

/usr/libexec/goa-daemon
/usr/libexec/goa-daemon
4⤵
- Reads runtime system information
PID:1765

/usr/libexec/goa-identity-service
/usr/libexec/goa-identity-service
4⤵
PID:1783

/usr/lib/firefox/glxtest
/usr/lib/firefox/glxtest -f 13
2⤵
- Enumerates kernel/hardware configuration
PID:1478

/usr/bin/lsb_release
/usr/bin/lsb_release -idrc
2⤵
PID:1490

/usr/local/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1500

/usr/local/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1500

/usr/sbin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1500

/usr/bin/dbus-launch
dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
2⤵
PID:1500

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 20597 -prefMapSize 234708 -appDir /usr/lib/firefox/browser "{cd2750ee-d0df-4cd6-9bb1-108e64be6390}" 1421 true socket
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1512

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20206 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{80d8e0d0-fd77-4034-8438-03406f5db5f9}" 1421 true tab
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1586

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 28958 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{0d3d4307-c4f2-4f81-8eaa-90db5dfeeabe}" 1421 true tab
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1631

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 29902 -prefMapSize 234708 -appDir /usr/lib/firefox/browser "{74aa0837-9a33-423f-b0b2-d49e4b76b3de}" 1421 true utility
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1672

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25969 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{6bfe78a5-7904-4377-97b4-7e642e3a31c1}" 1421 true tab
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1674

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 25969 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{ebd8bbbd-97e1-4307-b6e6-645b250a82d8}" 1421 true tab
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1681

/usr/lib/firefox/firefox
/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 25969 -prefMapSize 234708 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{e9fbede5-2bb1-4b2c-8f22-06e0da74fadb}" 1421 true tab
2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1705

/usr/libexec/gvfsd-fuse
/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
1⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/dconf/user
Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/tmp/tmpaddon
Filesize
569KB

MD5
30082ae40dc48af6343db2fd22cfc645

SHA1
3eb577555ee638e8beb01173e8f29e172747a728

SHA256
85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76

SHA512
53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads