hxxps://wellhello[.]com/site/user/fastlogin/f1d56a765f6ce77eaae610449365b0d0/343906313?uid=289158894&r=https%3A%2F%2Fwellhello[.]com%2Fsite%2Fuser%2Fconfirmemail%2F289158894%2FtbwCwdVP%3Flink_name%3Dlink%26template_name%3Dconfirm_email%26mailer_version%3D3

max time kernel
0s
max time network
4s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
19/07/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wellhello.com/site/user/fastlogin/f1d56a765f6ce77eaae610449365b0d0/343906313?uid=289158894&r=https%3A%2F%2Fwellhello.com%2Fsite%2Fuser%2Fconfirmemail%2F289158894%2FtbwCwdVP%3Flink_name%3Dlink%26template_name%3Dconfirm_email%26mailer_version%3D3

Score

4^/10

Malware Config

Signatures

Changes its process name 3 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	pool-spawner	2528
Changes the process name, possibly in an attempt to hide itself	gmain	2529
Changes the process name, possibly in an attempt to hide itself	dconf worker	2530

Enumerates kernel/hardware configuration 1 TTPs 26 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/bpf	snap-confine
File opened for reading	/sys/kernel/security/apparmor/features/network_v8	firefox
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	firefox
File opened for reading	/sys/kernel/security/apparmor/features/signal	firefox
File opened for reading	/sys/kernel/security/apparmor/features/caps	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/drm/renderD128/uevent	snap-confine
File opened for reading	/sys/fs/cgroup/user.slice/user-0.slice/[email protected]/app.slice/snap.firefox.firefox-cfcdcda6-8e4c-4ff8-bc3d-1872398a561f.scope	snap-confine
File opened for reading	/sys/devices/virtual/dma_heap/system/uevent	snap-confine
File opened for reading	/sys/kernel/security/apparmor/features/mount	firefox
File opened for reading	/sys/kernel/security/apparmor/features/namespaces	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/drm/card1/uevent	snap-confine
File opened for reading	/sys/kernel/security/apparmor/features	firefox
File opened for reading	/sys/kernel/security/apparmor/features/file	firefox
File opened for reading	/sys/kernel/security/apparmor/features/ipc	firefox
File opened for reading	/sys/kernel/security/apparmor/features/io_uring	firefox
File opened for reading	/sys/devices/virtual/mem/full/uevent	snap-confine
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	firefox
File opened for reading	/sys/kernel/security/apparmor/features/dbus	firefox
File opened for reading	/sys/kernel/security/apparmor/features/query	firefox
File opened for reading	/sys/kernel/security/apparmor/features/rlimit	firefox
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap-seccomp
File opened for reading	/sys/module/apparmor/parameters/enabled	snap-confine
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/drm/card1/card1-Virtual-1/uevent	snap-confine
File opened for reading	/sys/kernel/security/apparmor/features/domain	firefox
File opened for reading	/sys/kernel/security/apparmor/features/network	firefox
File opened for reading	/sys/kernel/security/apparmor/features/policy	firefox

Reads runtime system information 40 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/fd/12	snap-confine
File opened for reading	/proc/self/fd/11	snap-confine
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/cgroups	firefox
File opened for reading	/proc/sys/kernel/random/uuid	firefox
File opened for reading	/proc/self/mountinfo	snap-confine
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/2454/attr/apparmor/current	snap-confine
File opened for reading	/proc/self/ns/mnt	snap-confine
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	gsettings
File opened for reading	/proc/self/mounts	firefox
File opened for reading	/proc/mounts	snap-confine
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	gsettings
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd/10	snap-confine
File opened for reading	/proc/self/cgroup	snap-confine
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/cmdline	firefox
File opened for reading	/proc/self/fd/9	snap-confine
File opened for reading	/proc/1/ns/mnt	snap-confine
File opened for reading	/proc/self/fd/13	snap-confine
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/sys/kernel/seccomp/actions_avail	firefox
File opened for reading	/proc/2454/cgroup	firefox
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	gsettings

/usr/bin/firefox
firefox -new-tab "https://wellhello.com/site/user/fastlogin/f1d56a765f6ce77eaae610449365b0d0/343906313?uid=289158894&r=https%3A%2F%2Fwellhello.com%2Fsite%2Fuser%2Fconfirmemail%2F289158894%2FtbwCwdVP%3Flink_name%3Dlink%26template_name%3Dconfirm_email%26mailer_version%3D3"
1⤵
PID:2454
- /usr/bin/xdg-settings
  xdg-settings get default-web-browser
  2⤵
  PID:2455
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    PID:2457
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:2462
- - /usr/bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    - Reads runtime system information
    PID:2463
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:2464
- - /usr/bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    - Reads runtime system information
    PID:2465
- - /usr/bin/grep
    grep -q "^Enlightenment"
    3⤵
    - Reads runtime system information
    PID:2467
- - /usr/bin/uname
    uname
    3⤵
    PID:2468
- - /usr/bin/xdg-mime
    xdg-mime query default x-scheme-handler/http
    3⤵
    PID:2469
  - - /usr/bin/dbus-send
      dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
      4⤵
      PID:2470
  - - /usr/bin/xprop
      xprop -root _DT_SAVE_MODE
      4⤵
      PID:2475
  - - /usr/bin/grep
      grep " = \\\"xfce4\\\"\$"
      4⤵
      Reads runtime system information
      PID:2476
  - - /usr/bin/xprop
      xprop -root
      4⤵
      PID:2477
  - - /usr/bin/grep
      grep -i "^xfce_desktop_window"
      4⤵
      Reads runtime system information
      PID:2478
  - - /usr/bin/grep
      grep -q "^Enlightenment"
      4⤵
      Reads runtime system information
      PID:2480
  - - /usr/bin/uname
      uname
      4⤵
      PID:2481
  - - /usr/bin/sed
      sed "s/:/ /g"
      4⤵
      Reads runtime system information
      PID:2484
  - - /usr/bin/grep
      grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
      4⤵
      Reads runtime system information
      PID:2486
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:2487
  - - /usr/bin/cut
      cut -d "=" -f 2
      4⤵
      PID:2488
  - - /usr/bin/cut
      cut -d ";" -f 1
      4⤵
      PID:2489
  - - /usr/bin/grep
      grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
      4⤵
      Reads runtime system information
      PID:2491
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:2492
  - - /usr/bin/cut
      cut -d "=" -f 2
      4⤵
      PID:2493
  - - /usr/bin/cut
      cut -d ";" -f 1
      4⤵
      PID:2494
  - - /usr/bin/grep
      grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
      4⤵
      Reads runtime system information
      PID:2496
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:2497
  - - /usr/bin/cut
      cut -d "=" -f 2
      4⤵
      PID:2498
  - - /usr/bin/cut
      cut -d ";" -f 1
      4⤵
      PID:2499
  - - /usr/bin/grep
      grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
      4⤵
      Reads runtime system information
      PID:2502
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:2503
  - - /usr/bin/cut
      cut -d "=" -f 2
      4⤵
      PID:2504
  - - /usr/bin/cut
      cut -d ";" -f 1
      4⤵
      PID:2505
  - - /usr/bin/grep
      grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
      4⤵
      Reads runtime system information
      PID:2507
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:2508
  - - /usr/bin/cut
      cut -d "=" -f 2
      4⤵
      PID:2509
  - - /usr/bin/cut
      cut -d ";" -f 1
      4⤵
      PID:2510
  - - /usr/bin/grep
      grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
      4⤵
      Reads runtime system information
      PID:2514
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:2515
  - - /usr/bin/cut
      cut -d "=" -f 2
      4⤵
      PID:2516
  - - /usr/bin/cut
      cut -d ";" -f 1
      4⤵
      PID:2517
  - - /usr/bin/sed
      sed "s/:/ /g"
      4⤵
      Reads runtime system information
      PID:2520
  - - /usr/bin/grep
      grep -l "x-scheme-handler/http;" "/.local/share/applications/*.desktop"
      4⤵
      Reads runtime system information
      PID:2522
  - - /usr/bin/grep
      grep -l "x-scheme-handler/http;" "/usr/local/share//applications/*.desktop"
      4⤵
      Reads runtime system information
      PID:2524
  - - /usr/bin/grep
      grep -l "x-scheme-handler/http;" /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop
      4⤵
      Reads runtime system information
      PID:2526
- /usr/bin/gsettings
  gsettings get org.gnome.shell favorite-apps
  2⤵
  - Reads runtime system information
  PID:2527
- /usr/bin/grep
  grep -q "'firefox.desktop'"
  2⤵
  - Reads runtime system information
  PID:2532
- /usr/bin/gsettings
  gsettings get com.canonical.Unity.Launcher favorites
  2⤵
  - Reads runtime system information
  PID:2533
- /usr/bin/grep
  grep -q "'application://firefox.desktop'"
  2⤵
  - Reads runtime system information
  PID:2535
- /usr/bin/gsettings
  gsettings get org.mate.panel object-id-list
  2⤵
  - Reads runtime system information
  PID:2536
- /usr/bin/which
  which qdbus
  2⤵
  PID:2537

/snap/bin/firefox
/snap/bin/firefox -new-tab "https://wellhello.com/site/user/fastlogin/f1d56a765f6ce77eaae610449365b0d0/343906313?uid=289158894&r=https%3A%2F%2Fwellhello.com%2Fsite%2Fuser%2Fconfirmemail%2F289158894%2FtbwCwdVP%3Flink_name%3Dlink%26template_name%3Dconfirm_email%26mailer_version%3D3"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2454
- /usr/lib/snapd/snap-seccomp
  /usr/lib/snapd/snap-seccomp version-info
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2541

/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine --base core22 snap.firefox.firefox /usr/lib/snapd/snap-exec firefox -new-tab "https://wellhello.com/site/user/fastlogin/f1d56a765f6ce77eaae610449365b0d0/343906313?uid=289158894&r=https%3A%2F%2Fwellhello.com%2Fsite%2Fuser%2Fconfirmemail%2F289158894%2FtbwCwdVP%3Flink_name%3Dlink%26template_name%3Dconfirm_email%26mailer_version%3D3"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2454

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/snapd/ns/snap.firefox.fstab

Filesize
40B

MD5
65408163d77c5bbcc5b17dc2e313c93e

SHA1
b8891c89ce55f6c1bbe476fd4912a7af296ce79a

SHA256
d86e32b299b19c1c03a025d8d5ed026cdf923fc9a1015439cde134b3d13d1fff

SHA512
394e2394e44e38210817f5f02779f7b8253c3ff1b4aa816bce7a0b95e40f47094d01cb43ec5e7ec593404f5ddf6fc49bb4175eece231a3cee7c5295e0d9349a7

Download Submit

Resubmissions

Analysis