hxxps://drive[.]google[.]com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O

Resubmissions

30/08/2024, 21:07 UTC

240830-zyjajawgln 6

30/08/2024, 15:50 UTC

240830-taa2cssbnc 6

Analysis

max time kernel
1s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
30/08/2024, 15:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O

Score

3^/10

Malware Config

Signatures

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	firefox

Reads runtime system information 16 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/task/1610/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/task/1584/stat	firefox
File opened for reading	/proc/self/task/1597/stat	firefox
File opened for reading	/proc/filesystems	firefox

/usr/bin/xdg-open
xdg-open https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
1⤵
PID:1480
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:1481
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
    3⤵
    PID:1482
- /bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  PID:1484
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1483
- /bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  PID:1491
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1490
- /bin/grep
  grep -q "^Enlightenment"
  2⤵
  PID:1494
- /bin/uname
  uname
  2⤵
  PID:1497
- /bin/grep
  grep -q "^file://"
  2⤵
  PID:1500
- /bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1502
- /bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  - Reads runtime system information
  PID:1505
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/https
  2⤵
  PID:1506
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:1507
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
      4⤵
      PID:1508
- - /bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    PID:1510
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1509
- - /bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    PID:1516
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1515
- - /bin/grep
    grep -q "^Enlightenment"
    3⤵
    PID:1520
- - /bin/uname
    uname
    3⤵
    PID:1523
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1527
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1532
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1531
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1530
- - /bin/grep
    grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1529
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1537
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1536
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1535
- - /bin/grep
    grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1534
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1542
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1541
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1540
- - /bin/grep
    grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1539
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1547
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1546
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1545
- - /bin/grep
    grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1544
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1555
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1554
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1553
- - /bin/grep
    grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    PID:1552
- /bin/sed
  sed "s/:/ /g"
  2⤵
  - Reads runtime system information
  PID:1558
- /bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1561
- /bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1564
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1569
- /usr/bin/which
  which firefox
  2⤵
  PID:1570
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1573
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1576
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1581
- /usr/bin/firefox
  /usr/bin/firefox https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
  2⤵
  PID:1582
- - /usr/bin/which
    which /usr/bin/firefox
    3⤵
    PID:1583
- /usr/lib/firefox/firefox
  /usr/lib/firefox/firefox https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1582
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1594
- /usr/bin/x-www-browser
  x-www-browser https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
  2⤵
  PID:1595
- - /usr/bin/which
    which /usr/bin/x-www-browser
    3⤵
    PID:1596
- /usr/lib/firefox/firefox
  /usr/lib/firefox/firefox https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1595
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1604
- /usr/bin/firefox
  firefox https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
  2⤵
  PID:1608
- - /usr/bin/which
    which /usr/bin/firefox
    3⤵
    PID:1609
- /usr/lib/firefox/firefox
  /usr/lib/firefox/firefox https://drive.google.com/drive/folders/1Fa0E3128_Fq0UTCtHmctLFYdK7BNsH0O
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1608
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1616
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1619
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1624
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1626
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1628
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1630
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1632
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1634
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1636
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1640
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1642
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1644
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1646
- /bin/grep
  grep -q "%s"
  2⤵
  PID:1648

Network

No results found

185.125.188.62:443

tls

135 B
2
185.125.188.62:443

tls

135 B
2
151.101.1.91:443

tls, https

233 B
40 B
1
1
151.101.1.91:443

extensions.gnome.org

tls

4.0kB
221.8kB
67
172
195.181.164.15:443

tls, https

10.1kB
40

224.0.0.251:5353

146 B
2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.