hxxps://webminer[.]pages[.]dev?algorithm=yespowerurx&host=yespowerURX[.]sea[.]mine[.]zpool[.]ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1[.]5

Analysis

max time kernel
0s
max time network
1510s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240729-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
30/09/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5

Score

6^/10

discovery

Malware Config

Signatures

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	snap

Changes its process name 3 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	pool-spawner	2643	gsettings
Changes the process name, possibly in an attempt to hide itself	gmain	2644	gsettings
Changes the process name, possibly in an attempt to hide itself	dconf worker	2645	gsettings

Enumerates kernel/hardware configuration 1 TTPs 20 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/apparmor/parameters/enabled	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	firefox
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/security/apparmor/features/domain	snap
File opened for reading	/sys/kernel/security/apparmor/features/network_v8	snap
File opened for reading	/sys/kernel/security/apparmor/features	snap
File opened for reading	/sys/kernel/security/apparmor/features/caps	snap
File opened for reading	/sys/kernel/security/apparmor/features/mount	snap
File opened for reading	/sys/kernel/security/apparmor/features/rlimit	snap
File opened for reading	/sys/kernel/security/apparmor/features/dbus	snap
File opened for reading	/sys/kernel/security/apparmor/features/file	snap
File opened for reading	/sys/kernel/security/apparmor/features/io_uring	snap
File opened for reading	/sys/kernel/security/apparmor/features/signal	snap
File opened for reading	/sys/kernel/security/apparmor/features/ipc	snap
File opened for reading	/sys/kernel/security/apparmor/features/namespaces	snap
File opened for reading	/sys/kernel/security/apparmor/features/network	snap
File opened for reading	/sys/kernel/security/apparmor/features/policy	snap
File opened for reading	/sys/kernel/security/apparmor/features/query	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap-seccomp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/cmdline	firefox
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/2507/status	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/mounts	snap
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/2507/attr/apparmor/current	dbus-daemon
File opened for reading	/proc/2502/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	gsettings
File opened for reading	/proc/self/fd	dbus-daemon
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/mountinfo	snap
File opened for reading	/proc/2576/cgroup	snap
File opened for reading	/proc/self/mounts	firefox
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/2578/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	gsettings
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-launch
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/2591/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/cgroups	firefox
File opened for reading	/proc/2523/cmdline	dbus-daemon
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/filesystems	gsettings
File opened for reading	/proc/cgroups	snap

/usr/bin/xdg-open
xdg-open "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
1⤵
PID:2500
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:2502
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch 36e6eb39a6fa405996e79cad2731865d --binary-syntax --close-stderr
    3⤵
    - Reads runtime system information
    PID:2503
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:2505
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:2508
- /usr/bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  - Reads runtime system information
  PID:2509
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:2510
- /usr/bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  - Reads runtime system information
  PID:2511
- /usr/bin/grep
  grep -q "^Enlightenment"
  2⤵
  - Reads runtime system information
  PID:2513
- /usr/bin/uname
  uname
  2⤵
  PID:2514
- /usr/bin/grep
  grep -q "^file://"
  2⤵
  - Reads runtime system information
  PID:2516
- /usr/bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:2518
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:2518
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:2518
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:2518
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  - Reads runtime system information
  PID:2518
- /usr/bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  - Reads runtime system information
  PID:2521
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/https
  2⤵
  PID:2522
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:2523
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch 36e6eb39a6fa405996e79cad2731865d --binary-syntax --close-stderr
      4⤵
      PID:2524
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:2525
- - /usr/bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    - Reads runtime system information
    PID:2526
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:2527
- - /usr/bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    - Reads runtime system information
    PID:2528
- - /usr/bin/grep
    grep -q "^Enlightenment"
    3⤵
    - Reads runtime system information
    PID:2530
- - /usr/bin/uname
    uname
    3⤵
    PID:2531
- - /usr/bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:2534
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:2536
- - /usr/bin/head
    head -n 1
    3⤵
    PID:2537
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:2538
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:2539
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:2541
- - /usr/bin/head
    head -n 1
    3⤵
    PID:2542
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:2543
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:2544
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:2546
- - /usr/bin/head
    head -n 1
    3⤵
    PID:2547
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:2548
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:2549
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:2551
- - /usr/bin/head
    head -n 1
    3⤵
    PID:2552
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:2553
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:2554
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:2556
- - /usr/bin/head
    head -n 1
    3⤵
    PID:2557
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:2558
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:2559
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:2561
- - /usr/bin/head
    head -n 1
    3⤵
    PID:2562
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:2563
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:2564
- - /usr/bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:2567
- - /usr/bin/grep
    grep -l "x-scheme-handler/https;" "/.local/share/applications/*.desktop"
    3⤵
    - Reads runtime system information
    PID:2569
- - /usr/bin/grep
    grep -l "x-scheme-handler/https;" "/usr/local/share//applications/*.desktop"
    3⤵
    - Reads runtime system information
    PID:2571
- - /usr/bin/grep
    grep -l "x-scheme-handler/https;" /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop
    3⤵
    - Reads runtime system information
    PID:2573
- /usr/bin/grep
  grep -q "%s"
  2⤵
  - Reads runtime system information
  PID:2575
- /usr/bin/x-www-browser
  x-www-browser "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
  2⤵
  PID:2576
- - /usr/bin/xdg-settings
    xdg-settings get default-web-browser
    3⤵
    PID:2577
  - - /usr/bin/dbus-send
      dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
      4⤵
      Reads runtime system information
      PID:2578
    - - /usr/bin/dbus-launch
        
        dbus-launch --autolaunch 36e6eb39a6fa405996e79cad2731865d --binary-syntax --close-stderr
        5⤵
        
        PID:2579
  - - /usr/bin/xprop
      xprop -root _DT_SAVE_MODE
      4⤵
      PID:2583
  - - /usr/bin/grep
      grep " = \\\"xfce4\\\"\$"
      4⤵
      Reads runtime system information
      PID:2584
  - - /usr/bin/xprop
      xprop -root
      4⤵
      PID:2585
  - - /usr/bin/grep
      grep -i "^xfce_desktop_window"
      4⤵
      Reads runtime system information
      PID:2586
  - - /usr/bin/grep
      grep -q "^Enlightenment"
      4⤵
      Reads runtime system information
      PID:2588
  - - /usr/bin/uname
      uname
      4⤵
      PID:2589
  - - /usr/bin/xdg-mime
      xdg-mime query default x-scheme-handler/http
      4⤵
      PID:2590
    - - /usr/bin/dbus-send
        
        dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
        5⤵
        Reads runtime system information
        
        PID:2591
      - /usr/bin/dbus-launch
        
        dbus-launch --autolaunch 36e6eb39a6fa405996e79cad2731865d --binary-syntax --close-stderr
        6⤵
        
        PID:2592
    - - /usr/bin/grep
        
        grep " = \\\"xfce4\\\"\$"
        5⤵
        Reads runtime system information
        
        PID:2594
    - - /usr/bin/xprop
        
        xprop -root _DT_SAVE_MODE
        5⤵
        
        PID:2593
    - - /usr/bin/xprop
        
        xprop -root
        5⤵
        
        PID:2595
    - - /usr/bin/grep
        
        grep -i "^xfce_desktop_window"
        5⤵
        Reads runtime system information
        
        PID:2596
    - - /usr/bin/grep
        
        grep -q "^Enlightenment"
        5⤵
        Reads runtime system information
        
        PID:2598
    - - /usr/bin/uname
        
        uname
        5⤵
        
        PID:2599
    - - /usr/bin/sed
        
        sed "s/:/ /g"
        5⤵
        Reads runtime system information
        
        PID:2602
    - - /usr/bin/grep
        
        grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
        5⤵
        Reads runtime system information
        
        PID:2604
    - - /usr/bin/head
        
        head -n 1
        5⤵
        
        PID:2605
    - - /usr/bin/cut
        
        cut -d "=" -f 2
        5⤵
        
        PID:2606
    - - /usr/bin/cut
        
        cut -d ";" -f 1
        5⤵
        
        PID:2607
    - - /usr/bin/head
        
        head -n 1
        5⤵
        
        PID:2610
    - - /usr/bin/grep
        
        grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
        5⤵
        Reads runtime system information
        
        PID:2609
    - - /usr/bin/cut
        
        cut -d "=" -f 2
        5⤵
        
        PID:2611
    - - /usr/bin/cut
        
        cut -d ";" -f 1
        5⤵
        
        PID:2612
    - - /usr/bin/grep
        
        grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
        5⤵
        Reads runtime system information
        
        PID:2614
    - - /usr/bin/head
        
        head -n 1
        5⤵
        
        PID:2615
    - - /usr/bin/cut
        
        cut -d "=" -f 2
        5⤵
        
        PID:2616
    - - /usr/bin/cut
        
        cut -d ";" -f 1
        5⤵
        
        PID:2617
    - - /usr/bin/grep
        
        grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
        5⤵
        
        PID:2619
    - - /usr/bin/head
        
        head -n 1
        5⤵
        
        PID:2620
    - - /usr/bin/cut
        
        cut -d "=" -f 2
        5⤵
        
        PID:2621
    - - /usr/bin/cut
        
        cut -d ";" -f 1
        5⤵
        
        PID:2622
    - - /usr/bin/grep
        
        grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
        5⤵
        Reads runtime system information
        
        PID:2624
    - - /usr/bin/head
        
        head -n 1
        5⤵
        
        PID:2625
    - - /usr/bin/cut
        
        cut -d "=" -f 2
        5⤵
        
        PID:2626
    - - /usr/bin/cut
        
        cut -d ";" -f 1
        5⤵
        
        PID:2627
    - - /usr/bin/head
        
        head -n 1
        5⤵
        
        PID:2630
    - - /usr/bin/grep
        
        grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
        5⤵
        Reads runtime system information
        
        PID:2629
    - - /usr/bin/cut
        
        cut -d "=" -f 2
        5⤵
        
        PID:2631
    - - /usr/bin/cut
        
        cut -d ";" -f 1
        5⤵
        
        PID:2632
    - - /usr/bin/sed
        
        sed "s/:/ /g"
        5⤵
        Reads runtime system information
        
        PID:2635
    - - /usr/bin/grep
        
        grep -l "x-scheme-handler/http;" "/.local/share/applications/*.desktop"
        5⤵
        
        PID:2637
    - - /usr/bin/grep
        
        grep -l "x-scheme-handler/http;" "/usr/local/share//applications/*.desktop"
        5⤵
        Reads runtime system information
        
        PID:2639
    - - /usr/bin/grep
        
        grep -l "x-scheme-handler/http;" /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop
        5⤵
        Reads runtime system information
        
        PID:2641
- - /usr/bin/gsettings
    gsettings get org.gnome.shell favorite-apps
    3⤵
    - Changes its process name
    - Reads runtime system information
    PID:2642
- - /usr/bin/grep
    grep -q "'firefox.desktop'"
    3⤵
    - Reads runtime system information
    PID:2647
- - /usr/bin/gsettings
    gsettings get com.canonical.Unity.Launcher favorites
    3⤵
    - Reads runtime system information
    PID:2648
- - /usr/bin/grep
    grep -q "'application://firefox.desktop'"
    3⤵
    - Reads runtime system information
    PID:2650
- - /usr/bin/gsettings
    gsettings get org.mate.panel object-id-list
    3⤵
    - Reads runtime system information
    PID:2651
- - /usr/bin/which
    which qdbus
    3⤵
    PID:2652
- /snap/bin/firefox
  /snap/bin/firefox "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2576
- /snap/snapd/current/usr/bin/snap
  /snap/bin/firefox "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
  2⤵
  - Reads AppArmor ptrace settings
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2576
- - /snap/snapd/21759/usr/lib/snapd/snap-seccomp
    /snap/snapd/21759/usr/lib/snapd/snap-seccomp version-info
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2660
- /snap/snapd/21759/usr/lib/snapd/snap-confine
  /snap/snapd/21759/usr/lib/snapd/snap-confine --base core22 snap.firefox.firefox /usr/lib/snapd/snap-exec firefox "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
  2⤵
  PID:2657

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads