hxxps://webminer[.]pages[.]dev?algorithm=yespowerurx&host=yespowerURX[.]sea[.]mine[.]zpool[.]ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1[.]5

Analysis

max time kernel
0s
max time network
897s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
30-09-2024 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5

Score

3^/10

discovery

Malware Config

Signatures

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/apparmor/parameters/enabled	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1575/cmdline	dbus-daemon
File opened for reading	/proc/1596/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/1580/status	dbus-daemon
File opened for reading	/proc/1580/attr/apparmor/current	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep

/usr/bin/xdg-open
xdg-open "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
1⤵
PID:1574
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:1575
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr
    3⤵
    PID:1576
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1578
- /usr/bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  - Reads runtime system information
  PID:1582
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1581
- /usr/bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  - Reads runtime system information
  PID:1584
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1583
- /usr/bin/grep
  grep -q "^Enlightenment"
  2⤵
  - Reads runtime system information
  PID:1586
- /usr/bin/uname
  uname
  2⤵
  PID:1587
- /usr/bin/grep
  grep -q "^file://"
  2⤵
  - Reads runtime system information
  PID:1589
- /usr/bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1591
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1591
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1591
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1591
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  - Reads runtime system information
  PID:1591
- /usr/bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  - Reads runtime system information
  PID:1594
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/https
  2⤵
  PID:1595
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:1596
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr
      4⤵
      PID:1597
- - /usr/bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    - Reads runtime system information
    PID:1599
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1598
- - /usr/bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    - Reads runtime system information
    PID:1601
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1600
- - /usr/bin/grep
    grep -q "^Enlightenment"
    3⤵
    - Reads runtime system information
    PID:1603
- - /usr/bin/uname
    uname
    3⤵
    PID:1604
- - /usr/bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1607
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1612
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1611
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1610
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1609
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1617
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1616
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1615
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1614
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1622
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1621
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1620
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1619
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1627
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1626
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1625
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1624
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1632
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1631
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1630
- - /usr/bin/grep
    grep "x-scheme-handler/https=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1629
- /usr/bin/sed
  sed "s/:/ /g"
  2⤵
  - Reads runtime system information
  PID:1635
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1638
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1641
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1649
- /usr/bin/which
  which firefox
  2⤵
  PID:1650
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1653
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1656
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1661
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1664
- /usr/bin/firefox
  /usr/bin/firefox "https://webminer.pages.dev?algorithm=yespowerurx&host=yespowerURX.sea.mine.zpool.ca&port=6236&worker=DG3AezgvUxfN1mwPWKwmpMzSqEGbqXsyXH&password=c%3DDOGE%2Czap%3DURX&workers=1.5"
  2⤵
  PID:1665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.dbus/session-bus/f2de92a803c744e586bd87567a26b68a-0

Filesize
465B

MD5
24c6f27ed99cd79893250073a6dca8c5

SHA1
8556f662d1b47a33616eb261e48bd1b85c194c8b

SHA256
8bd91549413f97be8bec1bd38049fcea5eb419ce34ba71572e1dad79d11a5b14

SHA512
89abe016e5707202c3cb318a8366df5b4de3a409feb8650e9a31d3ed03f661fc4985f772cb60709bca0e3a00b02a8b7dca8a0f14dbf7c5cf0f711960c89aa1d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads