Malware Analysis Report

2024-10-16 06:44

Sample ID 241007-158z7szckg
Target https://google.com/bebra.dod
Tags
discovery
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

Threat Level: Likely benign

The file https://google.com/bebra.dod was found to be: Likely benign.

Malicious Activity Summary

discovery

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 22:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 22:15

Reported

2024-10-07 22:23

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

448s

Command Line

[firefox -new-tab https://google.com/bebra.dod]

Signatures

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/pci/devices/0000:00:03.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/lib/firefox/firefox N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/task/1521/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A

Processes

/usr/bin/firefox

[firefox -new-tab https://google.com/bebra.dod]

/usr/bin/which

[which /usr/bin/firefox]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -new-tab https://google.com/bebra.dod]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.19:443 tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 1.1.1.1:53 dashboard.snapcraft.io udp
GB 185.125.188.62:443 dashboard.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 185.125.188.61:443 dashboard.snapcraft.io tcp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
GB 185.125.190.98:80 connectivity-check.ubuntu.com tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.55:443 api.snapcraft.io tcp
US 1.1.1.1:53 canonical-lgw01.cdn.snapcraftcontent.com udp
US 1.1.1.1:53 canonical-lgw01.cdn.snapcraftcontent.com udp
GB 185.125.190.26:443 canonical-lgw01.cdn.snapcraftcontent.com tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
US 1.1.1.1:53 canonical-lgw01.cdn.snapcraftcontent.com udp
GB 185.125.190.27:443 canonical-lgw01.cdn.snapcraftcontent.com tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.190.28:443 canonical-lgw01.cdn.snapcraftcontent.com tcp
US 1.1.1.1:53 canonical-bos01.cdn.snapcraftcontent.com udp
US 1.1.1.1:53 canonical-bos01.cdn.snapcraftcontent.com udp
US 91.189.91.43:443 canonical-bos01.cdn.snapcraftcontent.com tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
GB 185.125.190.28:443 canonical-lgw01.cdn.snapcraftcontent.com tcp
GB 185.125.188.59:443 api.snapcraft.io tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.58:443 api.snapcraft.io tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
US 1.1.1.1:53 spocs.getpocket.com udp
US 1.1.1.1:53 spocs.getpocket.com udp
US 1.1.1.1:53 getpocket.cdn.mozilla.net udp
US 1.1.1.1:53 getpocket.cdn.mozilla.net udp
US 1.1.1.1:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 1.1.1.1:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 1.1.1.1:53 shavar.prod.mozaws.net udp
US 1.1.1.1:53 tracking-protection.cdn.mozilla.net udp
US 1.1.1.1:53 tracking-protection.cdn.mozilla.net udp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 web.telegram.org udp
US 1.1.1.1:53 web.telegram.org udp
NL 149.154.167.99:80 web.telegram.org tcp
NL 149.154.167.99:443 web.telegram.org tcp
US 1.1.1.1:53 t.me udp
US 1.1.1.1:53 t.me udp
US 1.1.1.1:53 telegram.me udp
US 1.1.1.1:53 telegram.me udp
NL 149.154.167.99:443 telegram.me tcp
NL 149.154.167.99:443 telegram.me tcp
US 1.1.1.1:53 zws2.web.telegram.org udp
US 1.1.1.1:53 zws2.web.telegram.org udp
NL 149.154.167.99:443 zws2.web.telegram.org tcp
NL 149.154.167.99:443 zws2.web.telegram.org tcp
US 1.1.1.1:53 zws2-1.web.telegram.org udp
US 1.1.1.1:53 zws2-1.web.telegram.org udp
NL 149.154.167.99:443 zws2-1.web.telegram.org tcp
NL 149.154.167.99:443 zws2-1.web.telegram.org tcp
US 1.1.1.1:53 kws2.web.telegram.org udp
US 1.1.1.1:53 kws2.web.telegram.org udp
US 1.1.1.1:53 venus.web.telegram.org udp
US 1.1.1.1:53 venus.web.telegram.org udp
NL 149.154.167.99:443 venus.web.telegram.org tcp
NL 149.154.167.99:443 venus.web.telegram.org tcp
NL 149.154.167.99:443 venus.web.telegram.org tcp
NL 149.154.167.99:443 venus.web.telegram.org tcp
NL 149.154.167.99:443 venus.web.telegram.org tcp
NL 149.154.167.99:443 venus.web.telegram.org tcp
NL 149.154.167.99:443 venus.web.telegram.org tcp
US 1.1.1.1:53 kws4.web.telegram.org udp
US 1.1.1.1:53 kws4.web.telegram.org udp
NL 149.154.167.99:443 kws4.web.telegram.org tcp
NL 149.154.167.99:443 kws4.web.telegram.org tcp
US 1.1.1.1:53 location.services.mozilla.com udp
US 1.1.1.1:53 location.services.mozilla.com udp
US 1.1.1.1:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 1.1.1.1:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 1.1.1.1:53 archive.mozilla.org udp
US 1.1.1.1:53 archive.mozilla.org udp
US 34.117.35.28:443 archive.mozilla.org tcp
US 1.1.1.1:53 ciscobinary.openh264.org udp
US 1.1.1.1:53 ciscobinary.openh264.org udp
US 34.117.35.28:443 archive.mozilla.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 1.1.1.1:53 support.mozilla.org udp
US 1.1.1.1:53 support.mozilla.org udp
US 1.1.1.1:53 wiki.mozilla.org udp
US 1.1.1.1:53 wiki.mozilla.org udp
US 1.1.1.1:53 www.mozilla.org udp
US 1.1.1.1:53 www.mozilla.org udp
US 1.1.1.1:53 www.mozorg.moz.works udp
US 1.1.1.1:53 wiki-prod-850398177.us-west-2.elb.amazonaws.com udp
US 1.1.1.1:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 1.1.1.1:53 kws1.web.telegram.org udp
US 1.1.1.1:53 kws1.web.telegram.org udp
US 149.154.174.100:443 kws1.web.telegram.org tcp
US 1.1.1.1:53 kws3.web.telegram.org udp
US 1.1.1.1:53 kws3.web.telegram.org udp
US 149.154.174.100:443 kws3.web.telegram.org tcp
US 149.154.174.100:443 kws3.web.telegram.org tcp

Files

N/A