Analysis Overview
Score: 3/10
Threat Level: Likely benign
The file https://google.com/bebra.dod was found to be: Likely benign.
Malicious Activity Summary
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 22:15
Signatures
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 22:15
Reported
2024-10-07 22:23
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
448s
Command Line
[firefox -new-tab https://google.com/bebra.dod]
Signatures
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/resource | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/class | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/vendor | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/device | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/irq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/device | /usr/lib/firefox/firefox | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/self/task/1521/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/lib/firefox/firefox | N/A |
Processes
/usr/bin/firefox
[firefox -new-tab https://google.com/bebra.dod]
/usr/bin/which
[which /usr/bin/firefox]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -new-tab https://google.com/bebra.dod]
Network
Files
N/A