754e73d783386a99ea36946cb578d34abe841adb9e32c0471711006d3ffeb61b

Analysis

max time kernel
0s
max time network
130s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25/01/2025, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh
Size

3KB
MD5

eece87baf1509ffc027d6b22b7683955
SHA1

d4a03766203c775b71eeaedc423d7920c1019f3c
SHA256

c4f9c723000a08c87859623c0a11022472bfd4b8758c7530778b50bc549c1618
SHA512

882e3acc7bffc4f09b7ad223b0839560e070a04467b78fb279da8e5ee72a8fa1fbd65da1bdeec4d56576232f5b50a6124c485d017c7e129283deb6edaa457319

Score

3^/10

discovery

Malware Config

Signatures

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	cp

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1523	zip
1534	zip

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedGVCe2X	sed
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedsMHf6W	sed
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/zii68lrX	zip
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/chrome.manifest	cp
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/chrome/FaceTheme .jar	zip
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/chrome/ziV2WxjV	zip
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/install.rdf	cp
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/FaceTheme .xpi	zip
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files	build.sh

/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh
"/tmp/\$APPDATA/Mozilla/Firefox/\$R0/extensions/[email protected]/build.sh"
1⤵
- Writes file to tmp directory
PID:1510
- /bin/rm
  rm -f "FaceTheme .jar" "FaceTheme .xpi" files
  2⤵
  PID:1512
- /bin/rm
  rm -rf build
  2⤵
  PID:1513
- /bin/mkdir
  mkdir --parents --verbose build/chrome
  2⤵
  - Reads runtime system information
  PID:1515
- /bin/grep
  grep -v "~"
  2⤵
  PID:1517
- /usr/bin/find
  find content -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:1516
- /bin/grep
  grep -v "~"
  2⤵
  PID:1519
- /usr/bin/find
  find locale -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:1518
- /bin/grep
  grep -v "~"
  2⤵
  PID:1521
- /usr/bin/find
  find "skin " -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:1520
- /bin/cat
  cat files
  2⤵
  PID:1522
- /usr/bin/zip
  zip -0 -r "build/chrome/FaceTheme .jar" content/firefoxOverlay.xul content/installid.js content/overlay.js content/vfdownload.js content/.DS_Store locale/.DS_Store locale/en-US/vfdownload.properties locale/en-US/.DS_Store locale/en-US/._vfdownload.properties
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1523
- /bin/mkdir
  mkdir "build/defaults "
  2⤵
  - Reads runtime system information
  PID:1524
- /bin/grep
  grep -v "~"
  2⤵
  PID:1527
- /usr/bin/find
  find "defaults " -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:1526
- /bin/cp
  cp --verbose --parents build
  2⤵
  - Reads runtime system information
  PID:1528
- /bin/cp
  cp --verbose " " build
  2⤵
  - Reads runtime system information
  PID:1529
- /bin/cp
  cp --verbose install.rdf build
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1530
- /bin/cp
  cp --verbose chrome.manifest build
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1531
- /bin/sed
  sed -i -r "s/^(content\\s+\\S*\\s+)(\\S*\\/)\$/\\1jar:chrome\\/FaceTheme \\.jar!\\/\\2/" chrome.manifest
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1532
- /bin/sed
  sed -i -r "s/^(skin|locale)(\\s+\\S*\\s+\\S*\\s+)(.*\\/)\$/\\1\\2jar:chrome\\/FaceTheme \\.jar!\\/\\3/" chrome.manifest
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1533
- /usr/bin/zip
  zip -r "../FaceTheme .xpi" chrome chrome.manifest "defaults " install.rdf
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1534
- /bin/rm
  rm ./files
  2⤵
  PID:1535
- /bin/rm
  rm -rf build
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/chrome/ziV2WxjV

Filesize
28KB

MD5
fdbf34d25ac9bb259568133e441221d8

SHA1
6f99f83736df40719c4ef2335bba69a4761b5077

SHA256
53cac435a1bc01c2eedbeafcbbefe8dc79783e2807048fbaf10c3ba9249fbc40

SHA512
4d2a219c3dfa6c71aa37d153770340502a77b80d4a183bf8cd4f22e130596d1d8c5cbb3b051614a00f059b9cadbe1678bed73d03026ebb9749dd1ff55e1a06c8

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/install.rdf

Filesize
832B

MD5
10ef10aea91367c25d64cc0a6e4c7b63

SHA1
f2c2f98eaf95a652f5e67c90beac050d0b06a8f2

SHA256
3d10efb9f31c25bfd8547026bc54ded986abc7fcfde70241dad755c4a6ff8c5a

SHA512
d800ba7457952b20d9a7282646b750fec626a6b718c94be17e01cd193d7679b79ccad22898cd8ef00eccb5ed7892be0b67b9573016e54fdf278042cb00e20fc8

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedGVCe2X

Filesize
196B

MD5
c1a30b414c8167308f3eeb6f80d8d914

SHA1
12e35b3061f07daceacdf1eadaa9f34a707d66f2

SHA256
22aa39685cf882e435e94031ec555b17b6602fefb2c3eb75ca528da3e6854eb7

SHA512
a58980fa97cb2a6a7a19f7b09c518951a1d72cc29335a43d04aa8184d3e1bbf0e15e98a25dd0141cdc9be88daa4e1993b4b3fe59b804084ea957ba737beae961

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
107B

MD5
820df2dd50e9611575fdace6a46f9c43

SHA1
fa17ca7ff97040ef9ca2951e0e92138892343405

SHA256
bd427429c4beaeee0e416ae977a922f0ce4c8cc08b475e3356fd1a1e2d617891

SHA512
cfb0d7842c06e0288375af7dc9c17a3418b2f272e29f0bba22a8c24185841ee8b7ec3f037f781a745c5bda8477ff50a91f4230c93f08ce0e2b56cd9b0eb5f1fe

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
219B

MD5
b2dbb3f23e26894120c659b29e19c5c9

SHA1
513b01504ba5de0ff1f11f811e83ebdac83d5afc

SHA256
3d2560a27a606586d465cf775f9151380e905041b2479cfed192952da51ddb6e

SHA512
188c97ec70ef8a50522632b98f88da419861cb6193885241467c6088f6da08265d9fb4bf5720da561afd910bcaeb6c900dc14b3baf5c8bb67abcfce8587e5c75

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
220B

MD5
74ee2121808fa465ed5a1197080834bc

SHA1
f7128c8be35b4186228652e02a840fe4f06f0c0f

SHA256
f2480476a3adc6bc01dfce39f10292053cd10c77692e16b30e7898dc98cc53e4

SHA512
e4ac9b0072248f4f1a8fe6ba22f081070a7ef3ff0be9783fa8b3618a7026707a358f996669f17e0be431945b25a0e5bdec62acc801551fac985e45848e9eb023

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
232B

MD5
f79923936fb0d23ef812d0ddb52dad5e

SHA1
5fb4bb8cb3d49088faf83eb4024118e6a10e42aa

SHA256
47078a6a76512fa63c6dff18a447bd68baa204f8502109b919a3f36c2abae0f2

SHA512
1377bcec53473f576deccfc82ad7f4ecd81cdbb06316924e06312573cf736a211841be0d19758329aa7984e7b60bef0c7cb44f312455e88a21e7ba69961afb18

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
248B

MD5
58e6769aed7df392c9aead5c007d27df

SHA1
7201549255a40d2074b2bf4ddadf5182ced6529b

SHA256
1e87876c930bcb9eba1ee561f959cfe2f57a18cc65e0842cb93d84452d153742

SHA512
e157d891297d54559146a2abe31c7bcf16cd7ff01fa23acae96908ba19f30fe374926830f0285b8feb8199d7df5f22cd4b7dc7e9532b3059a032a7ae2d8a2248

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/zii68lrX

Filesize
4KB

MD5
269fc29f11b685cc54c960e999df2af4

SHA1
c6e2b8094ede86314459ef9c8967b333980acb3f

SHA256
6ed1c5fb2064158c42c9c1f762d6e03867d8a43f031636c941b2b4e51ce950bd

SHA512
1991dd6316345bca8f55b49d8ed95dcf2cc6d232e7dacd2bc50d3780291ee1a3ce52546e902050d848d2904de26a7f322b854fb57a52c53ea5648eedcbb6f169

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads