754e73d783386a99ea36946cb578d34abe841adb9e32c0471711006d3ffeb61b

Analysis

max time kernel
3s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25/01/2025, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh
Size

3KB
MD5

eece87baf1509ffc027d6b22b7683955
SHA1

d4a03766203c775b71eeaedc423d7920c1019f3c
SHA256

c4f9c723000a08c87859623c0a11022472bfd4b8758c7530778b50bc549c1618
SHA512

882e3acc7bffc4f09b7ad223b0839560e070a04467b78fb279da8e5ee72a8fa1fbd65da1bdeec4d56576232f5b50a6124c485d017c7e129283deb6edaa457319

Score

3^/10

discovery

Malware Config

Signatures

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/install.rdf	cp
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/chrome.manifest	cp
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedDgNd5R	sed
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedBmMrn1	sed
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files	build.sh

/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh
"/tmp/\$APPDATA/Mozilla/Firefox/\$R0/extensions/[email protected]/build.sh"
1⤵
- Writes file to tmp directory
PID:661
- /bin/rm
  rm -f "FaceTheme .jar" "FaceTheme .xpi" files
  2⤵
  PID:670
- /bin/rm
  rm -rf build
  2⤵
  PID:672
- /bin/mkdir
  mkdir --parents --verbose build/chrome
  2⤵
  - Reads runtime system information
  PID:675
- /usr/bin/find
  find content -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:677
- /bin/grep
  grep -v "~"
  2⤵
  PID:678
- /bin/grep
  grep -v "~"
  2⤵
  PID:684
- /usr/bin/find
  find locale -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:683
- /bin/grep
  grep -v "~"
  2⤵
  PID:686
- /usr/bin/find
  find "skin " -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:685
- /bin/cat
  cat files
  2⤵
  PID:688
- /bin/mkdir
  mkdir "build/defaults "
  2⤵
  - Reads runtime system information
  PID:692
- /usr/bin/find
  find "defaults " -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:696
- /bin/grep
  grep -v "~"
  2⤵
  PID:697
- /bin/cp
  cp --verbose --parents build
  2⤵
  - Reads runtime system information
  PID:700
- /bin/cp
  cp --verbose " " build
  2⤵
  - Reads runtime system information
  PID:701
- /bin/cp
  cp --verbose install.rdf build
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:703
- /bin/cp
  cp --verbose chrome.manifest build
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:705
- /bin/sed
  sed -i -r "s/^(content\\s+\\S*\\s+)(\\S*\\/)\$/\\1jar:chrome\\/FaceTheme \\.jar!\\/\\2/" chrome.manifest
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:706
- /bin/sed
  sed -i -r "s/^(skin|locale)(\\s+\\S*\\s+\\S*\\s+)(.*\\/)\$/\\1\\2jar:chrome\\/FaceTheme \\.jar!\\/\\3/" chrome.manifest
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:708
- /bin/rm
  rm ./files
  2⤵
  PID:712
- /bin/rm
  rm -rf build
  2⤵
  PID:713

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/install.rdf

Filesize
832B

MD5
10ef10aea91367c25d64cc0a6e4c7b63

SHA1
f2c2f98eaf95a652f5e67c90beac050d0b06a8f2

SHA256
3d10efb9f31c25bfd8547026bc54ded986abc7fcfde70241dad755c4a6ff8c5a

SHA512
d800ba7457952b20d9a7282646b750fec626a6b718c94be17e01cd193d7679b79ccad22898cd8ef00eccb5ed7892be0b67b9573016e54fdf278042cb00e20fc8

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedDgNd5R

Filesize
196B

MD5
c1a30b414c8167308f3eeb6f80d8d914

SHA1
12e35b3061f07daceacdf1eadaa9f34a707d66f2

SHA256
22aa39685cf882e435e94031ec555b17b6602fefb2c3eb75ca528da3e6854eb7

SHA512
a58980fa97cb2a6a7a19f7b09c518951a1d72cc29335a43d04aa8184d3e1bbf0e15e98a25dd0141cdc9be88daa4e1993b4b3fe59b804084ea957ba737beae961

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
107B

MD5
72ee0a47e8218788730bc2c6ed0ae5b6

SHA1
5d0fd7fe54847cec0b4c66af95214120fcbd4504

SHA256
04729cb9a1af5193f9ba4bbdb9a382e1b4b7d121532630e06c63fc5ea9891614

SHA512
66075e73d161ac8c4bf1b7b66980437c89626d0b98951f30037c2861b5a1cb290fcc5869b9cae7617b4bdc80a8c7614a409d562f770b4becfc266d8ef18f1d29

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
219B

MD5
79573078ced515cc5403d599e927ecc6

SHA1
bd18857ec526a5b6b10369445051d218585fe444

SHA256
c0ce213aa73050ca0f69ee2aaec927f66de27e0648c077defab2c5133acbcadd

SHA512
f471b9b7d6ed410a8868efd857d39dde52932630138040a38b79196a21c0c09f1a3903ca123727f1f367075815185c063fe4a4205f72df5008a99da950ebfd3c

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
220B

MD5
c14365005ed97e226a973391f6dff83e

SHA1
4815694c7535f12962d193a7baa28f366363a6b3

SHA256
d5304c7b15633fc78e89cc4969e38ff9e324bc9933d8a46a8d5511222c3d269b

SHA512
45d4658146f522e5cb0abd855e329c9c2e4022658f339a0a0d77d854f80f289be5a76ff4b1be86d076429e0345a300f4d2b4531b1233fe9615d7934cbba9fa73

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
232B

MD5
9543c4b7669c04a6dbef50b754202626

SHA1
a62d3a973167677a57816cda5a8c8ad5a11f830c

SHA256
517aa162dbdfdb841a130ba4e446abb3f392b65b2f1756857e601e21498cecab

SHA512
c14c1b8ec2d827a4074d1446f2d1b2ad7e75a0b5d4e7e40be7c4ae937a7aa42f3255418349a3c82d8c2e1ebe4ce4fbc22f951eb5b2a6c480dd24868b7797c706

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
248B

MD5
8ab18605c8d0c6f3508b8024f67f5408

SHA1
9ff6849d066a5eafb79129280d43d03d30f2e1f4

SHA256
bdd710edf17996b70557623ab81ec34e774855dc02d7f0abfb2debd7a414cd79

SHA512
f6df1a6598a91df1b61c80e83a59bb1694bfcb8996ffd84ff3a198c7ba75a8400c3e10b6117bcc6952408018f3c915e9052694c0a49264afe85cd83783628322

Download Submit