754e73d783386a99ea36946cb578d34abe841adb9e32c0471711006d3ffeb61b

Analysis

max time kernel
2s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
25/01/2025, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh
Size

3KB
MD5

eece87baf1509ffc027d6b22b7683955
SHA1

d4a03766203c775b71eeaedc423d7920c1019f3c
SHA256

c4f9c723000a08c87859623c0a11022472bfd4b8758c7530778b50bc549c1618
SHA512

882e3acc7bffc4f09b7ad223b0839560e070a04467b78fb279da8e5ee72a8fa1fbd65da1bdeec4d56576232f5b50a6124c485d017c7e129283deb6edaa457319

Score

3^/10

discovery

Malware Config

Signatures

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files	build.sh
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/install.rdf	cp
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/chrome.manifest	cp
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedlIahxa	sed
File opened for modification	/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedWjI5Cl	sed

/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh
"/tmp/\$APPDATA/Mozilla/Firefox/\$R0/extensions/[email protected]/build.sh"
1⤵
- Writes file to tmp directory
PID:717
- /bin/rm
  rm -f "FaceTheme .jar" "FaceTheme .xpi" files
  2⤵
  PID:722
- /bin/rm
  rm -rf build
  2⤵
  PID:727
- /bin/mkdir
  mkdir --parents --verbose build/chrome
  2⤵
  - Reads runtime system information
  PID:731
- /usr/bin/find
  find content -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:734
- /bin/grep
  grep -v "~"
  2⤵
  PID:735
- /bin/grep
  grep -v "~"
  2⤵
  PID:739
- /usr/bin/find
  find locale -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:738
- /bin/grep
  grep -v "~"
  2⤵
  PID:743
- /usr/bin/find
  find "skin " -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:742
- /bin/cat
  cat files
  2⤵
  PID:745
- /bin/mkdir
  mkdir "build/defaults "
  2⤵
  - Reads runtime system information
  PID:747
- /usr/bin/find
  find "defaults " -path "*CVS*" -prune -o -type f -print
  2⤵
  - Reads runtime system information
  PID:750
- /bin/grep
  grep -v "~"
  2⤵
  PID:751
- /bin/cp
  cp --verbose --parents build
  2⤵
  - Reads runtime system information
  PID:753
- /bin/cp
  cp --verbose " " build
  2⤵
  - Reads runtime system information
  PID:754
- /bin/cp
  cp --verbose install.rdf build
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:756
- /bin/cp
  cp --verbose chrome.manifest build
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:758
- /bin/sed
  sed -i -r "s/^(content\\s+\\S*\\s+)(\\S*\\/)\$/\\1jar:chrome\\/FaceTheme \\.jar!\\/\\2/" chrome.manifest
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:760
- /bin/sed
  sed -i -r "s/^(skin|locale)(\\s+\\S*\\s+\\S*\\s+)(.*\\/)\$/\\1\\2jar:chrome\\/FaceTheme \\.jar!\\/\\3/" chrome.manifest
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:761
- /bin/rm
  rm ./files
  2⤵
  PID:764
- /bin/rm
  rm -rf build
  2⤵
  PID:765

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/install.rdf

Filesize
832B

MD5
10ef10aea91367c25d64cc0a6e4c7b63

SHA1
f2c2f98eaf95a652f5e67c90beac050d0b06a8f2

SHA256
3d10efb9f31c25bfd8547026bc54ded986abc7fcfde70241dad755c4a6ff8c5a

SHA512
d800ba7457952b20d9a7282646b750fec626a6b718c94be17e01cd193d7679b79ccad22898cd8ef00eccb5ed7892be0b67b9573016e54fdf278042cb00e20fc8

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build/sedlIahxa

Filesize
196B

MD5
c1a30b414c8167308f3eeb6f80d8d914

SHA1
12e35b3061f07daceacdf1eadaa9f34a707d66f2

SHA256
22aa39685cf882e435e94031ec555b17b6602fefb2c3eb75ca528da3e6854eb7

SHA512
a58980fa97cb2a6a7a19f7b09c518951a1d72cc29335a43d04aa8184d3e1bbf0e15e98a25dd0141cdc9be88daa4e1993b4b3fe59b804084ea957ba737beae961

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
107B

MD5
fed9e039c4412f3932612ae7150e739d

SHA1
cd040e85f964bb576d96556f082c02e207a72a2e

SHA256
82a407335e5d537306157a7e08e0459a3c2e9546c0c20c2618b60608a3a95bd6

SHA512
aa3852a891c03259c90167d5a229d7e44176c1a3fadb979c508a9a1601f19c8c80595d1faff9ddafef601be51cac3c3b6811060b240704d426076e8ff6ff94ea

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
219B

MD5
99889c9f0c2993b071c6a438a8fab959

SHA1
f1932457d0df3af9768ca7caf68b8cb4f734be3a

SHA256
57a69dd22a8a82ef8fcbd70cf95029a065648a6eee0162723224018d1c4552b5

SHA512
892b382bb05890749e8c17a1290f1223e8d75e08688d18b44f52bd0b009c1f5e5a3f618d032d95fa08b044794e65aa2084ddabf748699688c6de450eab574434

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
220B

MD5
0d3dacfec1dac8c483cd3117570cee7e

SHA1
9f80b750f92776fa6fd4da659419bf96a4ba292c

SHA256
ee4c3144258cb278d0f55724ea3be28b2b63f15135525fc9b383914f17f806ce

SHA512
8ff877fc8b8899a523fee713eb23cbae01092896cf6fbefa7b9ae6dca8cec1ec9d42624cd834bc55372e3fe2943e2ff7b7eb1fcc5c66c9547da6c9ea75b78081

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
232B

MD5
3ff5af913d97ecf7f31511dcbd8cca67

SHA1
cd543b5d4eea13564ff4d0f85b112a74467a119d

SHA256
9fa9afa639dbb0d8de91712c34b71cf2211e3697a4a835de2e993723acccbc94

SHA512
370e042eca25851238c07f7dd31d3bf1ed0a459573cd4c945948d67d83aca472f5e4701726b187e149279b637eeb9e94e148ec36bfdb9dbaf4048d133bb9803e

Download Submit
/tmp/$APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/files

Filesize
248B

MD5
3c3c22a40ed5c2c9bdfc5137812f5891

SHA1
ac23c663d78e651b3db5d3912f2f6633a85ea15d

SHA256
241aecd1ad0e8cf419ca427c8d5a1715612187f0b3b2a7cdff844186f7ae11b1

SHA512
adfe81a56685a3d933e52302b9a99ef67d03af68177b347926b7e74d35316f8c100592396f823e4aa1a8197df807fffebcbf5ccc2c748b8878351b531c28c39e

Download Submit