Analysis

max time kernel: 1799s
max time network: 1800s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20250307-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20250307-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 27/03/2025, 17:26
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Changes its process name 64 IoCs

All 64 rows carry the same description: "Changes the process name, possibly in an attempt to hide itself". The ioc column is the new name and the pid column is the kernel task ID of the thread that set it, not the PID of the process (firefox-bin is PID 2518, glxtest is PID 2536), so each row records one thread renaming itself with prctl(PR_SET_NAME)/pthread_setname_np, which is what this signature keys on. The names are Firefox's own thread names (Socket Thread, Compositor, IPC I/O Parent, JS Watchdog, QuotaManager IO, ...) plus GLib's (gmain, gdbus, pool-spawner). A comm holds at most 15 bytes, so longer names appear either cut at 15 (glean.dispatche) or shortened in the middle with a tilde (Backgro~Pool #1 for BackgroundThreadPool #1, TaskCon~ller #0 for TaskController #0), the latter being the form Firefox's NSPR thread-naming code produces. Task 2567 appears twice under two names (Glyph rasterize, then WrGlyph~terizer), i.e. a thread renamed a second time. For a browser this signature is expected; what would matter is the main thread's comm no longer matching /proc/<pid>/exe, which does not happen here.

ioc               pid   Process
AsyncSi~lThread   2522  firefox-bin
pool-spawner      2526  firefox-bin
gmain             2527  firefox-bin
gdbus             2533  firefox-bin
glean.dispatche   2535  firefox-bin
IPC I/O Parent    2537  firefox-bin
IPC I/O Parent    2537  firefox-bin
IPC I/O Parent    2537  firefox-bin
Timer             2538  firefox-bin
Timer             2538  firefox-bin
Netlink Monitor   2539  firefox-bin
Netlink Monitor   2539  firefox-bin
Socket Thread     2540  firefox-bin
Socket Thread     2540  firefox-bin
IPDL Background   2541  firefox-bin
IPDL Background   2541  firefox-bin
Backgro~Pool #1   2542  firefox-bin
Backgro~Pool #1   2542  firefox-bin
HTML5 Parser      2543  firefox-bin
HTML5 Parser      2543  firefox-bin
pool-firefox      2544  firefox-bin
pool-firefox      2545  firefox-bin
JS Watchdog       2547  firefox-bin
JS Watchdog       2547  firefox-bin
BGReadURLs        2548  firefox-bin
BGReadURLs        2548  firefox-bin
Cache2 I/O        2549  firefox-bin
Cookie            2550  firefox-bin
Cookie            2550  firefox-bin
TaskCon~ller #1   2552  firefox-bin
TaskCon~ller #0   2551  firefox-bin
StreamTrans #1    2553  firefox-bin
StreamTrans #1    2553  firefox-bin
BgIOThr~Pool #1   2554  firefox-bin
BgIOThr~Pool #1   2554  firefox-bin
StreamTrans #2    2555  firefox-bin
StreamTrans #2    2555  firefox-bin
StreamTrans #3    2556  firefox-bin
StreamTrans #3    2556  firefox-bin
Worker Launcher   2557  firefox-bin
Worker Launcher   2557  firefox-bin
QuotaManager IO   2558  firefox-bin
QuotaManager IO   2558  firefox-bin
glxtest:disk$0    2562  glxtest
Softwar~cThread   2563  firefox-bin
Softwar~cThread   2563  firefox-bin
Softwar~cThread   2563  firefox-bin
Renderer          2564  firefox-bin
Renderer          2564  firefox-bin
WRWorker#0        2565  firefox-bin
WRWorkerLP#0      2566  firefox-bin
Glyph rasterize   2567  firefox-bin
WrGlyph~terizer   2567  firefox-bin
CanvasRenderer    2569  firefox-bin
Compositor        2568  firefox-bin
CanvasRenderer    2569  firefox-bin
Compositor        2568  firefox-bin
WRWorker#0        2565  firefox-bin
WRWorkerLP#0      2566  firefox-bin
ImageIO           2570  firefox-bin
ImageIO           2570  firefox-bin
SandboxReporter   2572  firefox-bin
IPC Launch        2573  firefox-bin
SandboxReporter   2572  firefox-bin
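The check an analyst wants to run behind a hit like this, as an added Python example that is not part of the sandbox report or of Firefox: separate a per-thread rename (what every row above is) from a real masquerade, by comparing the kernel-owned /proc/<pid>/exe against argv[0] and the main thread's comm, and listing every thread's comm. It assumes a Linux host with /proc mounted and permission to read the target's exe link; the self-test reproduces the pattern in the current process by having one thread call prctl(PR_SET_NAME) with the name "Socket Thread". The two truncation helpers encode the 15-byte comm limit and the middle-tilde shortening seen in the table.

```python
"""Added example (not from the sandbox report): triage a Linux
"changes its process name" hit by reading what the kernel actually knows.

Assumptions not stated by the report: Linux with /proc mounted, and
permission to read /proc/<pid>/exe of the target (own process here).
"""
import ctypes
import os
import threading

TASK_COMM_LEN = 16   # kernel buffer for a task name: 15 bytes + NUL
PR_SET_NAME = 15     # prctl(2) option: set the *calling thread's* comm


def kernel_truncate(name):
    """What survives when a name longer than 15 bytes is set as-is
    (the report's "glean.dispatche")."""
    return name.encode()[:TASK_COMM_LEN - 1].decode(errors="ignore")


def nspr_truncate(name):
    """Firefox/NSPR scheme seen in the report: 7 leading bytes, '~',
    7 trailing bytes ("Backgro~Pool #1" for "BackgroundThreadPool #1")."""
    raw = name.encode()
    if len(raw) <= TASK_COMM_LEN - 1:
        return name
    return (raw[:7] + b"~" + raw[-7:]).decode(errors="ignore")


def classify(exe_base, argv0_base, main_comm, thread_comms):
    """Pure decision logic, kept apart from /proc access so it can be
    tested with constructed inputs. Returns a list of findings (empty = clean)."""
    findings = []
    if main_comm == kernel_truncate(exe_base):
        pass  # main thread still named after the binary the kernel mapped
    elif main_comm == kernel_truncate(argv0_base):
        # argv[0] is under the process's own control, so this is only a weak match
        findings.append("main comm matches argv[0] but not the exe")
    else:
        findings.append("main comm matches neither exe nor argv[0]")
    renamed = sorted({c for c in thread_comms if c != main_comm})
    if renamed:
        # This is all the firefox-bin rows in the report amount to.
        findings.append("per-thread comm names: " + ", ".join(renamed))
    if exe_base.endswith(" (deleted)"):
        findings.append("executable was unlinked after exec")
    return findings


def inspect_process(pid):
    """Collect the evidence behind a rename hit: kernel-owned exe path,
    argv[0], main-thread comm and every thread's comm."""
    base = f"/proc/{pid}"
    exe = os.readlink(f"{base}/exe")
    with open(f"{base}/cmdline", "rb") as f:
        argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
    with open(f"{base}/comm") as f:
        main_comm = f.read().rstrip("\n")
    thread_comms = []
    for tid in os.listdir(f"{base}/task"):
        try:
            with open(f"{base}/task/{tid}/comm") as f:
                thread_comms.append(f.read().rstrip("\n"))
        except OSError:
            pass  # thread exited while we were walking /proc
    return {
        "exe": exe,
        "argv0": argv0,
        "main_comm": main_comm,
        "thread_comms": sorted(thread_comms),
        "findings": classify(os.path.basename(exe), os.path.basename(argv0),
                             main_comm, thread_comms),
    }


def self_check():
    """Reproduce the report's pattern in this process: one thread renames
    itself to "Socket Thread" via prctl(PR_SET_NAME), then we inspect.
    Returns None on systems without /proc."""
    if not os.path.isdir("/proc/self/task"):
        return None
    libc = ctypes.CDLL(None, use_errno=True)
    named, release = threading.Event(), threading.Event()

    def worker():
        libc.prctl(PR_SET_NAME, b"Socket Thread", 0, 0, 0)
        named.set()
        release.wait()  # stay alive until the inspection has read our comm

    t = threading.Thread(target=worker)
    t.start()
    named.wait()
    try:
        return inspect_process(os.getpid())
    finally:
        release.set()
        t.join()


if __name__ == "__main__":
    print(self_check())
```

Run it against a live PID with `inspect_process(pid)`; a result whose only finding is the per-thread list is the Firefox case, while "matches neither exe nor argv[0]" or "unlinked after exec" is the case worth escalating. The argv[0] comparison is deliberately reported as weak because a process can set both its argv[0] and its comm to the same fake name; only the exe link comes from the kernel.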
Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information that can indicate whether the system is a virtual machine.

description               ioc            Process
File opened for reading   /proc/cpuinfo  firefox-bin

Reading /proc/cpuinfo is also how ordinary software discovers CPU features and core counts, so one read by the browser is not by itself evidence of VM detection; the "hypervisor" entry in that file's flags line is what a VM-aware sample would be looking for.
Reads CPU attributes 1 TTPs 10 IoCs

All rows: File opened for reading.

ioc                                                     Process
/sys/devices/system/cpu/present                         firefox-bin
/sys/devices/system/cpu/possible                        glxtest
/sys/devices/system/cpu/cpu0/cpu_capacity               glxtest
/sys/devices/system/cpu/present                         firefox-bin
/sys/devices/system/cpu/possible                        firefox-bin
/sys/devices/system/cpu/cpu0/cache/index3/size          firefox-bin
/sys/devices/system/cpu/cpu0/topology/core_cpus         firefox-bin
/sys/devices/system/cpu/possible                        firefox-bin
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq   firefox-bin
/sys/devices/system/cpu/cpu0/cache/index2/size          firefox-bin
Enumerates kernel/hardware configuration 1 TTPs 42 IoCs

Reads contents of the /sys virtual filesystem to enumerate system information.

All rows: File opened for reading.

ioc                                                        Process
/sys/bus/pci/devices/0000:00:05.0/class                    glxtest
/sys/bus/pci/devices/0000:00:06.0/vendor                   glxtest
/sys/bus/pci/devices/0000:00:01.1/device                   glxtest
/sys/bus/pci/devices/0000:00:03.0/vendor                   glxtest
/sys/bus/pci/devices/0000:00:04.0/vendor                   glxtest
/sys/fs/cgroup/system.slice/agent.service/cpu.max          firefox-bin
/sys/bus/pci/devices/0000:00:02.0/device                   glxtest
/sys/bus/pci/devices/0000:00:01.1/class                    glxtest
/sys/bus/pci/devices/0000:00:00.0/device                   glxtest
/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor      glxtest
/sys/devices/pci0000:00/0000:00:02.0/drm/renderD128        firefox-bin
/sys/bus/pci/devices/0000:00:05.0/device                   glxtest
/sys/bus/pci/devices/0000:00:01.3/vendor                   glxtest
/sys/bus/pci/devices/0000:00:01.3/class                    glxtest
/sys/bus/pci/devices/0000:00:04.0/device                   glxtest
/sys/devices/pci0000:00/0000:00:02.0/uevent                glxtest
/sys/devices/pci0000:00/0000:00:02.0/subsystem_device      glxtest
/sys/devices/system/node                                   firefox-bin
/sys/bus/pci/devices                                       glxtest
/sys/bus/pci/devices/0000:00:02.0/vendor                   glxtest
/sys/bus/pci/devices/0000:00:02.0/class                    glxtest
/sys/bus/pci/devices/0000:00:06.0/class                    glxtest
/sys/bus/pci/devices/0000:00:03.0/device                   glxtest
/sys/bus/pci/devices/0000:00:00.0/class                    glxtest
/sys/fs/cgroup/system.slice/agent.service/cpu.max          firefox-bin
/sys/module/apparmor/parameters/enabled                    dbus-daemon
/sys/bus/pci/devices/0000:00:06.0/device                   glxtest
/sys/bus/pci/devices/0000:00:00.0/vendor                   glxtest
/sys/devices/pci0000:00/0000:00:02.0/vendor                glxtest
/sys/devices/pci0000:00/0000:00:02.0/device                glxtest
/sys/class/drm/card0/device/boot_vga                       glxtest
/sys/kernel/security/apparmor/features/dbus/mask           dbus-daemon
/sys/bus/pci/devices/0000:00:04.0/class                    glxtest
/sys/bus/pci/devices/0000:00:01.0/device                   glxtest
/sys/devices/pci0000:00/0000:00:02.0/drm/card1             firefox-bin
/sys/bus/pci/devices/0000:00:01.1/vendor                   glxtest
/sys/bus/pci/devices/0000:00:03.0/class                    glxtest
/sys/bus/pci/devices/0000:00:01.0/class                    glxtest
/sys/devices/pci0000:00/0000:00:02.0                       firefox-bin
/sys/bus/pci/devices/0000:00:01.0/vendor                   glxtest
/sys/bus/pci/devices/0000:00:05.0/vendor                   glxtest
/sys/bus/pci/devices/0000:00:01.3/device                   glxtest

Nearly all of these rows come from glxtest, Firefox's GPU probe helper, walking /sys/bus/pci/devices and reading each device's vendor, device and class to find the graphics adapter (0000:00:02.0, whose DRM nodes card1 and renderD128 firefox-bin then opens). The dbus-daemon rows are its AppArmor mediation check. The one row worth noting for the environment is /sys/fs/cgroup/system.slice/agent.service/cpu.max: the browser was running inside a systemd unit called agent.service, i.e. launched by the sandbox's guest agent, and that cgroup path is readable by the sample.
Reads runtime system information 64 IoCs

Reads process and system information from the /proc virtual filesystem.

All rows: File opened for reading.

ioc                               Process
/proc/2815/stat                   firefox-bin
/proc/self/task/3449/stat         firefox-bin
/proc/3872/stat                   firefox-bin
/proc/4553/stat                   firefox-bin
/proc/self/task/4816/stat         firefox-bin
/proc/self/task/5060/stat         firefox-bin
/proc/filesystems                 dbus-daemon
/proc/self/task/4040/stat         firefox-bin
/proc/self/task/4253/stat         firefox-bin
/proc/self/task/5239/stat         firefox-bin
/proc/self/maps                   firefox-bin
/proc/self/fd/111                 firefox-bin
/proc/2518/cgroup                 xdg-desktop-portal
/proc/self/task/4975/stat         firefox-bin
/proc/5420/stat                   firefox-bin
/proc/filesystems                 xdg-document-portal
/proc/self/task/2807/stat         firefox-bin
/proc/self/task/2979/stat         firefox-bin
/proc/self/task/3538/stat         firefox-bin
/proc/3477/stat                   firefox-bin
/proc/self/task/3875/stat         firefox-bin
/proc/3951/stat                   firefox-bin
/proc/self/task/4897/stat         firefox-bin
/proc/filesystems                 at-spi-bus-launcher
/proc/self/task/3104/stat         firefox-bin
/proc/self/task/3219/stat         firefox-bin
/proc/4813/stat                   firefox-bin
/proc/4893/stat                   firefox-bin
/proc/self/task/5165/stat         firefox-bin
/proc/self/task/5423/stat         firefox-bin
/proc/self/mountinfo              firefox-bin
/proc/filesystems                 xdg-desktop-portal-gtk
/proc/self/fd/129                 firefox-bin
/proc/meminfo                     firefox-bin
/proc/self/task/3269/stat         firefox-bin
/proc/self/task/3881/stat         firefox-bin
/proc/5162/stat                   firefox-bin
/proc/2838/stat                   firefox-bin
/proc/2532/attr/apparmor/current  dbus-daemon
/proc/self/task/4473/stat         firefox-bin
/proc/5426/stat                   firefox-bin
/proc/filesystems                 glxtest
/proc/self/cgroup                 firefox-bin
/proc/self/task/3051/stat         firefox-bin
/proc/3095/stat                   firefox-bin
/proc/self/task/4124/stat         firefox-bin
/proc/4092/stat                   firefox-bin
/proc/3986/stat                   firefox-bin
/proc/self/task/5015/stat         firefox-bin
/proc/filesystems                 firefox-bin
/proc/sys/kernel/cap_last_cap     dbus-daemon
/proc/self/fd/80                  firefox-bin
/proc/3100/stat                   firefox-bin
/proc/self/fd/107                 firefox-bin
/proc/self/fd/87                  firefox-bin
/proc/5012/stat                   firefox-bin
/proc/self/task/5321/stat         firefox-bin
/proc/self/stat                   firefox-bin
/proc/filesystems                 xdg-permission-store
/proc/3155/stat                   firefox-bin
/proc/self/task/3519/stat         firefox-bin
/proc/self/fd/143                 firefox-bin
/proc/self/task/3995/stat         firefox-bin
/proc/3923/stat                   firefox-bin

The firefox-bin rows are overwhelmingly /proc/self/task/<tid>/stat and /proc/<pid>/stat, i.e. the browser checking its own threads and other processes. The PIDs it reads (2815 through 5426) are higher than anything in the Processes tree below, so the tree does not show what those targets were. xdg-desktop-portal reading /proc/2518/cgroup is the portal identifying the browser (PID 2518) that contacted it over D-Bus.
Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

All rows: File opened for modification, Process firefox-bin.

ioc
/tmp/firefox/.parentlock
/tmp/tmpaddon
/tmp/tmpaddon-1
/tmp/tmpaddon-2
/tmp/mozilla-temp-1792628376
/tmp/mozilla-temp-148095617
/tmp/mozilla-temp-262795806
/tmp/mozilla-temp-1237259166
/tmp/mozilla-temp-1171750587
/tmp/e522c815-075f-4821-8319-93c05f200891.zip.tmp
/tmp/mozilla-temp-921656553

.parentlock is Firefox's profile lock (the profile lives under /tmp/firefox in this run), and mozilla-temp-* and tmpaddon* are the browser's own scratch files. The one file that is not a stock browser artefact is the UUID-named .zip.tmp; the Downloads section lists the captured files by hash, which is where to look for what it contained.
Processes

The depth number is the tree level as shown by the sandbox. Four dbus-launch rows share a PID each (2528, 2534, 2559) because the sandbox records every execve attempt and the shell-style PATH lookup tried /usr/local/sbin, /usr/local/bin and /usr/sbin before the binary was found in /usr/bin; they are one process each, not four. The two firefox rows at level 1 also share PID 2518: the /usr/bin/firefox entry replaced its image with /usr/lib/firefox/firefox-bin via exec. The /root/.cache/doc and /root/.gvfs paths show the browser ran as root in this guest.

1  /usr/bin/firefox  (PID 2518)
   cmdline: firefox -new-tab https://rdo-m.blogspot.com/
1  /usr/lib/firefox/firefox-bin  (PID 2518)
   cmdline: firefox -new-tab https://rdo-m.blogspot.com/
   signatures: Changes its process name; Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information; Writes file to tmp directory
   2  dbus-launch  (PID 2528)
      cmdline: dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
      exec attempts in PATH order: /usr/local/sbin/dbus-launch, /usr/local/bin/dbus-launch, /usr/sbin/dbus-launch, /usr/bin/dbus-launch
      3  /usr/bin/dbus-daemon  (PID 2530)
         cmdline: /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
         signatures: Enumerates kernel/hardware configuration; Reads runtime system information
         4  /usr/libexec/xdg-desktop-portal  (PID 2582)
            signatures: Reads runtime system information
         4  /usr/libexec/at-spi-bus-launcher  (PID 2584)
            signatures: Reads runtime system information
         4  /usr/libexec/xdg-document-portal  (PID 2599)
            signatures: Reads runtime system information
            5  /usr/bin/fusermount3  (PID 2613)
               cmdline: fusermount3 -o "rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal" -- /root/.cache/doc
         4  /usr/libexec/xdg-permission-store  (PID 2606)
            signatures: Reads runtime system information
         4  /usr/libexec/xdg-desktop-portal-gtk  (PID 2618)
            signatures: Reads runtime system information
         4  /usr/libexec/gvfsd  (PID 2623)
   2  dbus-launch  (PID 2534)
      cmdline: dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
      exec attempts in PATH order: /usr/local/sbin/dbus-launch, /usr/local/bin/dbus-launch, /usr/sbin/dbus-launch, /usr/bin/dbus-launch
   2  /usr/lib/firefox/glxtest  (PID 2536)
      cmdline: /usr/lib/firefox/glxtest -f 16
      signatures: Changes its process name; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
   2  dbus-launch  (PID 2559)
      cmdline: dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
      exec attempts in PATH order: /usr/local/sbin/dbus-launch, /usr/local/bin/dbus-launch, /usr/sbin/dbus-launch, /usr/bin/dbus-launch
   2  /usr/lib/firefox/firefox-bin  (PID 2574)
      cmdline: /usr/lib/firefox/firefox-bin -contentproc -ipcHandle 0 -sandboxReporter 1 -initialChannelId "{dba1a8da-1fdf-4f62-b9a1-160a398dec5a}" -parentPid 2518 -crashReporter 2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser 1 forkserver
      signatures: Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
1  /usr/libexec/gvfsd-fuse  (PID 2629)
   cmdline: /usr/libexec/gvfsd-fuse /root/.gvfs -f
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 32KB
MD5: 81c94043bc26d547d26980e60e3a02dc
SHA1: 4f46cbebff3884593d888ac0113cdb0c1815a542
SHA256: daab05b0d114e943f06d15e04de518b8b1cd9d979e5b7897af5c687f40008f7a
SHA512: 1bcb98dd613b5f266fdc01164311964a00b91b7c68ddc9698ef0ec535b62d2fb4259662b92987a5eddd7ed27a2b326e951f45a5cb9936e6c90fb5075940913e9

File 2
Filesize: 11KB
MD5: 25e8156b7f7ca8dad999ee2b93a32b71
SHA1: db587e9e9559b433cee57435cb97a83963659430
SHA256: ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA512: 1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

File 3
Filesize: 235KB
MD5: 325fe4969a79462d008b0542144852a3
SHA1: cd1341a3226077eb965ad69e063bc74598ee97ed
SHA256: 823877ae154b493f842372ba9faa2ea0037ccd2bab8e0946cd80d4d508375f7f
SHA512: 5e7b8c2527d7b1133be6696b71888e01a628e17013274b3124f1bf7e1607e4a0e67387f10a4f71aa508a0bc0855414cce79497e342c29e9b4d27a828e696a7a1

File 4
Filesize: 575KB
MD5: 2aa72a97657774b1eefabe0490b3c088
SHA1: 17f12db36fc49b9cf38d61ed2dbde55e71b81b85
SHA256: 997b6e1c0e07307de3adf5d0d7a3ddc5d81cd522afe675dfdb43154f73f5b0d0
SHA512: f5246bf14d038adf4ce0c4360262ab722bc3de4220f047c3d542b4c564074b4877dc8659e3125c5171c749e7ce93f20cc63777eb5e1539e960670cbc5f30ac85