b55255b769b79c816bb799bff2ad5ffd7cdb3642523d88da4b4164527ed68613

Analysis

max time kernel
173s
max time network
899s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28/03/2025, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MUSCLE CELL.pdf
Size

1.1MB
MD5

96a1fb6c119f7b94a4c3e9ecdf219d69
SHA1

91a0286db74a4918db97eeba619ad6ed12d752d3
SHA256

b55255b769b79c816bb799bff2ad5ffd7cdb3642523d88da4b4164527ed68613
SHA512

59a4a4179e2c3dd8328a61116aa9082733b459ce9a2d4a5c58a7a77dc1cb297a991059c4e2d05aba8a5c2b93f1f717431282a6de567abc2740580857b8e437f2
SSDEEP

24576:NIiz1dMuOznzAD1uEwsXWcvnwiA71C0Yuphx+Z+AjeCK:NIbuMnED1cpcv1ABCVChxrt

Score

4^/10

discovery

Malware Config

Signatures

Changes its process name 32 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	gmain	1581	evince
Changes the process name, possibly in an attempt to hide itself	gdbus	1583	evince
Changes the process name, possibly in an attempt to hide itself	pool	1584	evince
Changes the process name, possibly in an attempt to hide itself	gmain	1587	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1588	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	pool	1589	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1593	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	gmain	1592	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	pool	1597	xdg-permission-store
Changes the process name, possibly in an attempt to hide itself	gmain	1596	xdg-permission-store
Changes the process name, possibly in an attempt to hide itself	gdbus	1598	xdg-permission-store
Changes the process name, possibly in an attempt to hide itself	pool	1599	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	fuse mainloop	1601	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	dconf worker	1604	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1608	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	gmain	1607	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	gdbus	1612	gvfsd
Changes the process name, possibly in an attempt to hide itself	gmain	1611	gvfsd
Changes the process name, possibly in an attempt to hide itself	pool	1613	gvfsd
Changes the process name, possibly in an attempt to hide itself	gmain	1619	gvfsd-fuse
Changes the process name, possibly in an attempt to hide itself	gdbus	1620	gvfsd-fuse
Changes the process name, possibly in an attempt to hide itself	gvfs-fuse-sub	1621	gvfsd-fuse
Changes the process name, possibly in an attempt to hide itself	pool	1622	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	pool	1625	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	pool	1624	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	pool	1623	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	gmain	1628	evinced
Changes the process name, possibly in an attempt to hide itself	gdbus	1629	evinced
Changes the process name, possibly in an attempt to hide itself	dconf worker	1630	evince
Changes the process name, possibly in an attempt to hide itself	EvJobScheduler	1631	evince
Changes the process name, possibly in an attempt to hide itself	pool	1640	evinced
Changes the process name, possibly in an attempt to hide itself	pool	1641	xdg-desktop-portal

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/.access	dbus-daemon

Reads runtime system information 33 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1586/cmdline	dbus-daemon
File opened for reading	/proc/1595/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	gvfsd-fuse
File opened for reading	/proc/1483/attr/current	dbus-daemon
File opened for reading	/proc/1580/cmdline	dbus-daemon
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/filesystems	evince
File opened for reading	/proc/1606/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	gvfsd
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	xdg-permission-store
File opened for reading	/proc/1610/cmdline	dbus-daemon
File opened for reading	/proc/1483/status	dbus-daemon
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/filesystems	xdg-document-portal
File opened for reading	/proc/1615/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	evinced
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	evince
File opened for reading	/proc/1514/cmdline	dbus-daemon
File opened for reading	/proc/1591/cmdline	dbus-daemon
File opened for reading	/proc/1627/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	xdg-desktop-portal-gtk
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/1478/cmdline	dbus-daemon
File opened for reading	/proc/1502/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	xdg-desktop-portal

/usr/bin/xdg-open
xdg-open "/tmp/MUSCLE CELL.pdf"
1⤵
PID:1477
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:1478
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
    3⤵
    PID:1479
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1481
    - - /usr/libexec/xdg-desktop-portal
        
        /usr/libexec/xdg-desktop-portal
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1586
    - - /usr/libexec/xdg-document-portal
        
        /usr/libexec/xdg-document-portal
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1591
    - - /usr/libexec/xdg-permission-store
        
        /usr/libexec/xdg-permission-store
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1595
    - - /usr/libexec/xdg-desktop-portal-gtk
        
        /usr/libexec/xdg-desktop-portal-gtk
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1606
    - - /usr/lib/gvfs/gvfsd
        
        /usr/lib/gvfs/gvfsd
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1610
    - - /usr/lib/evince/evinced
        
        /usr/lib/evince/evinced
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1627
- /bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  PID:1485
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1484
- /bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  PID:1487
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1486
- /bin/grep
  grep -q "^Enlightenment"
  2⤵
  PID:1489
- /bin/uname
  uname
  2⤵
  PID:1490
- /bin/grep
  grep -q "^file://"
  2⤵
  PID:1492
- /bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1494
- /bin/grep
  grep -q "^file:///"
  2⤵
  PID:1497
- /bin/sed
  sed "s/;.*//"
  2⤵
  - Reads runtime system information
  PID:1500
- /usr/bin/xdg-mime
  xdg-mime query filetype "/tmp/MUSCLE CELL.pdf"
  2⤵
  PID:1499
- - /bin/readlink
    readlink -f -- "/tmp/MUSCLE CELL.pdf"
    3⤵
    PID:1501
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:1502
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
      4⤵
      PID:1503
- - /bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    PID:1505
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1504
- - /bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    PID:1507
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1506
- - /bin/grep
    grep -q "^Enlightenment"
    3⤵
    PID:1509
- - /bin/uname
    uname
    3⤵
    PID:1510
- - /usr/bin/mimetype
    mimetype --version
    3⤵
    PID:1511
- - /usr/bin/mimetype
    mimetype --brief --dereference "/tmp/MUSCLE CELL.pdf"
    3⤵
    PID:1512
- /usr/bin/xdg-mime
  xdg-mime query default application/pdf
  2⤵
  PID:1513
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:1514
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
      4⤵
      PID:1515
- - /bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    PID:1517
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1516
- - /bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    PID:1519
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1518
- - /bin/grep
    grep -q "^Enlightenment"
    3⤵
    PID:1521
- - /bin/uname
    uname
    3⤵
    PID:1522
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1525
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1530
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1529
- - /bin/grep
    grep "application/pdf=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1527
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1528
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1538
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1537
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1536
- - /bin/grep
    grep "application/pdf=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1535
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1543
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1542
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1541
- - /bin/grep
    grep "application/pdf=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1540
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1547
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1548
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1546
- - /bin/grep
    grep "application/pdf=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1545
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1553
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1552
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1551
- - /bin/grep
    grep "application/pdf=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    PID:1550
- /bin/sed
  sed "s/:/ /g"
  2⤵
  - Reads runtime system information
  PID:1556
- /bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1559
- /bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1562
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1567
- /usr/bin/which
  which evince
  2⤵
  PID:1568
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1571
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1574
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1579
- /usr/bin/evince
  /usr/bin/evince "/tmp/MUSCLE CELL.pdf"
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:1580
- - /usr/local/sbin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1582
- - /usr/local/bin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1582
- - /usr/sbin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1582
- - /usr/bin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1582

/usr/lib/gvfs/gvfsd-fuse
/usr/lib/gvfs/gvfsd-fuse /root/.gvfs -f -o big_writes
1⤵
- Changes its process name
- Reads runtime system information
PID:1615

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads