Edit tour

Windows Analysis Report
https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0

Overview

General Information

Sample URL:	https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0
Analysis ID:	1626170
Infos:

Detection

Score:	0
Range:	0 - 100
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4408 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2200 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=2020,i,6988893784052022274,9947833774328402582,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0

HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0 HTTP/1.1Host: littlenation.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: littlenation.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: littlenation.com.au

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Feb 2025 00:33:46 GMTContent-Type: text/htmlContent-Length: 548Connection: closeVary: Accept-Encoding

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=2020,i,6988893784052022274,9947833774328402582,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=2020,i,6988893784052022274,9947833774328402582,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://littlenation.com.au/favicon.ico	0%	Avira URL Cloud	safe
https://trademark.iglesiaelarca.com/oBiWuds69dDEOqyLly	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Antivirus Detection	Reputation
littlenation.com.au	45.65.61.130	true	false		unknown
www.google.com	142.250.184.196	true	false		high

Name	Malicious	Antivirus Detection	Reputation
https://littlenation.com.au/favicon.ico	false	Avira URL Cloud: safe	unknown
https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0	false		unknown

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
45.65.61.130	littlenation.com.au	Australia	135543	NETWORKDYNAMICS-PTY-LTD-AS-APNetworkDynamicsPtyLtdAU	false

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1626170
Start date and time:	2025-02-28 01:32:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@16/10@4/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

IP
192.168.2.6
192.168.2.5

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 30 23:33:39 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9660992873696457
Encrypted:	false
SSDEEP:	48:8EdLTTPfPHYidAKZdA19ehwiZUklqehNy+3:8In+Ky
MD5:	6BB73ECDA9A0461CC04AD13727DDE06D
SHA1:	FD07CB58738D7050522DD1373E191B8F16CF322D
SHA-256:	E4ADC512486EE143C2320E2D74418F1E46CA31770DC2BB714AAF2CB12D66EA7B
SHA-512:	112470F2CB2B0D6F12290085DA22E0BE99516954831A08B487256D5A14E8C4B22413EEFC49143ADECA561A4EE601D88B2B3E4408EA679EC1607DDAF1E6EE3EDB
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Jgix...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I\Z2.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\Z2.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V\Z2.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V\Z2............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V\Z4............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........6.b......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 30 23:33:39 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9815437272553384
Encrypted:	false
SSDEEP:	48:8V3dLTTPfPHYidAKZdA1weh/iZUkAQkqeh6y+2:8jnc9Q/y
MD5:	19F3F484E4F464DA5457EBE12997A213
SHA1:	A570FA09694577914BE7FA960D20786B5AACBCB6
SHA-256:	4D751BE0BE971C9195DC1A9F08BC1B8F0DF4FA05BD89D01EE5B4BD72DC612AB7
SHA-512:	AB0CAB56AD2C79C21D9124A1ECB807294C43B54EC647DC2FB2D62665EE6BF2D13C58356F74C6D948DD112899080295B45EFC1CA1657F244BF868AF27007A5A88
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....4.]ix...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I\Z2.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\Z2.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V\Z2.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V\Z2............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V\Z4............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........6.b......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	3.9966522946471637
Encrypted:	false
SSDEEP:	48:8xYdLTTPfsHYidAKZdA14tseh7sFiZUkmgqeh7s8y+BX:8xMnhn2y
MD5:	71CE34163B92F8268818F04B613A366B
SHA1:	F7EDF2531B89F237370CB63860F76FE265C2199F
SHA-256:	CDCFC7F29E50774FB151E7E39B4AAC69748206F1A11C86D006A8C9560E708E3D
SHA-512:	A44190995227A9AB9C6D46EAA85EDE0C9E70D02C66DBAAD616E00968FE72780DFA10C7B0F7FFF978AC8C7FC6C7ED7D4328C249E6825E2EE9278335C38848C725
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I\Z2.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\Z2.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V\Z2.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V\Z2............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........6.b......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 28, 2025 01:33:30.134140015 CET	49675	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:30.134227991 CET	49674	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:30.243721008 CET	49673	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:39.739026070 CET	49674	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:39.768749952 CET	49675	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:39.911046028 CET	49673	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:41.594515085 CET	443	49703	23.1.237.91	192.168.2.5
Feb 28, 2025 01:33:41.594599009 CET	49703	443	192.168.2.5	23.1.237.91
Feb 28, 2025 01:33:42.293742895 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:42.293837070 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:42.293930054 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:42.294164896 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:42.294202089 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:42.974549055 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:42.978084087 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:42.978120089 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:42.979196072 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:42.979265928 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:42.984486103 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:42.984556913 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:43.034668922 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:43.034739017 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:43.081526041 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:44.188257933 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:44.188299894 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:44.188735962 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:44.188922882 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:44.188973904 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:44.189035892 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:44.189312935 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:44.189326048 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:44.189656019 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:44.189671993 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.134264946 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.134546041 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.134560108 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.135797977 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.135965109 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.135978937 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.136331081 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.136404037 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.137463093 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.137545109 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.140136003 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.140245914 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.140762091 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.140772104 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.141587019 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.141676903 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.194447041 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.194691896 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.194701910 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.238866091 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.708865881 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.708951950 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:45.709376097 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.710710049 CET	49716	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:45.710721970 CET	443	49716	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:46.017841101 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:46.059350967 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:46.345880985 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:46.345978975 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:46.346060038 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:46.346734047 CET	49715	443	192.168.2.5	45.65.61.130
Feb 28, 2025 01:33:46.346755028 CET	443	49715	45.65.61.130	192.168.2.5
Feb 28, 2025 01:33:52.870008945 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:52.870086908 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:33:52.870146990 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:54.146851063 CET	49712	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:33:54.146930933 CET	443	49712	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:42.348617077 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:42.348706961 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:42.348803997 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:42.349118948 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:42.349155903 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:43.009455919 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:43.009870052 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:43.009919882 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:43.010219097 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:43.010525942 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:43.010591984 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:43.050513029 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:52.921392918 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:52.921554089 CET	443	49990	142.250.184.196	192.168.2.5
Feb 28, 2025 01:34:52.921946049 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:54.145991087 CET	49990	443	192.168.2.5	142.250.184.196
Feb 28, 2025 01:34:54.146034956 CET	443	49990	142.250.184.196	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 28, 2025 01:33:37.924000978 CET	53	61444	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:37.925405025 CET	53	65414	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:39.276779890 CET	53	53647	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:42.285531998 CET	59505	53	192.168.2.5	1.1.1.1
Feb 28, 2025 01:33:42.285597086 CET	54314	53	192.168.2.5	1.1.1.1
Feb 28, 2025 01:33:42.292807102 CET	53	59505	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:42.292860031 CET	53	54314	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:43.668684006 CET	61789	53	192.168.2.5	1.1.1.1
Feb 28, 2025 01:33:43.668909073 CET	61253	53	192.168.2.5	1.1.1.1
Feb 28, 2025 01:33:43.931039095 CET	53	61253	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:44.187407017 CET	53	61789	1.1.1.1	192.168.2.5
Feb 28, 2025 01:33:56.279670000 CET	53	58534	1.1.1.1	192.168.2.5
Feb 28, 2025 01:34:15.152405024 CET	53	55492	1.1.1.1	192.168.2.5
Feb 28, 2025 01:34:37.608427048 CET	53	61684	1.1.1.1	192.168.2.5
Feb 28, 2025 01:34:38.060035944 CET	53	58983	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
2025-02-28 00:33:45 UTC	794	OUT	GET /wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0 HTTP/1.1 Host: littlenation.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-28 00:33:45 UTC	368	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Feb 2025 00:33:45 GMT Content-Type: application/javascript Content-Length: 953 Last-Modified: Fri, 31 Jan 2025 12:51:00 GMT Connection: close Vary: Accept-Encoding ETag: "679cc734-3b9" Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-02-28 00:33:45 UTC	953	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 61 64 65 6d 74 69 5f 64 69 73 6d 69 73 73 69 62 6c 65 5f 77 70 5f 6e 6f 74 69 63 65 73 5f 68 61 6e 64 6c 65 28 20 65 6c 65 6d 2c 20 61 63 74 69 6f 6e 20 29 20 7b 0a 09 63 6f 6e 73 74 20 73 6c 75 67 20 3d 20 6a 51 75 65 72 79 28 20 65 6c 65 6d 20 29 2e 64 61 74 61 28 20 27 61 64 65 6d 74 69 2d 6e 6f 74 69 63 65 2d 73 6c 75 67 27 20 29 3b 0a 09 69 66 20 28 20 73 6c 75 67 20 3d 3d 3d 20 27 27 20 29 20 7b 0a 09 09 72 65 74 75 72 6e 3b 0a 09 7d 0a 09 63 6f 6e 73 74 20 64 61 74 61 20 3d 20 7b 0a 09 09 61 63 74 69 6f 6e 3a 20 61 63 74 69 6f 6e 2c 0a 09 09 73 6c 75 67 3a 20 73 6c 75 67 2c 0a 09 09 6e 6f 6e 63 65 3a 20 64 69 73 6d 69 73 73 69 62 6c 65 57 70 4e 6f 74 69 63 65 73 2e 6e 6f 6e 63 65 2c 0a 09 7d 3b 0a 09 6a 51 75 65 72 79 2e Data Ascii: function ademti_dismissible_wp_notices_handle( elem, action ) {const slug = jQuery( elem ).data( 'ademti-notice-slug' );if ( slug === '' ) {return;}const data = {action: action,slug: slug,nonce: dismissibleWpNotices.nonce,};jQuery.

Timestamp	Bytes transferred	Direction	Data
2025-02-28 00:33:46 UTC	726	OUT	GET /favicon.ico HTTP/1.1 Host: littlenation.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-28 00:33:46 UTC	166	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 28 Feb 2025 00:33:46 GMT Content-Type: text/html Content-Length: 548 Connection: close Vary: Accept-Encoding
2025-02-28 00:33:46 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Target ID:	0
Start time:	19:33:33
Start date:	27/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	19:33:36
Start date:	27/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=2020,i,6988893784052022274,9947833774328402582,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	19:33:42
Start date:	27/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 4408, Parent PID: 5460

General

File Activities

File Opened

File Created

File Deleted

File Moved

Windows Analysis Report
https://littlenation.com.au/wp-content/plugins/woocommerce-product-feeds/vendor-prefixed/leewillis77/dismissible-wp-notices/js/dismissible-wp-notices.js?ver=1.0

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre