Malware analysis brutils_2.7-0_amd64.deb Malicious activity

Add for printing

File name:	brutils_2.7-0_amd64.deb
Full analysis:	https://app.any.run/tasks/4c7b9ce2-7009-4ec3-b02e-e9326b86e610
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 11:38:21
OS:	Ubuntu 22.04.2
MIME:	application/vnd.debian.binary-package
File info:	Debian binary package (format 2.0), with control.tar.xz , data compression xz
MD5:	480011A6E71DB7E49883CB6B76959FE1
SHA1:	123D952C035FF656D58B526A56A27D924B813EA4
SHA256:	172AFBEB056712EAA355934676EB40B3922C0F6F5A7524453F98873F2D791936
SSDEEP:	24576:4o9GkJeNMCB/3QDjDvRoNpxlBDrnMzEC11Z8Ilvi:4o9GkwNMCB/3kjDvRoNpxlBDrnMzEC1m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Modifies hosts file
  - dpkg (PID: 40663)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 40657)
- Creates or rewrites file in the "bin" folder
  - dpkg (PID: 40663)
- Reads passwd file
  - dpkg (PID: 40663)
  - tar (PID: 40668)
  - mandb (PID: 40676)
- Executes the "rm" command to delete files or directories
  - dpkg (PID: 40663)
- Writes to Systemd service files (likely for persistence achievement)
  - sudo (PID: 40661)
INFO
- Checks timezone
  - dpkg (PID: 40663)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.deb	\|	Debian Linux Package (77.4)
.ar	\|	ar archive (22.5)

EXIF

EXE

CreateDate:	2024:01:08 09:15:23+00:00

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

243

Monitored processes

22

Malicious processes

2

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40656	/bin/sh -c "DISPLAY=:0 sudo -iu user sudo dpkg -i /tmp/brutils_2\.7-0_amd64\.deb "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 256
40657	sudo -iu user sudo dpkg -i /tmp/brutils_2.7-0_amd64.deb	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 256
40659	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40661	sudo dpkg -i /tmp/brutils_2.7-0_amd64.deb	/usr/bin/sudo	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 256
40662	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40663	dpkg -i /tmp/brutils_2.7-0_amd64.deb	/usr/bin/dpkg	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 256
40664	dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/brutils_2.7-0_amd64.deb	/usr/bin/dpkg-split	—	dpkg
User: root Integrity Level: UNKNOWN Exit code: 256
40665	dpkg-deb --control /tmp/brutils_2.7-0_amd64.deb /var/lib/dpkg/tmp.ci	/usr/bin/dpkg-deb	—	dpkg
User: root Integrity Level: UNKNOWN Exit code: 0
40666	dpkg-deb --control /tmp/brutils_2.7-0_amd64.deb /var/lib/dpkg/tmp.ci	/usr/bin/dpkg-deb	—	dpkg-deb
User: root Integrity Level: UNKNOWN Exit code: 0
40667	dpkg-deb --control /tmp/brutils_2.7-0_amd64.deb /var/lib/dpkg/tmp.ci	/usr/bin/dpkg-deb	—	dpkg-deb
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

280

Unknown types

0

Dropped files

PID	Process	Filename		Type
40668	tar	/var/lib/dpkg/tmp.ci/conffiles		text
		MD5:—	SHA256:—
40668	tar	/var/lib/dpkg/tmp.ci/control		text
		MD5:—	SHA256:—
40668	tar	/var/lib/dpkg/tmp.ci/md5sums		text
		MD5:—	SHA256:—
40663	dpkg	/var/lib/dpkg/tmp.ci/conffiles		text
		MD5:—	SHA256:—
40663	dpkg	/var/lib/dpkg/tmp.ci/control		text
		MD5:—	SHA256:—
40663	dpkg	/var/lib/dpkg/tmp.ci/md5sums		text
		MD5:—	SHA256:—
40663	dpkg	/var/lib/dpkg/updates/0000		text
		MD5:—	SHA256:—
40663	dpkg	/etc/brutils/local.conf.dpkg-new		text
		MD5:—	SHA256:—
40663	dpkg	/usr/sbin/brutils		text
		MD5:—	SHA256:—
40663	dpkg	/usr/share/brutils/backup/BLOCKCLONE/default/400_copy_disk_struct_files.sh		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

11

DNS requests

9

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.49:80	—	Canonical Group Limited	GB	unknown
—	—	185.125.190.98:80	—	Canonical Group Limited	GB	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.98:80	—	Canonical Group Limited	US	unknown
—	—	195.181.170.19:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.142 2a00:1450:4001:81c::200e	whitelisted
odrs.gnome.org	195.181.170.19 169.150.255.180 212.102.56.178 37.19.194.80 195.181.175.40 169.150.255.184 207.211.211.26 2a02:6ea0:c700::11 2a02:6ea0:c700::107 2a02:6ea0:c700::101 2a02:6ea0:c700::112 2a02:6ea0:c700::18 2a02:6ea0:c700::21 2a02:6ea0:c700::19	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.59 185.125.188.54 185.125.188.55 2620:2d:4000:1010::42 2620:2d:4000:1010::6d 2620:2d:4000:1010::344 2620:2d:4000:1010::117	whitelisted
4.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	—	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

brutils_2.7-0_amd64.deb

480011A6E71DB7E49883CB6B76959FE1

123D952C035FF656D58B526A56A27D924B813EA4

172AFBEB056712EAA355934676EB40B3922C0F6F5A7524453F98873F2D791936

24576:4o9GkJeNMCB/3QDjDvRoNpxlBDrnMzEC11Z8Ilvi:4o9GkwNMCB/3kjDvRoNpxlBDrnMzEC1m

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Modifies hosts file

SUSPICIOUS

Executes commands using command-line interpreter

Creates or rewrites file in the "bin" folder

Reads passwd file

Executes the "rm" command to delete files or directories

Writes to Systemd service files (likely for persistence achievement)

INFO

Checks timezone

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings