Malware analysis brutils_2.7-0_amd64.deb Malicious activity

Add for printing

File name:	brutils_2.7-0_amd64.deb
Full analysis:	https://app.any.run/tasks/66070bea-796d-407b-9c0c-205690e34844
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 11:41:36
OS:	Ubuntu 22.04.2
MIME:	application/vnd.debian.binary-package
File info:	Debian binary package (format 2.0), with control.tar.xz , data compression xz
MD5:	480011A6E71DB7E49883CB6B76959FE1
SHA1:	123D952C035FF656D58B526A56A27D924B813EA4
SHA256:	172AFBEB056712EAA355934676EB40B3922C0F6F5A7524453F98873F2D791936
SSDEEP:	24576:4o9GkJeNMCB/3QDjDvRoNpxlBDrnMzEC11Z8Ilvi:4o9GkwNMCB/3kjDvRoNpxlBDrnMzEC1m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Modifies hosts file
  - dpkg (PID: 40664)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 40661)
- Reads passwd file
  - dpkg (PID: 40664)
  - tar (PID: 40669)
  - mandb (PID: 40680)
- Creates or rewrites file in the "bin" folder
  - dpkg (PID: 40664)
- Executes the "rm" command to delete files or directories
  - dpkg (PID: 40664)
- Writes to Systemd service files (likely for persistence achievement)
  - sudo (PID: 40662)
INFO
- Checks timezone
  - dpkg (PID: 40664)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.deb	\|	Debian Linux Package (77.4)
.ar	\|	ar archive (22.5)

EXIF

EXE

CreateDate:	2024:01:08 09:15:23+00:00

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

240

Monitored processes

20

Malicious processes

2

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40660	/bin/sh -c "DISPLAY=:0 sudo -iu user sudo dpkg -i /tmp/brutils_2\.7-0_amd64\.deb "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 256
40661	sudo -iu user sudo dpkg -i /tmp/brutils_2.7-0_amd64.deb	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 256
40662	sudo dpkg -i /tmp/brutils_2.7-0_amd64.deb	/usr/bin/sudo	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 256
40663	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40664	dpkg -i /tmp/brutils_2.7-0_amd64.deb	/usr/bin/dpkg	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 256
40665	dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/brutils_2.7-0_amd64.deb	/usr/bin/dpkg-split	—	dpkg
User: root Integrity Level: UNKNOWN Exit code: 256
40666	dpkg-deb --control /tmp/brutils_2.7-0_amd64.deb /var/lib/dpkg/tmp.ci	/usr/bin/dpkg-deb	—	dpkg
User: root Integrity Level: UNKNOWN Exit code: 0
40667	dpkg-deb --control /tmp/brutils_2.7-0_amd64.deb /var/lib/dpkg/tmp.ci	/usr/bin/dpkg-deb	—	dpkg-deb
User: root Integrity Level: UNKNOWN Exit code: 0
40668	dpkg-deb --control /tmp/brutils_2.7-0_amd64.deb /var/lib/dpkg/tmp.ci	/usr/bin/dpkg-deb	—	dpkg-deb
User: root Integrity Level: UNKNOWN Exit code: 0
40669	tar -x -f - --warning=no-timestamp	/usr/bin/tar	—	dpkg-deb
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

281

Unknown types

0

Dropped files

PID	Process	Filename		Type
40669	tar	/var/lib/dpkg/tmp.ci/conffiles		text
		MD5:—	SHA256:—
40669	tar	/var/lib/dpkg/tmp.ci/control		text
		MD5:—	SHA256:—
40669	tar	/var/lib/dpkg/tmp.ci/md5sums		text
		MD5:—	SHA256:—
40664	dpkg	/var/lib/dpkg/tmp.ci/conffiles		text
		MD5:—	SHA256:—
40664	dpkg	/var/lib/dpkg/tmp.ci/control		text
		MD5:—	SHA256:—
40664	dpkg	/var/lib/dpkg/tmp.ci/md5sums		text
		MD5:—	SHA256:—
40664	dpkg	/etc/brutils/local.conf.dpkg-new		text
		MD5:—	SHA256:—
40664	dpkg	/usr/sbin/brutils		text
		MD5:—	SHA256:—
40664	dpkg	/usr/share/brutils/backup/BLOCKCLONE/default/400_copy_disk_struct_files.sh		text
		MD5:—	SHA256:—
40664	dpkg	/usr/share/brutils/backup/BLOCKCLONE/default/500_start_clone.sh		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

15

DNS requests

14

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.98:80	—	Canonical Group Limited	GB	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.48:80	—	Canonical Group Limited	GB	unknown
—	—	169.150.255.181:443	odrs.gnome.org	—	GB	whitelisted
—	—	91.189.91.98:80	—	Canonical Group Limited	US	unknown
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
1178	snap-store	185.125.188.36:443	appstream.ubuntu.com	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
odrs.gnome.org	169.150.255.181 207.211.211.26 195.181.170.19 37.19.194.81 195.181.175.40 212.102.56.179 169.150.255.184	whitelisted
1527653184.rsc.cdn77.org	—	unknown
google.com	142.250.186.142 2a00:1450:4001:829::200e	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.58 185.125.188.54 185.125.188.55 2620:2d:4000:1010::42 2620:2d:4000:1010::6d 2620:2d:4000:1010::117 2620:2d:4000:1010::344	whitelisted
8.100.168.192.in-addr.arpa	—	unknown
appstream.ubuntu.com	185.125.188.36	whitelisted
connectivity-check.ubuntu.com	2620:2d:4002:1::197 2001:67c:1562::23 2620:2d:4000:1::2b 2620:2d:4000:1::96 2620:2d:4000:1::22 2620:2d:4000:1::23 2620:2d:4002:1::198 2620:2d:4000:1::97 2620:2d:4000:1::98 2001:67c:1562::24 2620:2d:4002:1::196 2620:2d:4000:1::2a	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

brutils_2.7-0_amd64.deb

480011A6E71DB7E49883CB6B76959FE1

123D952C035FF656D58B526A56A27D924B813EA4

172AFBEB056712EAA355934676EB40B3922C0F6F5A7524453F98873F2D791936

24576:4o9GkJeNMCB/3QDjDvRoNpxlBDrnMzEC11Z8Ilvi:4o9GkwNMCB/3kjDvRoNpxlBDrnMzEC1m

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Modifies hosts file

SUSPICIOUS

Executes commands using command-line interpreter

Reads passwd file

Creates or rewrites file in the "bin" folder

Executes the "rm" command to delete files or directories

Writes to Systemd service files (likely for persistence achievement)

INFO

Checks timezone

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings