Malware analysis application.gz Malicious activity | ANY.RUN

Add for printing

File name:	application.gz
Full analysis:	https://app.any.run/tasks/1f96f1e3-7da0-4b6a-8fff-16d70a5d93dd
Verdict:	Malicious activity
Analysis date:	May 03, 2024, 01:49:36
OS:	Ubuntu 22.04.2
MIME:	application/gzip
File info:	gzip compressed data, from Unix, original size modulo 2^32 1402
MD5:	58DABAC4471F37C945F50A6041236D51
SHA1:	6E3C15DF01EE5147DB59DF21FADF25B949F3AACF
SHA256:	344D86AEDF7F6F83AB2C29B369485C04CF7D54D7EE3A9F22FD9CA5552A2BF30F
SSDEEP:	48:wn+Av5O2px4k5PneLcTl7KaIB/IDloQqgOEB5HKn:wn+AM2px4ktnJp7KaIB/eGvEB5HK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes the "rm" command to delete files or directories
  - file-roller (PID: 9265)
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 9304)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.z/gz/gzip	\|	GZipped data (100)

EXIF

ZIP

Compression:	Deflated
Flags:	(none)
ModifyDate:	0000:00:00 00:00:00
ExtraFlags:	(none)
OperatingSystem:	Unix

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

241

Monitored processes

19

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
9263	/bin/sh -c "DISPLAY=:0 sudo -iu user file-roller /home/user/Desktop/application\.gz "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN
9264	sudo -iu user file-roller /home/user/Desktop/application.gz	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN
9265	file-roller /home/user/Desktop/application.gz	/usr/bin/file-roller	—	sudo
User: user Integrity Level: UNKNOWN
9266	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 0
9280	gzip -l -q /home/user/Desktop/application.gz	/usr/bin/gzip	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 9265
9281	cp -f /home/user/Desktop/application.gz /home/user/.cache/.fr-gDgkKn/application.gz	/usr/bin/cp	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 9265
9282	gzip -f -d -n /home/user/.cache/.fr-gDgkKn/application.gz	/usr/bin/gzip	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 496
9283	cp -f /home/user/.cache/.fr-gDgkKn/application /home/user/.cache/.fr-rjbERD/application	/usr/bin/cp	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 496
9284	rm -rf /home/user/.cache/.fr-gDgkKn	/usr/bin/rm	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 496
9304	/lib/systemd/systemd-hostnamed	/lib/systemd/systemd-hostnamed	—	systemd
User: root Integrity Level: UNKNOWN Exit code: 9314

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
9265	file-roller	/dconf/user		—
		MD5:—	SHA256:—
9265	file-roller	/home/user/.local/share/recently-used.xbel.EC31M2		—
		MD5:—	SHA256:—
9281	cp	/home/user/.cache/.fr-gDgkKn/application.gz		—
		MD5:—	SHA256:—
9282	gzip	/home/user/.cache/.fr-gDgkKn/application		—
		MD5:—	SHA256:—
9283	cp	/home/user/.cache/.fr-rjbERD/application		—
		MD5:—	SHA256:—
9307	cp	/home/user/.cache/.fr-efmoiL/application.gz		—
		MD5:—	SHA256:—
9309	gzip	/home/user/.cache/.fr-efmoiL/application		—
		MD5:—	SHA256:—
9310	cp	/home/user/Documents/application		—
		MD5:—	SHA256:—
9265	file-roller	/home/user/.local/share/recently-used.xbel.O3R6M2		—
		MD5:—	SHA256:—
9320	nautilus	/home/user/.local/share/nautilus/tags/meta.db-wal		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

6

DNS requests

6

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.98:80	—	Canonical Group Limited	GB	unknown
—	—	91.189.91.49:80	—	Canonical Group Limited	US	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
169.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2620:2d:4002:1::198 2620:2d:4000:1::98 2620:2d:4002:1::196 2001:67c:1562::24 2001:67c:1562::23 2620:2d:4000:1::23 2620:2d:4000:1::2a 2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4002:1::197	unknown
api.snapcraft.io	185.125.188.55 185.125.188.58 185.125.188.59 185.125.188.54	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

application.gz

58DABAC4471F37C945F50A6041236D51

6E3C15DF01EE5147DB59DF21FADF25B949F3AACF

344D86AEDF7F6F83AB2C29B369485C04CF7D54D7EE3A9F22FD9CA5552A2BF30F

48:wn+Av5O2px4k5PneLcTl7KaIB/IDloQqgOEB5HKn:wn+AM2px4ktnJp7KaIB/eGvEB5HK

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes the "rm" command to delete files or directories

Checks DMI information (probably VM detection)

INFO

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings