analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip

Full analysis: https://app.any.run/tasks/fb4aa815-4b96-46b6-ba0f-d53c16413875
Verdict: Malicious activity
Analysis date: January 29, 2024, 16:54:01
OS: Ubuntu 22.04.2
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

A0D2B36F76EECC83F96DB231C200F2D1

SHA1:

D0BAF18630C7FB5402B079347EA9514203820FCD

SHA256:

7E3DD1E6D31222E3EDAD452C4C1B22BF4ACB22D78B56F08660326BC01CD2D3C7

SSDEEP:

768:iBAiU+ezEaDJzuLomwW40UGS63kfhpoWvjzDdo/l1yEJZwDcMvwCdw7Xen1VEAXf:ioPQa5uLzwWfFkfzoWvjn+Nl+wCdyeNf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads /proc/mounts (likely used to find writable filesystems)

      • firefox (PID: 7036)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: odsp.react.lib-ed8a68f7[1].js
ZipUncompressedSize: 130559
ZipCompressedSize: 42341
ZipCRC: 0x1b94e71e
ZipModifyDate: 2024:01:29 16:53:14
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
457
Monitored processes
91
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs file-roller no specs locale-check no specs 7z no specs 7z no specs gnome-text-editor no specs 7z no specs nautilus no specs sh no specs dash no specs sh no specs dash no specs gnome-text-editor no specs firefox no specs snap-seccomp no specs snap-confine no specs snap-confine no specs 5 no specs date no specs chmod no specs bash no specs md5sum no specs cat no specs bash no specs md5sum no specs cat no specs grep no specs snapctl no specs snapctl no specs realpath no specs realpath no specs xdg-user-dirs-update no specs bash no specs bash no specs realpath no specs realpath no specs bash no specs realpath no specs bash no specs bash no specs bash no specs realpath no specs realpath no specs realpath no specs bash no specs bash no specs realpath no specs realpath no specs ln no specs rm no specs ln no specs firefox no specs snapctl no specs snapctl no specs glxtest no specs snap no specs firefox no specs firefox no specs firefox no specs firefox no specs xdg-settings no specs dbus-send no specs cut no specs xdg-settings no specs awk no specs awk no specs firefox no specs firefox no specs xdg-settings no specs dbus-send no specs cut no specs xdg-settings no specs which no specs awk no specs awk no specs xdg-settings no specs dbus-send no specs cut no specs xdg-settings no specs awk no specs awk no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs

Process information

PID
CMD
Path
Indicators
Parent process
6852/bin/sh -c "DISPLAY=:0 sudo -iu user file-roller \"/tmp/MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204\.zip\" " /bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
6879
6853sudo -iu user file-roller /tmp/MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip /usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
6879
6854file-roller /tmp/MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip /usr/bin/file-rollersudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
6879
6855/usr/bin/locale-check C.UTF-8 /usr/bin/locale-checkfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6871/usr/lib/p7zip/7z x -bd -bb1 -y -o/home/user/.cache/.fr-aGO8wE -- /tmp/MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip odsp.react.lib-ed8a68f7[1].js /usr/lib/p7zip/7zfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
6876/usr/lib/p7zip/7z x -bd -bb1 -y -p1234 -o/home/user/.cache/.fr-s8LQ2N -- /tmp/MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip odsp.react.lib-ed8a68f7[1].js /usr/lib/p7zip/7zfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
1214
6879/usr/bin/gnome-text-editor --gapplication-service /usr/bin/gnome-text-editordbus-daemon
User:
user
Integrity Level:
UNKNOWN
6930/usr/lib/p7zip/7z x -bd -bb1 -y -p1234 -o/home/user/Desktop -- /tmp/MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip /usr/lib/p7zip/7zfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
6879
6946/usr/bin/nautilus --gapplication-service /usr/bin/nautilusdbus-daemon
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
6977/bin/sh /home/user/Desktop/odsp.react.lib-ed8a68f7[1].js /bin/shgjs-console
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
68717z/home/user/.cache/.fr-aGO8wE/odsp.react.lib-ed8a68f7[1].js
MD5:
SHA256:
68767z/home/user/.cache/.fr-s8LQ2N/odsp.react.lib-ed8a68f7[1].js
MD5:
SHA256:
6879gnome-text-editor/home/user/.local/share/org.gnome.TextEditor/recently-used.xbel.91WJI2
MD5:
SHA256:
6879gnome-text-editor/home/user/.config/enchant/en_IE.dic
MD5:
SHA256:
6879gnome-text-editor/home/user/.config/enchant/en_IE.exc
MD5:
SHA256:
6879gnome-text-editor/home/user/.cache/mesa_shader_cache/bc/42e08f7002fdc6e1d467570cdbf1468ff1b628.tmp
MD5:
SHA256:
6879gnome-text-editor/home/user/.cache/mesa_shader_cache/2b/614a0f3c7fb73a9936c95e88466e635fc5f43b.tmp
MD5:
SHA256:
6879gnome-text-editor/home/user/.cache/mesa_shader_cache/39/f73ae7cc41bcad2026c47fc283d17c76640575.tmp
MD5:
SHA256:
6879gnome-text-editor/home/user/.cache/mesa_shader_cache/e5/9c805a99e570ccff2d7ec9333594a898aaedbb.tmp
MD5:
SHA256:
6879gnome-text-editor/home/user/.cache/mesa_shader_cache/55/ab1504d05fe24e7ff0e4c43ca7ce085c95e047.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
35
DNS requests
82
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.49:80
http://connectivity-check.ubuntu.com/
unknown
unknown
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
text
8 b
unknown
POST
200
142.250.186.99:80
http://ocsp.pki.goog/gts1c3
unknown
binary
472 b
unknown
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
text
90 b
unknown
POST
200
184.24.77.48:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
POST
200
184.24.77.48:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
POST
200
184.24.77.48:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
POST
200
18.66.142.91:80
http://ocsp.r2m02.amazontrust.com/
unknown
binary
471 b
unknown
POST
200
184.24.77.48:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.49:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
224.0.0.251:5353
unknown
185.125.190.18:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
156.146.33.141:443
Datacamp Limited
DE
unknown
212.102.56.179:443
Datacamp Limited
DE
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
unknown
34.117.237.239:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
unknown
3.208.221.93:443
spocs.getpocket.com
AMAZON-AES
US
unknown

DNS requests

Domain
IP
Reputation
232.100.168.192.in-addr.arpa
unknown
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::23
  • 2001:67c:1562::24
  • 185.125.190.18
  • 35.224.170.84
  • 91.189.91.49
  • 91.189.91.48
  • 185.125.190.17
  • 35.232.111.17
  • 185.125.190.49
  • 34.122.121.32
  • 185.125.190.48
unknown
detectportal.firefox.com
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.237.239
whitelisted
spocs.getpocket.com
  • 3.208.221.93
  • 52.22.97.188
  • 3.228.133.50
  • 34.205.194.46
shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com
unknown
example.org
  • 93.184.216.34
  • 2606:2800:220:1:248:1893:25c8:1946
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
r3.o.lencr.org
  • 184.24.77.48
  • 184.24.77.54
  • 184.24.77.72
  • 184.24.77.53
  • 184.24.77.77
  • 2a02:26f0:3500:e::1732:8353
  • 2a02:26f0:3500:e::1732:835c
  • 184.24.77.58
  • 184.24.77.46
  • 184.24.77.59
  • 184.24.77.81
  • 184.24.77.51
  • 184.24.77.65
  • 184.24.77.61
  • 184.24.77.76
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
MDE_File_Sample_c164d1d42da10cac9f4247170e29b43b1f2e7204.zip