Malware analysis Utility.pm Malicious activity | ANY.RUN

Add for printing

File name:	Utility.pm
Full analysis:	https://app.any.run/tasks/b88fe91c-d3fa-42eb-88e4-be07182c468e
Verdict:	Malicious activity
Analysis date:	January 10, 2025, 19:03:34
OS:	Ubuntu 22.04.2 LTS
Tags:	discord arch-scr
MIME:	text/plain
File info:	Perl5 module source, ASCII text, with very long lines (429)
MD5:	A71B8771E4E276CC041CAF1166D33B6D
SHA1:	9641F675D53A37554FA1B56C7ADA8A50F08E9868
SHA256:	850FD39C01995E52B0A004553FFAE6D39481F628C34E492E6BD9DB9391679E19
SSDEEP:	1536:NEbt4OVUfRq/tEQDk7Kt3/3N13gvUwVBrp2zfWCxSJj7QPCv:NECVJz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 38874)
- Gets information about currently running processes
  - dash (PID: 38958)
- Executes the "rm" command to delete files or directories
  - dpkg (PID: 38941)
  - dash (PID: 38958)
- Executes commands using command-line interpreter
  - gnome-terminal-server (PID: 38907)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

470

Monitored processes

259

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38746	/bin/sh -c "DISPLAY=:0 sudo -iu user gnome-text-editor /tmp/Utility\.pm "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
38747	sudo -iu user gnome-text-editor /tmp/Utility.pm	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38748	gnome-text-editor /tmp/Utility.pm	/usr/bin/gnome-text-editor	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38749	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	gnome-text-editor
User: user Integrity Level: UNKNOWN Exit code: 0
38802	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
38803	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
38805	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
38813	/usr/libexec/tracker-extract-3	/usr/libexec/tracker-extract-3	—	systemd
User: user Integrity Level: UNKNOWN Exit code: 0
38838	/usr/libexec/tracker-extract-3	/usr/libexec/tracker-extract-3	—	systemd
User: user Integrity Level: UNKNOWN Exit code: 0
38855	gjs /usr/share/gnome-shell/extensions/[email protected]/ding.js -E -P /usr/share/gnome-shell/extensions/[email protected] -M 0 -D 0:0:1280:720:1:27:0:74:0:0	/usr/bin/gjs-console	—	gjs-console
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

1

Suspicious files

640

Text files

226

Unknown types

14

Dropped files

PID	Process	Filename		Type
38748	gnome-text-editor	/home/user/.local/share/org.gnome.TextEditor/session.gvariant		binary
		MD5:—	SHA256:—
38748	gnome-text-editor	/home/user/.cache/mesa_shader_cache/d2/ea27fa2c8972e4719271e6ea166eb60cb88796		binary
		MD5:—	SHA256:—
38748	gnome-text-editor	/home/user/.cache/mesa_shader_cache/74/0feed80fcc6c9ed6fbc025c5e0aa962968fa40		binary
		MD5:—	SHA256:—
38748	gnome-text-editor	/home/user/.local/share/org.gnome.TextEditor/recently-used.xbel		xml
		MD5:—	SHA256:—
38748	gnome-text-editor	/home/user/.cache/mesa_shader_cache/ef/9264a26aff24effa3ab2448c5e2b0d43efb799		binary
		MD5:—	SHA256:—
38748	gnome-text-editor	/home/user/.cache/mesa_shader_cache/48/a0ff10489db7ebfc0d92f468cbc86c7b0efa5a		binary
		MD5:—	SHA256:—
38748	gnome-text-editor	/home/user/.cache/mesa_shader_cache/1e/249eaecfafcd47969e43f2f113e00fcb7dc5ee		binary
		MD5:—	SHA256:—
38856	file-roller	/home/user/.local/share/recently-used.xbel		xml
		MD5:—	SHA256:—
38941	dpkg	/var/lib/dpkg/tmp.ci/postinst		text
		MD5:—	SHA256:—
38941	dpkg	/var/lib/dpkg/tmp.ci/control		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

3

TCP/UDP connections

33

DNS requests

41

Threats

4

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
39036	Discord	GET	—	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pjnu5jyln4kujhcmwstuyyvyyu_4.10.2830.0/oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_linux_ace35m3jiw32bj5wzzow5nia7yta.crx3	unknown	—	—	whitelisted
—	—	GET	204	185.125.190.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
488	NetworkManager	GET	204	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	212.102.56.179:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38885	gvfsd-smb-browse	192.168.100.255:137	—	—	—	whitelisted
39036	Discord	216.58.206.78:443	redirector.gvt1.com	GOOGLE	US	whitelisted
39036	Discord	95.168.222.205:443	r2---sn-n02xgoxufvg3-2gb6.gvt1.com	—	—	whitelisted
39036	Discord	142.250.185.227:443	update.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.78 2a00:1450:4001:828::200e	whitelisted
connectivity-check.ubuntu.com	185.125.190.97 91.189.91.97 91.189.91.96 185.125.190.48 185.125.190.17 91.189.91.98 91.189.91.49 185.125.190.98 185.125.190.18 91.189.91.48 185.125.190.49 185.125.190.96 2620:2d:4000:1::2b 2620:2d:4000:1::98 2620:2d:4002:1::196 2620:2d:4000:1::2a 2620:2d:4000:1::22 2620:2d:4000:1::97 2620:2d:4000:1::23 2620:2d:4002:1::197 2001:67c:1562::23 2620:2d:4000:1::96 2001:67c:1562::24 2620:2d:4002:1::198	whitelisted
odrs.gnome.org	212.102.56.179 195.181.175.40 169.150.255.184 195.181.170.18 37.19.194.81 169.150.255.180 207.211.211.27 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::21 2a02:6ea0:c700::112 2a02:6ea0:c700::107 2a02:6ea0:c700::18	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.54 185.125.188.58 185.125.188.55 2620:2d:4000:1010::6d 2620:2d:4000:1010::2e6 2620:2d:4000:1010::42 2620:2d:4000:1010::117	whitelisted
40.100.168.192.in-addr.arpa	—	unknown
redirector.gvt1.com	216.58.206.78	whitelisted
update.googleapis.com	142.250.185.227	whitelisted
r2---sn-n02xgoxufvg3-2gb6.gvt1.com	95.168.222.205	whitelisted
edgedl.me.gvt1.com	34.104.35.123	whitelisted
discord.com	162.159.135.232 162.159.128.233 162.159.136.232 162.159.137.232 162.159.138.232	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)

Add for printing

No debug info

General Info

Utility.pm

A71B8771E4E276CC041CAF1166D33B6D

9641F675D53A37554FA1B56C7ADA8A50F08E9868

850FD39C01995E52B0A004553FFAE6D39481F628C34E492E6BD9DB9391679E19

1536:NEbt4OVUfRq/tEQDk7Kt3/3N13gvUwVBrp2zfWCxSJj7QPCv:NECVJz

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Checks DMI information (probably VM detection)

Gets information about currently running processes

Executes the "rm" command to delete files or directories

Executes commands using command-line interpreter

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings