Malware analysis google.com Malicious activity | ANY.RUN

Add for printing

URL:	google.com
Full analysis:	https://app.any.run/tasks/7343d449-21b5-4727-b5af-17bda6a587d9
Verdict:	Malicious activity
Analysis date:	May 09, 2025, 18:22:40
OS:	Ubuntu 22.04.2
MD5:	1D5920F4B44B27A802BD77C4F0536F5A
SHA1:	BAEA954B95731C68AE6E45BD1E252EB4560CDC45
SHA256:	D4C9D9027326271A89CE51FCAF328ED673F17BE33469FF979E8AB8DD501E664F
SSDEEP:	3:duK:IK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 39491)
  - gnome-terminal-server (PID: 39710)
  - chrome (PID: 39492)
  - sudo (PID: 39789)
  - gdm-wayland-session (PID: 40273)
- Reads passwd file
  - useradd (PID: 39757)
  - perl (PID: 39750)
  - passwd (PID: 39768)
  - chfn (PID: 39775)
  - chfn (PID: 39769)
  - chfn (PID: 39781)
  - dbus-daemon (PID: 39862)
  - gnome-shell (PID: 39928)
  - gdm-session-worker (PID: 39827)
  - pipewire-media-session (PID: 39841)
  - pipewire (PID: 39840)
  - dbus-daemon (PID: 39851)
  - ibus-daemon (PID: 40029)
  - gsd-print-notifications (PID: 40044)
  - gsd-media-keys (PID: 40072)
  - ibus-daemon (PID: 40174)
  - dbus-daemon (PID: 39962)
  - gvfs-udisks2-volume-monitor (PID: 39973)
  - pipewire (PID: 40234)
  - pipewire-media-session (PID: 40235)
  - dbus-daemon (PID: 40263)
  - gdm-wayland-session (PID: 40273)
  - gsd-power (PID: 40084)
  - gdm-session-worker (PID: 40220)
  - dbus-daemon (PID: 40430)
  - gnome-session-binary (PID: 40276)
  - gnome-initial-setup-copy-worker (PID: 40343)
  - gvfs-udisks2-volume-monitor (PID: 40506)
  - ibus-daemon (PID: 40568)
  - gsd-print-notifications (PID: 40611)
  - gnome-shell (PID: 40433)
  - evolution-calendar-factory (PID: 40477)
  - whoopsie (PID: 40796)
  - whoopsie (PID: 40815)
  - gsd-media-keys (PID: 40580)
  - gsd-power (PID: 40600)
  - ubuntu-advantage-desktop-daemon (PID: 40946)
  - gsd-xsettings (PID: 40785)
  - whoopsie (PID: 40921)
  - gnome-initial-setup (PID: 40878)
- Modifies bash configuration script
  - perl (PID: 39750)
- Checks the user who created the process
  - passwd (PID: 39768)
  - gdm-session-worker (PID: 40220)
- Executes the "rm" command to delete files or directories
  - bash (PID: 39790)
- Reads /proc/mounts (likely used to find writable filesystems)
  - dbus-daemon (PID: 39862)
  - dbus-daemon (PID: 39851)
  - gnome-shell (PID: 39928)
  - gjs-console (PID: 40020)
  - dbus-daemon (PID: 39962)
  - dbus-daemon (PID: 40263)
  - gjs-console (PID: 40186)
  - dbus-daemon (PID: 40430)
  - gnome-shell (PID: 40433)
  - gjs-console (PID: 40547)
  - gjs-console (PID: 40839)
  - python3.10 (PID: 40840)
  - python3.10 (PID: 41071)
- Checks DMI information (probably VM detection)
  - udevadm (PID: 39879)
  - gnome-shell (PID: 39928)
  - pulseaudio (PID: 39842)
  - pipewire (PID: 39840)
  - pipewire (PID: 40234)
  - udevadm (PID: 40292)
  - pulseaudio (PID: 40236)
  - gnome-shell (PID: 40433)
  - pulseaudio (PID: 40436)
  - pulseaudio (PID: 40704)
  - pulseaudio (PID: 40764)
  - pulseaudio (PID: 40457)
  - pulseaudio (PID: 40514)
  - udevadm (PID: 41011)
- Reads profile file
  - gnome-session-binary (PID: 40276)
- Check the Environment Variables Related to System Identification (os-release)
  - ubuntu-report (PID: 40590)
  - python3.10 (PID: 41085)
  - python3.10 (PID: 41086)
  - python3.10 (PID: 41087)
  - python3.10 (PID: 41088)
  - update-notifier (PID: 41057)
  - gnome-initial-setup (PID: 40878)
INFO
- Checks timezone
  - useradd (PID: 39757)
  - python3.10 (PID: 39703)
  - chrome (PID: 39492)
  - groupadd (PID: 39751)
  - gdm-session-worker (PID: 39827)
  - passwd (PID: 39768)
  - chfn (PID: 39769)
  - chfn (PID: 39775)
  - chfn (PID: 39781)
  - dbus-daemon (PID: 39851)
  - gnome-session-binary (PID: 39874)
  - python3.10 (PID: 39919)
  - python3.10 (PID: 39907)
  - gnome-shell (PID: 39928)
  - python3.10 (PID: 40046)
  - gsd-print-notifications (PID: 40044)
  - spice-vdagent (PID: 40168)
  - tracker-miner-fs-3 (PID: 39955)
  - gdm-session-worker (PID: 40220)
  - dbus-daemon (PID: 40263)
  - gsd-color (PID: 40038)
  - python3.10 (PID: 40404)
  - gnome-session-binary (PID: 40388)
  - gnome-shell (PID: 40433)
  - gnome-keyring-daemon (PID: 40241)
  - python3.10 (PID: 40369)
  - python3.10 (PID: 40379)
  - python3.10 (PID: 40408)
  - gnome-shell-calendar-server (PID: 40459)
  - python3.10 (PID: 40573)
  - spice-vdagent (PID: 40576)
  - gsd-print-notifications (PID: 40611)
  - evolution-calendar-factory (PID: 40477)
  - whoopsie (PID: 40796)
  - ibus-x11 (PID: 40180)
  - python3.10 (PID: 40803)
  - python3.10 (PID: 40804)
  - whoopsie (PID: 40815)
  - evolution-alarm-notify (PID: 40603)
  - python3.10 (PID: 40816)
  - python3.10 (PID: 40840)
  - python3.10 (PID: 40926)
  - whoopsie (PID: 40921)
  - tracker-miner-fs-3 (PID: 40938)
  - tracker-miner-fs-3 (PID: 40947)
  - tracker-miner-fs-3 (PID: 40963)
  - tracker-miner-fs-3 (PID: 40895)
  - tracker-miner-fs-3 (PID: 40879)
  - tracker3 (PID: 40901)
  - python3.10 (PID: 40933)
  - python3.10 (PID: 41086)
  - python3.10 (PID: 41090)
  - python3.10 (PID: 41071)
  - python3.10 (PID: 41085)
  - python3.10 (PID: 41087)
  - python3.10 (PID: 41088)
  - tracker-miner-fs-3 (PID: 41138)
  - tracker-miner-fs-3 (PID: 41118)
  - tracker-miner-fs-3 (PID: 41123)
  - tracker-miner-fs-3 (PID: 41128)
  - tracker-miner-fs-3 (PID: 41133)
- Creates file in the temporary folder
  - gnome-shell (PID: 39928)
  - gnome-shell (PID: 40433)
  - python3.10 (PID: 40840)
  - python3.10 (PID: 41071)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

796

Monitored processes

574

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
39489	/bin/sh -c "DISPLAY=:0 sudo -iu user google-chrome google\.com "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
39490	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
39491	sudo -iu user google-chrome google.com	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39492	/usr/bin/google-chrome google.com	/opt/google/chrome/chrome	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
39493	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	chrome
User: user Integrity Level: UNKNOWN Exit code: 0
39494	readlink -f /usr/bin/google-chrome	/usr/bin/readlink	—	chrome
User: user Integrity Level: UNKNOWN Exit code: 0
39495	dirname /opt/google/chrome/google-chrome	/usr/bin/dirname	—	chrome
User: user Integrity Level: UNKNOWN Exit code: 0
39496	mkdir -p /home/user/.local/share/applications	/usr/bin/mkdir	—	chrome
User: user Integrity Level: UNKNOWN Exit code: 0
39497	cat	/usr/bin/cat	—	chrome
User: user Integrity Level: UNKNOWN Exit code: 0
39498	cat	/usr/bin/cat	—	chrome
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

Suspicious files

249

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
39492	chrome	/home/user/.config/google-chrome/ShaderCache/data_3		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/ShaderCache/data_2		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/ShaderCache/data_0		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/Default/Sync Data/LevelDB/MANIFEST-000001		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/Default/shared_proto_db/metadata/MANIFEST-000001		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/Default/Extension State/MANIFEST-000001		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/Default/shared_proto_db/MANIFEST-000001		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/GrShaderCache/data_3		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/GrShaderCache/data_2		binary
		MD5:—	SHA256:—
39492	chrome	/home/user/.config/google-chrome/GrShaderCache/data_0		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
488	NetworkManager	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.190.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	37.19.194.81:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
odrs.gnome.org	37.19.194.81 169.150.255.181 195.181.175.41 195.181.170.19 207.211.211.27 212.102.56.178 169.150.255.183 2a02:6ea0:c700::107 2a02:6ea0:c700::21 2a02:6ea0:c700::101 2a02:6ea0:c700::112 2a02:6ea0:c700::19 2a02:6ea0:c700::18 2a02:6ea0:c700::11	whitelisted
google.com	142.250.186.46 2a00:1450:4001:831::200e	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.54 185.125.188.59 185.125.188.57 2620:2d:4000:1010::2e6 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::344	whitelisted
clientservices.googleapis.com	142.250.186.163	whitelisted
safebrowsingohttpgateway.googleapis.com	142.250.186.170 142.250.186.106 172.217.16.138 172.217.16.202 216.58.206.42 142.250.186.138 216.58.206.74 216.58.212.138 142.250.185.138 142.250.185.74 142.250.184.202 142.250.185.106 142.250.186.74 142.250.184.234 142.250.186.42 172.217.18.10	whitelisted
accounts.google.com	108.177.119.84	whitelisted
www.google.com	142.250.184.228	whitelisted
fonts.gstatic.com	142.250.185.163	whitelisted
www.gstatic.com	172.217.18.3	whitelisted
content-autofill.googleapis.com	142.250.185.138 142.250.186.170 142.250.185.106 142.250.186.138 142.250.185.234 172.217.18.10 142.250.185.202 142.250.181.234 142.250.186.74 142.250.185.74 142.250.186.106 216.58.206.74 142.250.184.234 142.250.184.202 216.58.212.138 142.250.185.170	whitelisted

Threats

PID	Process	Class	Message
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
39540	chrome	Generic Protocol Command Decode	SURICATA QUIC failed decrypt

Add for printing

No debug info

General Info

google.com

1D5920F4B44B27A802BD77C4F0536F5A

BAEA954B95731C68AE6E45BD1E252EB4560CDC45

D4C9D9027326271A89CE51FCAF328ED673F17BE33469FF979E8AB8DD501E664F

3:duK:IK

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes commands using command-line interpreter

Reads passwd file

Modifies bash configuration script

Checks the user who created the process

Executes the "rm" command to delete files or directories

Reads /proc/mounts (likely used to find writable filesystems)

Checks DMI information (probably VM detection)

Reads profile file

Check the Environment Variables Related to System Identification (os-release)

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings