Linux Analysis Report
bluefish-data_2.2.12-1.1_all(1).deb

Overview

General Information

Sample name: bluefish-data_2.2.12-1.1_all(1).deb
Analysis ID: 1543714
MD5: f3b0147686843cf4b09551c626bdd77d
SHA1: 4f9f4570ba5e21f859744b4f20122b30235dfb02
SHA256: 1e6b6f39d9384307e8110aafcaa9323412abf9084391448b2b10b5c0c19527b7
Infos:

Detection

Score: 3
Range: 0 - 100
Whitelisted: false

Signatures

Creates hidden files and/or directories
Executes the "rm" command used to delete files or directories
Reads the 'hosts' file potentially containing internal network hosts
Sample tries to set the executable flag
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Reads the 'hosts' file potentially containing internal network hosts
Source: /usr/bin/gnome-software (PID: 4772) Reads hosts file: /etc/hosts Jump to behavior
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: reviews.ubuntu.com replaycode: Name error (3)
Source: global traffic DNS traffic detected: DNS query: reviews.ubuntu.com
Source: control.59.dr String found in binary or memory: http://bluefish.openoffice.nl
Source: classification engine Classification label: clean3.linDEB@0/7@8/0
Creates hidden files and/or directories
Source: /usr/bin/exo-open (PID: 4746) Directory: /home/james/.Xauthority Jump to behavior
Source: /usr/bin/exo-open (PID: 4746) Directory: /home/james/.cache Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4754) Directory: /home/james/.Xauthority Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772) Directory: /home/james/.Xauthority Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772) Directory: /home/james/.Xauthority Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772) Directory: /home/james/.Xdefaults-ubuntu Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772) Directory: /home/james/.cache Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4789) Directory: /home/james/.Xauthority Jump to behavior
Source: /bin/tar (PID: 4948) Directory: ./. Jump to behavior
Source: /usr/bin/dpkg (PID: 5004) Directory: /home/james/.dpkg.cfg Jump to behavior
Source: /usr/bin/dpkg (PID: 5005) Directory: /home/james/.dpkg.cfg Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/fwupd/fwupd (PID: 4887) Directory: /root/.cache Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dpkg-deb (PID: 4976) Rm executable: /bin/rm -> rm -rf -- /tmp/dpkg-deb.YO0WnW Jump to behavior
Sample tries to set the executable flag
Source: /bin/tar (PID: 4948) File: ./. (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: submitted sample Stderr: (gnome-software:4772): GsPlugin-WARNING **: could not lookup cached macaroon: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached(gnome-software:4772): IBUS-WARNING **: The owner of /home/james/.config/ibus/bus is not root!(gnome-software:4772): GsPlugin-WARNING **: Failed to get Ubuntu review statistics: Got status code Cannot resolve hostname from reviews.ubuntu.com: exit code = 0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/exo-open (PID: 4746) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4754) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4789) Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/fwupd/fwupd (PID: 4887) Queries kernel information via 'uname': Jump to behavior
windows-stand
No contacted IP infos

Contacted Domains

Name IP Active
reviews.ubuntu.com unknown unknown