Edit tour

Linux Analysis Report
bluefish-data_2.2.12-1.1_all(1).deb

Overview

General Information

Sample name:	bluefish-data_2.2.12-1.1_all(1).deb
Analysis ID:	1543714
MD5:	f3b0147686843cf4b09551c626bdd77d
SHA1:	4f9f4570ba5e21f859744b4f20122b30235dfb02
SHA256:	1e6b6f39d9384307e8110aafcaa9323412abf9084391448b2b10b5c0c19527b7
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false

Signatures

Creates hidden files and/or directories

Executes the "rm" command used to delete files or directories

Reads the 'hosts' file potentially containing internal network hosts

Sample tries to set the executable flag

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543714
Start date and time:	2024-10-28 09:50:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample name:	bluefish-data_2.2.12-1.1_all(1).deb
Detection:	CLEAN
Classification:	clean3.linDEB@0/7@8/0

Warnings

Excluded IPs from analysis (whitelisted): 185.125.188.54, 185.125.188.55, 185.125.188.59, 185.125.188.58
Excluded domains from analysis (whitelisted): api.snapcraft.io
VT rate limit hit for: bluefish-data_2.2.12-1.1_all(1).deb

Runtime Messages

Command:	xdg-open "/tmp/bluefish-data_2.2.12-1.1_all(1).deb"
PID:	4686
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	(gnome-software:4772): GsPlugin-WARNING : could not lookup cached macaroon: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached (gnome-software:4772): IBUS-WARNING : The owner of /home/james/.config/ibus/bus is not root! (gnome-software:4772): GsPlugin-WARNING **: Failed to get Ubuntu review statistics: Got status code Cannot resolve hostname from reviews.ubuntu.com

Process Tree

system is lnxubuntu1

exo-open (PID: 4746, Parent: 4686, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open /tmp/bluefish-data_2.2.12-1.1_all(1).deb

exo-open New Fork (PID: 4754, Parent: 4746)

dbus-launch (PID: 4754, Parent: 4746, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

exo-open New Fork (PID: 4767, Parent: 4746)

exo-open New Fork (PID: 4772, Parent: 4767)

gnome-software (PID: 4772, Parent: 1656, MD5: 8676fce47b3f3e8c729aaaa8c935c235) Arguments: gnome-software --local-filename=/tmp/bluefish-data_2.2.12-1.1_all(1).deb

gnome-software New Fork (PID: 4789, Parent: 4772)

dbus-launch (PID: 4789, Parent: 4772, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

gnome-software New Fork (PID: 4945, Parent: 4772)

dpkg-deb (PID: 4945, Parent: 4772, MD5: 6833acbbb76db8e5a5f14dd5073929af) Arguments: /usr/bin/dpkg-deb --showformat=${Package}\\n${Version}\\n${Installed-Size}\\n${Homepage}\\n${Description} -W /tmp/bluefish-data_2.2.12-1.1_all(1).deb

dpkg-deb New Fork (PID: 4946, Parent: 4945)

dpkg-deb New Fork (PID: 4947, Parent: 4945)

dpkg-deb New Fork (PID: 4948, Parent: 4945)

tar (PID: 4948, Parent: 4945, MD5: dbc4507f4db5b41f7358b28bce65a15d) Arguments: tar -x -m -f - --warning=no-timestamp

dpkg-deb New Fork (PID: 4976, Parent: 4945)

rm (PID: 4976, Parent: 4945, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf -- /tmp/dpkg-deb.YO0WnW

gnome-software New Fork (PID: 5004, Parent: 4772)

dpkg (PID: 5004, Parent: 4772, MD5: 7084d55d63a41425e1a2c1adcced4f14) Arguments: /usr/bin/dpkg --print-foreign-architectures

gnome-software New Fork (PID: 5005, Parent: 4772)

dpkg (PID: 5005, Parent: 4772, MD5: 7084d55d63a41425e1a2c1adcced4f14) Arguments: /usr/bin/dpkg --print-foreign-architectures

systemd New Fork (PID: 4887, Parent: 1)

fwupd (PID: 4887, Parent: 1, MD5: 4d2507b12cd401bed306a719c3c7b863) Arguments: /usr/lib/x86_64-linux-gnu/fwupd/fwupd

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: /usr/bin/gnome-software (PID: 4772)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown

DNS traffic detected: query: reviews.ubuntu.com replaycode: Name error (3)

Source: global traffic

DNS traffic detected: DNS query: reviews.ubuntu.com

Source: control.59.dr

String found in binary or memory: http://bluefish.openoffice.nl

Source: classification engine

Classification label: clean3.linDEB@0/7@8/0

Source: /usr/bin/exo-open (PID: 4746)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/exo-open (PID: 4746)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4754)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772)	Directory: /home/james/.Xdefaults-ubuntu	Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4789)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /bin/tar (PID: 4948)	Directory: ./.	Jump to behavior
Source: /usr/bin/dpkg (PID: 5004)	Directory: /home/james/.dpkg.cfg	Jump to behavior
Source: /usr/bin/dpkg (PID: 5005)	Directory: /home/james/.dpkg.cfg	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/fwupd/fwupd (PID: 4887)	Directory: /root/.cache	Jump to behavior

Source: /usr/bin/dpkg-deb (PID: 4976)

Rm executable: /bin/rm -> rm -rf -- /tmp/dpkg-deb.YO0WnW

Jump to behavior

Source: /bin/tar (PID: 4948)

File: ./. (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: submitted sample

Stderr: (gnome-software:4772): GsPlugin-WARNING **: could not lookup cached macaroon: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached(gnome-software:4772): IBUS-WARNING **: The owner of /home/james/.config/ibus/bus is not root!(gnome-software:4772): GsPlugin-WARNING **: Failed to get Ubuntu review statistics: Got status code Cannot resolve hostname from reviews.ubuntu.com: exit code = 0

Source: /usr/bin/exo-open (PID: 4746)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4754)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gnome-software (PID: 4772)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4789)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/fwupd/fwupd (PID: 4887)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File and Directory Permissions Modification	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bluefish-data_2.2.12-1.1_all(1).deb	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reviews.ubuntu.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://bluefish.openoffice.nl	control.59.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/james/.cache/dconf/user

Download File

Process:	/usr/bin/gnome-software
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	C4103F122D27677C9DB144CAE1394A66
SHA1:	1489F923C4DCA729178B3E3233458550D8DDDF29
SHA-256:	96A296D224F285C67BEE93C30F8A309157F0DAA35DC5B87E410B78630A09CFC7
SHA-512:	5EA71DC6D0B4F57BF39AADD07C208C35F06CD2BAC5FDE210397F70DE11D439C62EC1CDF3183758865FD387FCEA0BADA2F6C37A4A17851DD1D78FEFE6F204EE54
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..

/home/james/.local/share/gnome-software/ubuntu-reviews.db

Download File

Process:	/usr/bin/gnome-software
File Type:	SQLite 3.x database, last written using SQLite version 3011000, page size 1024, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.8137112654833607
Encrypted:	false
SSDEEP:	96:5WtpHVGjjKopHVGjIKopHVGj4KopHVGjz:6HVGjDHVGjuHVGjeHVGjz
MD5:	05D33ECA3AA5CBC65852527223C7F6DD
SHA1:	A731EF942D48F6B76F551FC6C8EEDCE3AAAE0117
SHA-256:	65C96D2253A4E620FEB9F5709E5C2ACA2E5D6E1CA5371802E230CF41D36DC49D
SHA-512:	B513C92C7B93F72E8AA997491773BB23F072BD15BB58582D69A3DCD7D91360A96038042E001E6C3755FA7576B092F8E2D0B9DC3395F6566BD89CBF45190AC393
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................%%..Qtablereview_statsreview_stats.CREATE TABLE review_stats (package_name TEXT PRIMARY KEY,one_star_count INTEGER DEFAULT 0,two_star_count INTEGER DEFAULT 0,three_star_count INTEGER DEFAULT 0,four_star_count INTEGER DEFAULT 0,five_star_count INTEGER DEFAULT 0)7...K%..indexsqlite_autoindex_review_stat

/home/james/.local/share/gnome-software/ubuntu-reviews.db-journal

Download File

Process:	/usr/bin/gnome-software
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	7208
Entropy (8bit):	2.1830879500652727
Encrypted:	false
SSDEEP:	96:7eiekOWtpHVGjx/xKopHVGjMpAmKopHVGj1:7j3tHVGjhFHVGjH4HVGj1
MD5:	7F0B97BFBD8BEE75041CD538A16CEE93
SHA1:	0C62C0C467FB8B5BB40FEAD8CF7B43F7E595FEA1
SHA-256:	CBF96A442BBD4CC1B2A3719C45DE98BAE9BE78DD9EF98D91C36E4847FD08E5AA
SHA-512:	17185C49DA1D44312096EA3EFD6F7C822C3B3B43C9440EFC401EB57552FA931182D25741EBF49809C4E6215BC9ABE30AE8C53E00D5C0F8783CDB9545DCE6CEE9
Malicious:	false
Reputation:	low
Preview:	.... .c......./..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c.....4...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/tmp/dpkg-deb.YO0WnW/control

Download File

Process:	/bin/tar
File Type:	ASCII text
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	4.711367082300045
Encrypted:	false
SSDEEP:	24:vpDO/gM4LLvHGgw054tI5WUgWM5g/0hQYXsHEvwsiMk:vpDO/gM4LbHGTltIQzSyQYWsk
MD5:	AC0912B8BDF42F80C5D25299D143CD22
SHA1:	DB5B50F394D02A6D026205120132AAACC2A6C68D
SHA-256:	AEC437B8D145A13165107650B3DE1C3824694300491E305BB4130DBF263D133E
SHA-512:	BB9B0A08B56839252E8BF7CB83020EF42FBD6EADAAB4AD29D90A64BCB60506A6676FED79158DCF3C9FFF61FE2FD34B14EE673EB9A02FBBB9C91F33A1670AF33F
Malicious:	false
Reputation:	low
Preview:	Package: bluefish-data.Source: bluefish.Version: 2.2.12-1.1.Architecture: all.Maintainer: Jonathan Carter <jcc@debian.org>.Installed-Size: 8087.Section: web.Priority: optional.Homepage: http://bluefish.openoffice.nl.Description: advanced Gtk+ text editor (data). Bluefish is a powerful editor targeted towards programmers and web. developers, with many options to write websites, scripts and programming. code. Bluefish supports a wide variety of programming and markup languages. and has many features, e.g.. .. - Customizable code folding, auto indenting and completion. - Support for remote files operation over FTP, SFTP, HTTPS, WebDAV, etc.. - Site upload and download. - Powerful search and replace engine. - Customizable integration of external programs such as lint, make, etc. - Snippets plugin to automate often used code. - Code-aware in-line spell checking. - Zencoding or Emmet support. - Bookmarks panel. .. but is still lightweight and fast.. .. This package contains the arch

/tmp/dpkg-deb.YO0WnW/md5sums

Download File

Process:	/bin/tar
File Type:	ASCII text
Category:	dropped
Size (bytes):	37217
Entropy (8bit):	5.193725989322713
Encrypted:	false
SSDEEP:	384:tPIT+LTMzM0G2ui1ml7pES2nTI5pCeuzt50mGv5XOLVHXOgXO15JWr2aEykwnVut:tc+LTIM0Jwb248rVTiRyUnt1
MD5:	47566FA13D2F9D759976F4FB78408073
SHA1:	CAF4C37B38AA4AE0192E8C45725F6B867D481B6E
SHA-256:	A0FFCA064E5527F3D0A05C4AB0AA28BFAC24D97DD6E9F801095A260BAA1B9143
SHA-512:	54E96A0F3EB4A8534AEACFC8AC75D46D0569780EA89035A3D3D15C9708051C9A57DD56DC0F3F300E5E6CAE9E4EBF6B9CB9FA513637B5CBB7610DBAA534626467
Malicious:	false
Reputation:	low
Preview:	281db4538f70e88409a7e1abb45d087e usr/share/bluefish/bflang/JQuery.bfinc.1824494834786e40af67108517914ef5 usr/share/bluefish/bflang/ada.bflang2.3d0c1c56d16b981219971ff3bfc1ed86 usr/share/bluefish/bflang/all-html.bfinc.3616d9b5a5e39064d4203c59d131d938 usr/share/bluefish/bflang/all-html5.bfinc.c35b605a7bda40763526f2392f743bc5 usr/share/bluefish/bflang/all-javascript.bfinc.5c97b771d64c6d933ae8aaad60d1522a usr/share/bluefish/bflang/all-php.bfinc.5e76f4c09beaad2024c0d7ba0a050e6e usr/share/bluefish/bflang/all-vbscript.bfinc.a236136af2a160eb8164fec10f38aec8 usr/share/bluefish/bflang/asp-vbscript.bflang2.bf4dd4498cfc4cec3633b1303f4f1fcb usr/share/bluefish/bflang/asp.bflang2.83d2e83743bec029777778e9cabfef1f usr/share/bluefish/bflang/bflang2.bflang2.eba7be59facb753b79f8db553952b0db usr/share/bluefish/bflang/c.bflang2.19583a43418bf48463cf5ca3511fa0a0 usr/share/bluefish/bflang/cfml.bflang2.d0e1f3cc344c4ad940170de55ba00215 usr/share/bluefish/bflang/chuck.bflang2.54993799667d19c5d23d4b5e

/var/lib/fwupd/pending.db

Download File

Process:	/usr/lib/x86_64-linux-gnu/fwupd/fwupd
File Type:	SQLite 3.x database, last written using SQLite version 3011000, page size 1024, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	1.1422572379832086
Encrypted:	false
SSDEEP:	12:HLiuWkHS51C6p08GZVMMf8J3ajJj2gT5oDGS3K:riuWUS5cDXZVIqsgTRS3
MD5:	8363D24E246DF601D7A309537767C270
SHA1:	6B92F004A6B213919893C789B38CBBF93EB2DA04
SHA-256:	24E3C058D82CDCCEEF7E556D244E06AA9EB9CE34715C879BC8E96D883444EEAD
SHA-512:	1A45D1EC6F01F3F999C1DE23FE81D8EC128A7AE28949FC9761974D611518F06C5F44529294ED589EE5E66978A6FFE794E3DAB2777A01F3010AB01FF96746DFD8
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................atablependingpending.CREATE TABLE pending (device_id TEXT PRIMARY KEY,unique_id TEXT,state INTEGER DEFAULT 0,timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,error TEXT,filename TEXT,display_name TEXT,provider TEXT,version_old TEXT,version_new TEXT)-...A...indexsqlite_autoindex_p

/var/lib/fwupd/pending.db-journal

Download File

Process:	/usr/lib/x86_64-linux-gnu/fwupd/fwupd
File Type:	data
Category:	dropped
Size (bytes):	524
Entropy (8bit):	0.27937671757176796
Encrypted:	false
SSDEEP:	3:Eh1FlxllxFEG2l/n:Eb+/l/n
MD5:	10966F52590C99EE6AEA33C5A5535E66
SHA1:	14B55393B15936C8C8100F969161A59796AE342A
SHA-256:	7F3BA0A058BF6CD39AB7C4CE1C730983632EF7D6696F4CF99E730EFBF45655A5
SHA-512:	46280C67566F473D32EA8994380AEE12E3843BDE4DB99D9AD2F5B2BEC25EC473D943074AB0340A707906D290ACC48C08A410D9217FA90ABE7C205320010EFAF5
Malicious:	false
Reputation:	low
Preview:	.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................. .c.....

File type:	Debian binary package (format 2.0), with control.tar.xz, data compression xz
Entropy (8bit):	7.999825201790194
TrID:	Debian Linux Package (24024/1) 100.00%
File name:	bluefish-data_2.2.12-1.1_all(1).deb
File size:	2'412'364 bytes
MD5:	f3b0147686843cf4b09551c626bdd77d
SHA1:	4f9f4570ba5e21f859744b4f20122b30235dfb02
SHA256:	1e6b6f39d9384307e8110aafcaa9323412abf9084391448b2b10b5c0c19527b7
SHA512:	c73203d2fc210e5e1ffb21532cb3204ea8a55c8f72601ef8d9d930b3a62430c372d549aba83d6b0afee8d660bf43add7d1e520756c5fd681d0467bfe9731ece5
SSDEEP:	49152:yK8ucGBX5zsXtngg51KHPQ9Dftw+insblQMdE3QhkVSza2ops+e:yzg+tngg5+o9bxisZQMdR/a2o++e
TLSH:	39B533C95F93DB91E66932F51C079606FBDCB02708E6A381221E27E2BF21550BE578F4
File Content Preview:	!<arch>.debian-binary 1616548588 0 0 100644 4 `.2.0.control.tar.xz 1616548588 0 0 100644 9824 `..7zXZ......F...L...!..........]'...&.].....}....J>y...&.a<>..\p.-.&h.u^$.TK.Qdhw..5]..V.~.4..J..i:........%.mF.e<....J#.$..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 09:51:16.585254908 CET	41684	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:16.585254908 CET	41684	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:16.827763081 CET	53	41684	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:16.828702927 CET	53	41684	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:16.828989983 CET	49469	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:16.828989983 CET	49469	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:16.836492062 CET	53	49469	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:16.850305080 CET	53	49469	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:41.888442993 CET	42012	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:41.888442993 CET	42012	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:41.909545898 CET	53	42012	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:41.910207033 CET	53	42012	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:41.910430908 CET	60307	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:41.910522938 CET	60307	53	192.168.2.20	8.8.8.8
Oct 28, 2024 09:51:41.935436964 CET	53	60307	8.8.8.8	192.168.2.20
Oct 28, 2024 09:51:41.935879946 CET	53	60307	8.8.8.8	192.168.2.20

Start time (UTC):	08:50:45
Start date (UTC):	28/10/2024
Path:	/usr/bin/exo-open
Arguments:	exo-open /tmp/bluefish-data_2.2.12-1.1_all(1).deb
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Start time (UTC):	08:51:15
Start date (UTC):	28/10/2024
Path:	/usr/bin/gnome-software
Arguments:	-
File size:	701296 bytes
MD5 hash:	8676fce47b3f3e8c729aaaa8c935c235

Start time (UTC):	08:51:41
Start date (UTC):	28/10/2024
Path:	/usr/bin/gnome-software
Arguments:	-
File size:	701296 bytes
MD5 hash:	8676fce47b3f3e8c729aaaa8c935c235

Start time (UTC):	08:51:10
Start date (UTC):	28/10/2024
Path:	/lib/systemd/systemd
Arguments:	-
File size:	0 bytes
MD5 hash:	unknown

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report bluefish-data_2.2.12-1.1_all(1).deb

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/james/.cache/dconf/user

/home/james/.local/share/gnome-software/ubuntu-reviews.db

/home/james/.local/share/gnome-software/ubuntu-reviews.db-journal

/tmp/dpkg-deb.YO0WnW/control

/tmp/dpkg-deb.YO0WnW/md5sums

/var/lib/fwupd/pending.db

/var/lib/fwupd/pending.db-journal

Static File Info

General

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: exo-open PID: 4746, Parent PID: 4686

General

Chronological Activities

Analysis Process: exo-open PID: 4754, Parent PID: 4746

General

Chronological Activities

Analysis Process: dbus-launch PID: 4754, Parent PID: 4746

General

Chronological Activities

Analysis Process: exo-open PID: 4767, Parent PID: 4746

General

Chronological Activities

Analysis Process: exo-open PID: 4772, Parent PID: 4767

General

Chronological Activities

Analysis Process: gnome-software PID: 4772, Parent PID: 1656

General

Chronological Activities

Analysis Process: gnome-software PID: 4789, Parent PID: 4772

General

Linux Analysis Report
bluefish-data_2.2.12-1.1_all(1).deb