Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

SGNConnect_v5.0.20.deb

Debian binary package (format 2.0), with control.tar.xz, data compression xz

initial sample

Details

Filetype:	Debian binary package (format 2.0), with control.tar.xz, data compression xz
Entropy:	7.999996207675499
Filename:	SGNConnect_v5.0.20.deb
Filesize:	49183836
MD5:	8aa66ae2a690b14f05dcd0289714e99d
SHA1:	32a4113918a775b59bc2273fc11c48bc62272e89
SHA256:	7383858f6f991035ec2a43e70af6e103dc6bfc6e06c62e1d1474d638c8fb4867
SHA512:	4b5bb1a9626deee12cce7308a142af72e977c176ab4a973b4fc9bf70470ad7541920d9601b620e69472257659f84ea18698e67f3b9e5b0e6fca0a661d37f8677
SSDEEP:	786432:V/2Jb+Vupk2WAUD5Sxt0zPNLaPodwSj9MppcVcX4xd7/8JcZmsYaf3RebKVniIdp:V/oQupXODUx+zPN2AwSjIyJxd7UaX3RJ
Preview:	!<arch>.debian-binary 1633376706 0 0 100644 4 `.2.0.control.tar.xz 1633376706 0 0 100644 4028 `..7zXZ......F.......!.............O..q].....}....J>y...&.^....5...6..=../0.IDBgS$.(35....].y.........x...:..j.#..}.....T;<Mr

/root/.cache/dconf/user

data

dropped

Details

File:	/root/.cache/dconf/user
Category:	dropped
Dump:	user.39.dr
ID:	dr_0
Target ID:	39
Process:	/usr/bin/engrampa
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2
Whitelisted:	false
Reputation:	moderate

/tmp/dpkg-deb.7lBi6l/conffiles

ASCII text

dropped

Details

File:	/tmp/dpkg-deb.7lBi6l/conffiles
Category:	dropped
Dump:	conffiles.50.dr
ID:	dr_1
Target ID:	50
Process:	/usr/bin/tar
Type:	ASCII text
Entropy:	4.357558369976583
Encrypted:	false
Ssdeep:	3:MteoiECAHRayqmr8SLv:roiUHIyqob
Size:	53
Whitelisted:	false
Reputation:	low

/tmp/dpkg-deb.7lBi6l/control

ASCII text, with very long lines (477)

dropped

Details

File:	/tmp/dpkg-deb.7lBi6l/control
Category:	dropped
Dump:	control.50.dr
ID:	dr_2
Target ID:	50
Process:	/usr/bin/tar
Type:	ASCII text, with very long lines (477)
Entropy:	5.142130985735185
Encrypted:	false
Ssdeep:	24:/XgnLzKHJW93wzIuu+9Q3BWiHxiK5MCXLjRMCX:/wnLzKH09IIYQRWIDMq/RMW
Size:	784
Whitelisted:	false
Reputation:	low

/tmp/dpkg-deb.7lBi6l/md5sums

ASCII text

dropped

Details

File:	/tmp/dpkg-deb.7lBi6l/md5sums
Category:	dropped
Dump:	md5sums.50.dr
ID:	dr_3
Target ID:	50
Process:	/usr/bin/tar
Type:	ASCII text
Entropy:	5.002582166122907
Encrypted:	false
Ssdeep:	192:/2h3DcaBiy2mcPLDQP/XzK7vEgpHwW+BXy:YYaktmcjDQPPm7ZKw
Size:	9491
Whitelisted:	false
Reputation:	low

/tmp/dpkg-deb.7lBi6l/postinst

POSIX shell script, ASCII text executable

dropped

Details

File:	/tmp/dpkg-deb.7lBi6l/postinst
Category:	dropped
Dump:	postinst.50.dr
ID:	dr_4
Target ID:	50
Process:	/usr/bin/tar
Type:	POSIX shell script, ASCII text executable
Entropy:	4.441739966294269
Encrypted:	false
Ssdeep:	12:GYQ+wPB4W2WxKTKl21lPaZgTKgUuPGMGkTKR:2fOGADlo8BTO
Size:	502
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes shell script file to disk with an unusual file extension	Persistence and Installation Behavior

/tmp/dpkg-deb.7lBi6l/prerm

POSIX shell script, ASCII text executable

dropped

Details

File:	/tmp/dpkg-deb.7lBi6l/prerm
Category:	dropped
Dump:	prerm.50.dr
ID:	dr_5
Target ID:	50
Process:	/usr/bin/tar
Type:	POSIX shell script, ASCII text executable
Entropy:	4.492250677892201
Encrypted:	false
Ssdeep:	12:ioiFGBQL7wAFv4bGDTKYggTKoN/pfzfqrFeFFeFIPt74H:NiFeQL7Dv4SnZg89N/pfzfC4FaIPCH
Size:	566
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes shell script file to disk with an unusual file extension	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/usr/bin/exo-open

exo-open /tmp/SGNConnect_v5.0.20.deb

/usr/bin/exo-open

/usr/bin/dbus-launch

dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr

/usr/bin/exo-open

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh engrampa /tmp/SGNConnect_v5.0.20.deb

/usr/bin/engrampa

engrampa /tmp/SGNConnect_v5.0.20.deb

/usr/bin/engrampa

/usr/bin/dbus-launch

dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr

/usr/bin/engrampa

/usr/bin/dpkg-deb

dpkg-deb -I /tmp/SGNConnect_v5.0.20.deb

/usr/bin/dpkg-deb

/usr/bin/tar

tar -x -m -f - --warning=no-timestamp

/usr/bin/dpkg-deb

/usr/bin/rm

rm -rf -- /tmp/dpkg-deb.7lBi6l

/usr/bin/engrampa

/usr/bin/dpkg-deb

dpkg-deb -c /tmp/SGNConnect_v5.0.20.deb

/usr/bin/dpkg-deb

/usr/bin/tar

tar -tv -f - --warning=no-timestamp

There are 13 hidden processes, click here to show them.

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SGNConnect_v5.0.20.deb

Files

Processes

Domains

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSGNConnect_v5.0.20.deb

Files

Processes

Domains

IOC Report
SGNConnect_v5.0.20.deb