ID: 130390
Sample Name: sqlninja_0.2.6-r1-1raring0_all.deb
Cookbook: defaultlinuxfilecookbook.jbs
Time: 20:49:43
Date: 09/05/2019
Version: 26.0.0 Aquamarine

Table of Contents

Table of Contents  2
Analysis Report sqlninja_0.2.6-r1-1raring0_all.deb  4
  Overview  4
    General Information  4
    Detection  4
    Classification  4
    Mitre Att&ck Matrix  5
  Signature Overview  5
    AV Detection:  6
    Networking:  6
    System Summary:  6
    Persistence and Installation Behavior:  6
    Malware Analysis System Evasion:  6
  Runtime Messages  6
  Behavior Graph  6
  Yara Overview  7
    Initial Sample  7
    PCAP (Network Traffic)  7
    Dropped Files  7
  Joe Sandbox View / Context  7
    IPs  7
    Domains  8
    ASN  8
    JA3 Fingerprints  8
    Dropped Files  8
  Antivirus and Machine Learning Detection  8
    Initial Sample  8
    Dropped Files  8
    Domains  9
    URLs  9
  Screenshots  9
    Thumbnails  9
  Startup  9
  Created / dropped Files  10
  Domains and IPs  12
    Contacted Domains  12
    Contacted IPs  12
      Public  12
  Static File Info  12
    General  12
  Network Behavior  13
    Network Port Distribution  13
    TCP Packets  13
    UDP Packets  13
    DNS Queries  13
    DNS Answers  13
    HTTPS Packets  13
  System Behavior  14
    Analysis Process: gnome-software PID: 20951 Parent PID: 20139  14
      General  14
      File Activities  14
        File Deleted  14
        File Read  14
        File Written  14
        Directory Enumerated  14
        Directory Created  14
        Owner / Group Modified  14
        Permission Modified  14
    Analysis Process: gnome-software PID: 20974 Parent PID: 20951  14
      General  14
      File Activities  15
        Directory Enumerated  15
    Analysis Process: dbus-launch PID: 20974 Parent PID: 20951  15
      General  15
      File Activities  15
        File Read  15
    Analysis Process: gnome-software PID: 21043 Parent PID: 20951  15
      General  15
      File Activities  15
        Directory Enumerated  15
    Analysis Process: dpkg-deb PID: 21043 Parent PID: 20951  15
      General  15
      File Activities  15
        File Read  15
        Directory Created  15
        Directory Deleted  16
    Analysis Process: dpkg-deb PID: 21044 Parent PID: 21043  16
      General  16
      File Activities  16
        File Read  16
    Analysis Process: dpkg-deb PID: 21045 Parent PID: 21043  16
      General  16
      File Activities  16
        File Read  16
    Analysis Process: dpkg-deb PID: 21046 Parent PID: 21043  16
      General  16
    Analysis Process: tar PID: 21046 Parent PID: 21043  16
      General  16
      File Activities  17
        File Read  17
        File Written  17
        Directory Created  17
        Owner / Group Modified  17
        Permission Modified  17
    Analysis Process: dpkg-deb PID: 21048 Parent PID: 21043  17
      General  17
    Analysis Process: rm PID: 21048 Parent PID: 21043  17
      General  17
      File Activities  17
        File Deleted  17
        File Read  17
        Directory Enumerated  17
    Analysis Process: gnome-software PID: 21116 Parent PID: 20951  17
      General  17
      File Activities  17
        Directory Enumerated  18
    Analysis Process: dpkg PID: 21116 Parent PID: 20951  18
      General  18
      File Activities  18
        File Read  18
        Directory Enumerated  18
    Analysis Process: gnome-software PID: 21117 Parent PID: 20951  18
      General  18
      File Activities  18
        Directory Enumerated  18
    Analysis Process: dpkg PID: 21117 Parent PID: 20951  18
      General  18
      File Activities  18
        File Read  18
        Directory Enumerated  18
    Analysis Process: systemd PID: 21014 Parent PID: 1  18
      General  19
    Analysis Process: fwupd PID: 21014 Parent PID: 1  19
      General  19
      File Activities  19
        File Deleted  19
        File Read  19
        File Written  19
        Directory Enumerated  19
        Directory Created  19
        Owner / Group Modified  19

Copyright Joe Security LLC 2019 Page 2 of 19

Analysis Report sqlninja_0.2.6-r1-1raring0_all.deb

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 130390
Start date: 09.05.2019
Start time: 20:49:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: sqlninja_0.2.6-r1-1raring0_all.deb
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal48.linDEB@0/7@4/0

Detection

Strategy   Score  Range    Reporting  Whitelisted  Detection
Threshold  48     0 - 100             false

(The Reporting and Detection cells are graphical in the original report; the Detection verdict is MAL, as listed under General Information.)

Classification

Classification chart (graphical): the sample is plotted against the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware on a scale of clean, suspicious, malicious.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
Persistence: Hidden Files and Directories 1; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Hidden Files and Directories 1; File Deletion 1; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2

(A number after a technique is the count of signatures that matched it in this analysis; techniques without a number did not match.)

Signature Overview

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

AV Detection:

Multi AV Scanner detection for submitted file

Networking:

Connects to IPs without corresponding DNS lookups

Performs DNS lookups

Uses HTTPS

System Summary:

Classification label

Persistence and Installation Behavior:

Creates hidden files and/or directories

Executes the "rm" command used to delete files or directories

Sample tries to set the executable flag

Sample's exit code indicates no error despite standard error output

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Runtime Messages

Command: xdg-open "/tmp/sqlninja_0.2.6-r1-1raring0_all.deb"
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:
(gnome-software:20951): GsPlugin-WARNING **: could not lookup cached macaroon: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached
(gnome-software:20951): IBUS-WARNING **: The owner of /home/user/.config/ibus/bus is not root!

Behavior Graph

Behavior Graph (graphical; legend and node labels recovered from the figure)

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Number of created Files, Internet
ID: 130390
Sample: sqlninja_0.2.6-r1-1raring0_all.deb
Startdate: 09/05/2019
Architecture: LINUX
Score: 48

Signature node: Multi AV Scanner detection for submitted file
Network nodes: reviews.ubuntu.com; 91.189.94.244, 443, 47334, 47336 (United Kingdom, unknown); 91.189.92.41, 443, 58830 (United Kingdom, unknown)

Process nodes:
  top level: systemd, gnome-software, fwupd
  gnome-software started: gnome-software (x4), dpkg-deb, dbus-launch, dpkg (x2)
  dpkg-deb started: dpkg-deb (x4), tar, rm

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Joe Sandbox View / Context

IPs

Match         Associated Sample Name / URL  Detection
91.189.92.41  173.208.186.54/g.txt          malicious
              zmcat.txt                     malicious
              f4cdc407                      malicious
              a.sh                          malicious
              4Zcb1GzjZE                    malicious
              KzFtsE2yzc.bin                malicious
              hostmu                        malicious
              FqpYARHxM1                    malicious

(The SHA 256 and Link columns of the original table are interactive "Get hash" / "Browse" controls; the Context column is empty.)

Domains

No context

ASN

Match    Associated Sample Name / URL                                          Detection  Context
unknown  request.doc                                                           malicious  192.168.0.44
         FERK444259.doc                                                        malicious  192.168.0.44
         b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js  malicious  192.168.0.40
         Setup.exe                                                             malicious  192.168.0.40
         base64.pdf                                                            malicious  192.168.0.40
         file.pdf                                                              malicious  192.168.0.40
         Spread sheet 2.pdf                                                    malicious  192.168.0.40
         request_08.30.doc                                                     malicious  192.168.0.44
         P_2038402.xlsx                                                        malicious  192.168.0.44
         48b1cf747a678641566cd1778777ca72.apk                                  malicious  192.168.0.22
         seu nome na lista de favorecidos.exe                                  malicious  192.168.0.40
         Adm_Boleto.via2.com                                                   malicious  192.168.0.40
         QuitacaoVotorantim345309.exe                                          malicious  192.168.0.40
         pptxb.pdf                                                             malicious  192.168.0.40

(The original table contains two "unknown" matches with identical associated-sample lists; the list is given once here. The SHA 256 and Link columns are interactive "Get hash" / "Browse" controls.)

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus and Machine Learning Detection

Initial Sample

Source                              Detection  Scanner       Label
sqlninja_0.2.6-r1-1raring0_all.deb  38%        virustotal
sqlninja_0.2.6-r1-1raring0_all.deb  83%        metadefender

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

system is lnxubuntu1
gnome-software (PID: 20951, Parent: 20139, MD5: 2f6a627632bb6e2de787afca7991385a)
  gnome-software New Fork (PID: 20974, Parent: 20951)
    dbus-launch (PID: 20974, Parent: 20951, MD5: e4a469f27d130d783c21ce9c1c4456c3)
  gnome-software New Fork (PID: 21043, Parent: 20951)
    dpkg-deb (PID: 21043, Parent: 20951, MD5: 7c78968571f39afad418396db4543563)
      dpkg-deb New Fork (PID: 21044, Parent: 21043)
      dpkg-deb New Fork (PID: 21045, Parent: 21043)
      dpkg-deb New Fork (PID: 21046, Parent: 21043)
        tar (PID: 21046, Parent: 21043, MD5: dbc4507f4db5b41f7358b28bce65a15d)
      dpkg-deb New Fork (PID: 21048, Parent: 21043)
        rm (PID: 21048, Parent: 21043, MD5: b79876063d894c449856cca508ecca7f)
  gnome-software New Fork (PID: 21116, Parent: 20951)
    dpkg (PID: 21116, Parent: 20951, MD5: c2dc0f2569ffaebda7332d968a0e32f7)
  gnome-software New Fork (PID: 21117, Parent: 20951)
    dpkg (PID: 21117, Parent: 20951, MD5: c2dc0f2569ffaebda7332d968a0e32f7)
systemd New Fork (PID: 21014, Parent: 1)
  fwupd (PID: 21014, Parent: 1, MD5: e6fa9d74e9230801b2e3a830a5d21445)
cleanup

Created / dropped Files

/home/user/.cache/dconf/user
Process: /usr/bin/gnome-software
File Type: data
Size (bytes): 2
Entropy (8bit): 0.0
Encrypted: false
MD5: C4103F122D27677C9DB144CAE1394A66
SHA1: 1489F923C4DCA729178B3E3233458550D8DDDF29
SHA-256: 96A296D224F285C67BEE93C30F8A309157F0DAA35DC5B87E410B78630A09CFC7
SHA-512: 5EA71DC6D0B4F57BF39AADD07C208C35F06CD2BAC5FDE210397F70DE11D439C62EC1CDF3183758865FD387FCEA0BADA2F6C37A4A17851DD1D78FEFE6F204EE54
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..

/home/user/.local/share/gnome-software/ubuntu-reviews.db
Process: /usr/bin/gnome-software
File Type: SQLite 3.x database, last written using SQLite version 3011000
Size (bytes): 15360
Entropy (8bit): 1.9194588338253045
Encrypted: false
MD5: AB2D06902504408F54099B7CC4F5340E
SHA1: F17FEC0D9096E3DF5AF449F67E046A32DB4A8764
SHA-256: AC434986E5C85CA7F8BD73E436A669DB724AECA5E7F51ACCFA69481BADDB381D
SHA-512: 92F45A5B32C28155CDFC7B0F1EB4A3F75AFB0A7DE4C13F73CA27D2779A8DAE933731524ADD06A3E8440CE1012684F485BFBA301EB0F6079F1B480BB461B4A26F
Malicious: false
Reputation: low
Preview: SQLite format 3...... @ ...... -...... %%..Qtablereview_statsreview_stats.CREATE TABLE review_stats (package_name TEXT PRIMARY KEY,one_star_count INTEGER DEFAULT 0,two_star_count INTEGER DEFAULT 0,three_star_count INTEGER DEFAULT 0, four_star_count INTEGER DEFAULT 0,five_star_count INTEGER DEFAULT 0)7...K%..indexsqlite_autoindex_review_stat

/home/user/.local/share/gnome-software/ubuntu-reviews.db-journal
Process: /usr/bin/gnome-software
File Type: SQLite Rollback Journal
Size (bytes): 10816
Entropy (8bit): 2.140716504792173
Encrypted: false
MD5: 779B5289BEA50E8B026F674F05EA132E
SHA1: AB1E63DA53F3F33239FFE992EAA9BE92BFF488B1
SHA-256: 81B6CF1E4E1A96182F75B2B97966FB6C554492D981A8EE9DA80C7BD2EEDE5702
SHA-512: 197DDCA6A4B9B02879D9C53F06A2E24DC2D980EDC7708AEB9ACFB9B486CF4EC5136FC8E2DF099C3F111DFA3C47CC91CC9022E0BBDDF6F755D9953BE3B33FB91F
Malicious: false
Reputation: low
Preview: .... .c...... q...... c...... /I......

/tmp/dpkg-deb.mdbWan/control
Process: /bin/tar
File Type: ASCII text
Size (bytes): 766
Entropy (8bit): 4.797119540872652
Encrypted: false
MD5: 5EF2C1EF0365478BA8E997888956A4BC
SHA1: 70059DD115BF0466D06E82D9911C94D15266E143
SHA-256: 62A5B3D3F7CBF41AEE8D90D924DD40003FE78DA4176DDC90E63CBF82658005F8
SHA-512: 754DF8B23030AC11DF6B489E637BDBF64295C336CDF30CC5AFB5023C7F23D2C4A6FDBAC418AB70433C1E9D8F0A53C9EFB5F45C5C95B8E2A47DE106F1EFCC7AAE
Malicious: false
Reputation: low
Preview:
Package: sqlninja
Version: 0.2.6-r1-1raring0
Architecture: all
Maintainer: Devon Kearns
Installed-Size: 1169
Depends: perl, libnetpacket-perl, libnet-pcap-perl, libnet-dns-perl, libnet-rawip-perl, libio-socket-ip-perl
Section: utils
Priority: extra
Homepage: http://sqlninja.sourceforge.net/
Description: SQL server injection and takeover tool
 Fancy going from a SQL Injection on Microsoft SQL Server to
 a full GUI access on the DB? Take a few new SQL Injection
 tricks, add a couple of remote shots in the registry to
 disable Data Execution Prevention, mix with a little Perl
 that automatically generates a debug script, put all this
 in a shaker with a Metasploit wr , shake well and you
 have just one of the attack modules of sqlninja!

/tmp/dpkg-deb.mdbWan/md5sums
Process: /bin/tar
File Type: ASCII text
Size (bytes): 3559
Entropy (8bit): 4.956274145236225
Encrypted: false
MD5: 438ADA027253B346E3690B9AC4B4218A
SHA1: 706FF7BA034709482D5DBFDE41E89D195B8DDF42
SHA-256: 37596742DFA639A185C582ACEDC04072C6EC24A1E557330B234695BD2C230F66
SHA-512: 82BFAC3340DCC368B4124AA43EF8D3FC5F514991C2A725FE3F3D4E710478A1E55167BCC80B6520FD9912071C3424B76CB2EA572FDF5AA33E3E7654B3D7334AFF
Malicious: false
Reputation: low
Preview:
b1e28fe77953f3edbb5fad41ba9a0099 usr/bin/sqlninja
9f8e2c152c019dc403540dbd0b7695e8 usr/share/doc/sqlninja/ChangeLog
d8a4dc201a808cd33c4b7f3863bce35f usr/share/doc/sqlninja/README
4a8886e4d8565d462814363ffe4b32e2 usr/share/doc/sqlninja/changelog.Debian.gz
f17ae03db4e2a121cd1b2ae4c66719eb usr/share/doc/sqlninja/copyright
c2de6809cb6e68d6287c541d68910cf3 usr/share/doc/sqlninja/sqlninja-howto.html
2e9523b6266de3e974d86aff27895a8e usr/share/doc/sqlninja/sqlninja.conf.example.gz
956c97d1290c6bc5fa669f387cca97fe usr/share/sqlninja/apps/churrasco.exe
f4f9a7aa8a8dc2dd4190d116840c2293 usr/share/sqlninja/apps/dnstun.exe
0c371a2ee5af91b1b1573725b025b0b0 usr/share/sqlninja/apps/icmpsh.exe
beea7f3a28a1c08f47f25a042be5cea9 usr/share/sqlninja/apps/nc.exe
9c5806f6b50a3cccb152df1e95b18629 usr/share/sqlninja/apps/vdmallowed.exe
cc03f6dbcf0ae1a03388aec92f7ba79b usr/share/sqlninja/apps/vdmexploit.dll
4fc82920cf30e5b773e845831601e43d usr/share/sqlninja/scripts/churrasco.scr
458ee6abe5a1db1e98f

/var/lib/fwupd/pending.db
Process: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
File Type: SQLite 3.x database, last written using SQLite version 3011000
Size (bytes): 3072
Entropy (8bit): 1.1422572379832086
Encrypted: false
MD5: 8363D24E246DF601D7A309537767C270
SHA1: 6B92F004A6B213919893C789B38CBBF93EB2DA04
SHA-256: 24E3C058D82CDCCEEF7E556D244E06AA9EB9CE34715C879BC8E96D883444EEAD
SHA-512: 1A45D1EC6F01F3F999C1DE23FE81D8EC128A7AE28949FC9761974D611518F06C5F44529294ED589EE5E66978A6FFE794E3DAB2777A01F3010AB01FF96746DFD8
Malicious: false
Reputation: low
Preview: SQLite format 3...... @ ...... -...... atablependingpending.CREATE TABLE pending (device_id TEXT PRIMARY KEY,unique_id TEXT,state INTEGER DEFAULT 0,timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,error TEXT,filename TEXT,display_name TEXT,provider TEXT,version_old TEXT,version_new TEXT)-...A...indexsqlite_autoindex_p

/var/lib/fwupd/pending.db-journal
Process: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
File Type: data
Size (bytes): 524
Entropy (8bit): 0.2594559886383577
Encrypted: false
MD5: 507960C48B90203F1B7D05C1CCD320A7
SHA1: 8050C09CE7B2F45C273416FD21BD78C12F7BF4A1
SHA-256: F3DAA7E7929534229D1298FE9876475A5F96CF19D88C991AD4751564A53AF851
SHA-512: 7EF34ECD022FEBD0B5ADB6E66E516DBC36C58ECAD34E6FCE7B9A1DBE5BC60A87C57CDBA46E75B6B656D75F2D04627335BBA0FA8C037D427AE1A955DFEA9458B3
Malicious: false
Reputation: low
Preview: ...... x6...... c.....

Domains and IPs

Contacted Domains

Name                IP             Active  Malicious  Antivirus Detection  Reputation
reviews.ubuntu.com  91.189.94.244  true    false                           high

Contacted IPs


Public

IP             Country         ASN    ASN Name  Malicious
91.189.94.244  United Kingdom  41231  unknown   false
91.189.92.41   United Kingdom  41231  unknown   false

Static File Info

General

File type: Debian binary package (format 2.0)
Entropy (8bit): 7.99899346141662
TrID: Debian Linux Package (24024/1) 100.00%
File name: sqlninja_0.2.6-r1-1raring0_all.deb
File size: 440528
MD5: 449dc88c69e2a58474305cc30dc706e4
SHA1: e6d4c1b3901903249c6758943261d44ae0663ab2
SHA256: a181f62e4b92e4a6cbe7c92c277a011a959d32568820b054f0e180c703c61220
SHA512: 1dfb21ccee00361ea39903848352e406b7d69cae6f78d01a027f798731d53693aa26711b304127fb832d6ce73e8b15757794fa9539b024ee64ba2c7aeea26264
SSDEEP: 12288:5QwsioHGcrw835IsBPNY8wZcOYTEWfX7WfBaJ:5Qws/HB7I0VlOoHfrWJa
File Content Preview (ar archive header of the .deb; non-printable bytes shown as dots):
!<arch>
debian-binary   1363943546  0  0  100644  4     `
2.0
control.tar.gz  1363943546  0  0  100644  1730  `
...... Wms...... O...... A..6.v.].v...Z .q...... N;...... `....,....RI....K...... *.m{6.C=6.s..Ge

Network Behavior

Network Port Distribution

Total Packets: 36
• 53 (DNS)
• 443 (HTTPS)

TCP Packets

UDP Packets

DNS Queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                Type            Class
May 9, 2019 20:51:50.436897039 CEST  192.168.2.20  8.8.8.8  0x8a6a    Standard query (0)  reviews.ubuntu.com  A (IP address)  IN (0x0001)
May 9, 2019 20:51:50.437041998 CEST  192.168.2.20  8.8.8.8  0xda93    Standard query (0)  reviews.ubuntu.com  28 (AAAA)       IN (0x0001)
May 9, 2019 20:52:15.742047071 CEST  192.168.2.20  8.8.8.8  0x127f    Standard query (0)  reviews.ubuntu.com  A (IP address)  IN (0x0001)
May 9, 2019 20:52:15.742283106 CEST  192.168.2.20  8.8.8.8  0x31bc    Standard query (0)  reviews.ubuntu.com  28 (AAAA)       IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                CName  Address        Type            Class
May 9, 2019 20:51:50.472755909 CEST  8.8.8.8    192.168.2.20  0x8a6a    No error (0)  reviews.ubuntu.com         91.189.94.244  A (IP address)  IN (0x0001)
May 9, 2019 20:52:15.770432949 CEST  8.8.8.8    192.168.2.20  0x127f    No error (0)  reviews.ubuntu.com         91.189.94.244  A (IP address)  IN (0x0001)

HTTPS Packets

Timestamp: May 9, 2019 20:51:50.553039074 CEST
Source IP: 91.189.94.244
Source Port: 443
Dest IP: 192.168.2.20
Dest Port: 47334
Subject: CN=reviews.ubuntu.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Not Before: Tue Mar 12 05:32:14 CET 2019
Not After: Mon Jun 10 06:32:14 CEST 2019
Chain certificate: Subject CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Issuer CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before Thu Mar 17 17:40:46 CET 2016; Not After Wed Mar 17 17:40:46 CET 2021
JA3 SSL Client Fingerprint: 771,49195-49196-49286-49287-49161-49187-49162-49188-49266-49267-49324-49325-49160-49199-49200-49290-49291-49171-49191-49172-49192-49270-49271-49170-156-157-49274-49275-47-60-53-61-65-186-132-192-49308-49309-10-158-159-49276-49277-51-103-57-107-69-190-136-196-49310-49311-22,5-0-65281-35-10-11-13,23-24-25-21-19,0
JA3 SSL Client Digest: 2b8aaa95a836171ffc6466237edc9dee

System Behavior

Analysis Process: gnome-software PID: 20951 Parent PID: 20139

General

Start time: 20:51:21
Start date: 09/05/2019
Path: /usr/bin/gnome-software
Arguments: gnome-software --local-filename=/tmp/sqlninja_0.2.6-r1-1raring0_all.deb
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

File Deleted

File Read

File Written

Directory Enumerated

Directory Created

Owner / Group Modified

Permission Modified

Analysis Process: gnome-software PID: 20974 Parent PID: 20951

General

Start time: 20:51:21
Start date: 09/05/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dbus-launch PID: 20974 Parent PID: 20951

General

Start time: 20:51:21
Start date: 09/05/2019
Path: /usr/bin/dbus-launch
Arguments: dbus-launch --autolaunch=f0b45546524a75b2e6e8e8a55aab94da --binary-syntax --close-stderr
File size: 26616 bytes
MD5 hash: e4a469f27d130d783c21ce9c1c4456c3

File Activities

File Read

Analysis Process: gnome-software PID: 21043 Parent PID: 20951

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dpkg-deb PID: 21043 Parent PID: 20951

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /usr/bin/dpkg-deb
Arguments: /usr/bin/dpkg-deb --showformat=${Package}\\n${Version}\\n${Installed-Size}\\n${Homepage}\\n${Description} -W /tmp/sqlninja_0.2.6-r1-1raring0_all.deb
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

File Activities

File Read

Directory Created

Directory Deleted

Analysis Process: dpkg-deb PID: 21044 Parent PID: 21043

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

File Activities

File Read

Analysis Process: dpkg-deb PID: 21045 Parent PID: 21043

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

File Activities

File Read

Analysis Process: dpkg-deb PID: 21046 Parent PID: 21043

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

Analysis Process: tar PID: 21046 Parent PID: 21043

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /bin/tar
Arguments: tar -x -m -f - --warning=no-timestamp
File size: 383632 bytes
MD5 hash: dbc4507f4db5b41f7358b28bce65a15d

File Activities

File Read

File Written

Directory Created

Owner / Group Modified

Permission Modified

Analysis Process: dpkg-deb PID: 21048 Parent PID: 21043

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

Analysis Process: rm PID: 21048 Parent PID: 21043

General

Start time: 20:51:49
Start date: 09/05/2019
Path: /bin/rm
Arguments: rm -rf -- /tmp/dpkg-deb.mdbWan
File size: 60272 bytes
MD5 hash: b79876063d894c449856cca508ecca7f

File Activities

File Deleted

File Read

Directory Enumerated

Analysis Process: gnome-software PID: 21116 Parent PID: 20951

General

Start time: 20:52:15
Start date: 09/05/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dpkg PID: 21116 Parent PID: 20951

General

Start time: 20:52:15
Start date: 09/05/2019
Path: /usr/bin/dpkg
Arguments: /usr/bin/dpkg --print-foreign-architectures
File size: 278264 bytes
MD5 hash: c2dc0f2569ffaebda7332d968a0e32f7

File Activities

File Read

Directory Enumerated

Analysis Process: gnome-software PID: 21117 Parent PID: 20951

General

Start time: 20:52:15
Start date: 09/05/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dpkg PID: 21117 Parent PID: 20951

General

Start time: 20:52:15
Start date: 09/05/2019
Path: /usr/bin/dpkg
Arguments: /usr/bin/dpkg --print-foreign-architectures
File size: 278264 bytes
MD5 hash: c2dc0f2569ffaebda7332d968a0e32f7

File Activities

File Read

Directory Enumerated

Analysis Process: systemd PID: 21014 Parent PID: 1

General

Start time: 20:51:46
Start date: 09/05/2019
Path: /lib/systemd/systemd
Arguments: n/a
File size: 0 bytes
MD5 hash: 00000000000000000000000000000000

Analysis Process: fwupd PID: 21014 Parent PID: 1

General

Start time: 20:51:46
Start date: 09/05/2019
Path: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
Arguments: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
File size: 104656 bytes
MD5 hash: e6fa9d74e9230801b2e3a830a5d21445

File Activities

File Deleted

File Read

File Written

Directory Enumerated

Directory Created

Owner / Group Modified
