ID: 154829
Sample Name: veraport-g3_amd64.deb
Cookbook: defaultlinuxfilecookbook.jbs
Time: 06:34:22
Date: 22/07/2019
Version: 26.0.0 Aquamarine


Analysis Report veraport-g3_amd64.deb

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 154829
Start date: 22.07.2019
Start time: 06:34:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: veraport-g3_amd64.deb
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: CLEAN
Classification: clean3.linDEB@0/8@4/0

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 3 | 0 - 100 | | false |

Classification

Classification chart (figure): the sample is plotted on a malicious / suspicious / clean scale across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Command-Line Interface 1 | Hidden Files and Directories 1 | Port Monitors | Hidden Files and Directories 1 | Credential Dumping | Security Software Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | File Deletion 1 | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 2

(A number after a technique name is the count of signatures that matched it.)

Signature Overview

• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Networking:

Connects to IPs without corresponding DNS lookups

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Sample contains strings that are potentially command strings

Classification label

Persistence and Installation Behavior:

Creates hidden files and/or directories

Executes the "rm" command used to delete files or directories

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Sample's exit code indicates no error despite standard error output

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Runtime Messages

Command: xdg-open "/tmp/veraport-g3_amd64.deb"
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:
(gnome-software:20860): GsPlugin-WARNING **: could not lookup cached macaroon: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached
(gnome-software:20860): IBUS-WARNING **: The owner of /home/user/.config/ibus/bus is not root!

Behavior Graph

Behavior graph (figure). Legend: ID: 154829, Sample: veraport-g3_amd64.deb, Startdate: 22/07/2019, Architecture: LINUX, Score: 3. Node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Internet, Number of created Files. Edge types: started, dropped.

Process tree recovered from the graph:
systemd
gnome-software
  started: gnome-software, gnome-software, gnome-software, gnome-software, dpkg-deb, dbus-launch, dpkg, dpkg
  dpkg-deb
    started: dpkg-deb, dpkg-deb, dpkg-deb, dpkg-deb, tar, rm
fwupd

DNS/IP info:
reviews.ubuntu.com
91.189.92.19, 443, 47156 (unknown, United Kingdom)
91.189.94.244, 443, 47334, 47336 (unknown, United Kingdom)

Dropped files:
/tmp/dpkg-deb.aV8ZOc/prerm, POSIX
/tmp/dpkg-deb.aV8ZOc/postinst, POSIX

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Joe Sandbox View / Context

IPs

Match: 91.189.92.19
Associated samples (Detection: malicious for each): hostmc; file.elf; CKvfpSM1Au; cmmyfa3; hmar6.jar; khugepageds; bwmckudohs; 23c98d48062eac1b5cce1e7294dba92f24ad535e0b16abb40370f84552bf8a58; e1subAxOoZ.elf; sample23; 178.62.117.21/bash; genesis.bin; seasame; apache2; test7777; sshd; payload; olazvs; 2019-02-05 23-01-02.flv; 2019-02-05 23-01-02.flv

Match: 91.189.94.244
Associated samples (Detection: malicious): sqlninja_0.2.6-r1-1raring0_all.deb

Domains

Match: reviews.ubuntu.com
Associated Sample Name / URL: sqlninja_0.2.6-r1-1raring0_all.deb
Detection: malicious
Context: 91.189.94.244

ASN

Match: unknown
Associated samples (Detection: malicious for each, with Context IP):
request.doc (192.168.0.44)
FERK444259.doc (192.168.0.44)
b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js (192.168.0.40)
Setup.exe (192.168.0.40)
base64.pdf (192.168.0.40)
file.pdf (192.168.0.40)
Spread sheet 2.pdf (192.168.0.40)
request_08.30.doc (192.168.0.44)
P_2038402.xlsx (192.168.0.44)
48b1cf747a678641566cd1778777ca72.apk (192.168.0.22)
seu nome na lista de favorecidos.exe (192.168.0.40)
Adm_Boleto.via2.com (192.168.0.40)
QuitacaoVotorantim345309.exe (192.168.0.40)
pptxb.pdf (192.168.0.40)

JA3 Fingerprints

Match: 2b8aaa95a836171ffc6466237edc9dee
Associated Sample Name / URL: sqlninja_0.2.6-r1-1raring0_all.deb
Detection: malicious
Context: 91.189.94.244

Dropped Files

No context

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
www.wizvera.com | 0% | virustotal |
www.wizvera.com | 0% | Avira URL Cloud | safe

Screenshots


Startup

system is lnxubuntu1
gnome-software (PID: 20860, Parent: 20139, MD5: 2f6a627632bb6e2de787afca7991385a) Arguments: gnome-software --local-filename=/tmp/veraport-g3_amd64.deb
  gnome-software New Fork (PID: 20891, Parent: 20860)
  dbus-launch (PID: 20891, Parent: 20860, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=f0b45546524a75b2e6e8e8a55aab94da --binary-syntax --close-stderr
  gnome-software New Fork (PID: 20960, Parent: 20860)
  dpkg-deb (PID: 20960, Parent: 20860, MD5: 7c78968571f39afad418396db4543563) Arguments: /usr/bin/dpkg-deb --showformat=${Package}\\n${Version}\\n${Installed-Size}\\n${Homepage}\\n${Description} -W /tmp/veraport-g3_amd64.deb
    dpkg-deb New Fork (PID: 20962, Parent: 20960)
    dpkg-deb New Fork (PID: 20963, Parent: 20960)
    dpkg-deb New Fork (PID: 20964, Parent: 20960)
    tar (PID: 20964, Parent: 20960, MD5: dbc4507f4db5b41f7358b28bce65a15d) Arguments: tar -x -m -f - --warning=no-timestamp
    dpkg-deb New Fork (PID: 20973, Parent: 20960)
    rm (PID: 20973, Parent: 20960, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf -- /tmp/dpkg-deb.aV8ZOc
  gnome-software New Fork (PID: 21033, Parent: 20860)
  dpkg (PID: 21033, Parent: 20860, MD5: c2dc0f2569ffaebda7332d968a0e32f7) Arguments: /usr/bin/dpkg --print-foreign-architectures
  gnome-software New Fork (PID: 21034, Parent: 20860)
  dpkg (PID: 21034, Parent: 20860, MD5: c2dc0f2569ffaebda7332d968a0e32f7) Arguments: /usr/bin/dpkg --print-foreign-architectures
systemd New Fork (PID: 20931, Parent: 1)
fwupd (PID: 20931, Parent: 1, MD5: e6fa9d74e9230801b2e3a830a5d21445) Arguments: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
cleanup

Created / dropped Files

/home/user/.cache/dconf/user
Process: /usr/bin/gnome-software
File Type: data
Size (bytes): 2
Entropy (8bit): 0.0
Encrypted: false
MD5: C4103F122D27677C9DB144CAE1394A66
SHA1: 1489F923C4DCA729178B3E3233458550D8DDDF29
SHA-256: 96A296D224F285C67BEE93C30F8A309157F0DAA35DC5B87E410B78630A09CFC7
SHA-512: 5EA71DC6D0B4F57BF39AADD07C208C35F06CD2BAC5FDE210397F70DE11D439C62EC1CDF3183758865FD387FCEA0BADA2F6C37A4A17851DD1D78FEFE6F204EE54
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..

/home/user/.local/share/gnome-software/ubuntu-reviews.db
Process: /usr/bin/gnome-software
File Type: SQLite 3.x database, last written using SQLite version 3011000
Size (bytes): 15360
Entropy (8bit): 1.917520168575528
Encrypted: false
MD5: 6F87F4BC1CEC40452C6C81F27175F8B0
SHA1: 3E0CE9720BEB18B417D6FA6B2163683DC6F35843
SHA-256: 5C69F0DA45B783617C7FAC76F43418D7D58E68D33A6DF4715AA59760B70A504F
SHA-512: F073A6844F9BB283A890831C8CD74357D18DC0512C785EA524BBB5A980EE9C0101482E18B5B6A26CDD77E13E8BFB2CF4FDCFC06A4CE191D427705A022FE46DAD
Malicious: false
Reputation: low
Preview: SQLite format 3...... @ ...... -...... %%..Qtablereview_statsreview_stats.CREATE TABLE review_stats (package_name TEXT PRIMARY KEY,one_star_count INTEGER DEFAULT 0,two_star_count INTEGER DEFAULT 0,three_star_count INTEGER DEFAULT 0, four_star_count INTEGER DEFAULT 0,five_star_count INTEGER DEFAULT 0)7...K%..indexsqlite_autoindex_review_stat

/home/user/.local/share/gnome-software/ubuntu-reviews.db-journal
Process: /usr/bin/gnome-software
File Type: SQLite Rollback Journal
Size (bytes): 10816
Entropy (8bit): 2.1333642315753916
Encrypted: false
MD5: 451A4E28A28A5C4C8C631332DA8E9FDF
SHA1: A74448E6908A34C75E7FF5383311586156713FDA
SHA-256: 85A5C707AAFE1C819C1BCE8BFC3D789D8F460368A22A956A73D6896C74C34749
SHA-512: 688723BE1245278F25C9F30151B27A490270410E842FDFACB6770EB5C2D66728C4B1CBBE5F90D12D2D7068C55B93F6CEAA2D7309220CD6FC80A72C89D68BDA87
Malicious: false
Reputation: low
Preview: .... .c...... e...... c.....PN.q......

/tmp/dpkg-deb.aV8ZOc/control
Process: /bin/tar
File Type: ASCII text
Size (bytes): 471
Entropy (8bit): 5.280397698999068
Encrypted: false
MD5: 2D42EE80E259126021F7FF1A105BAADB
SHA1: 99854F9A5E7E689A69C29199CAC235078BEB46E4
SHA-256: D2619FF3CB7D30066BA5D27A8926192A90B85F04086FECCC4B57BC753AE32A17
SHA-512: 5C5A7213EB8A805EEC20871497E2DA70102145CD6A6B845ED008BF6AF05BA543F4327667B11D5BBACD9513D5253434E40D97CD83C51270DA2152B8489BA1A042
Malicious: false
Reputation: low
Preview: Package: veraport-g3.Version: 3.7.3.3.Architecture: amd64.Maintainer: wizvera .Installed-Size: 2000.Depends: libc6 (>= 2.10.1), libfontconfig1 (>= 2.6.0), libfreetype6 (>= 2.3.9), libgcc1 (>= 1:4.1.1), libglib2.0-0 (>= 2.12.0), libice6 (>= 1:1.0.0), libsm6, libstdc++6 (>= 4.1.1), libx11-6, libxext6, libxrender1, zlib1g (>= 1:1.1.4).Section: web.Priority: extra.Homepage: http://www.wizvera.com.Description: WIZVERA Veraport G3. WIZVERA Veraport G3.

/tmp/dpkg-deb.aV8ZOc/postinst
Process: /bin/tar
File Type: POSIX shell script, ASCII text executable
Size (bytes): 2334
Entropy (8bit): 4.5314433421668365
Encrypted: false
MD5: 4E0C3DA79C30C0CEE73FDBE12561199E
SHA1: E8CE8F49C5F9E84309AD72D3B1B0D451DD8E177F
SHA-256: 04AEA163B04F46C63B8424D154FA7520262FBAEEFBD5F65A0CCD658DAF64C8DC
SHA-512: F4D27412E1CFDC5A9D4009571A4AFD515D691A9962A589F36177055EE563DDEBA5F33DB3F11CE2E6A2E1E8CD3D9650D8EA5318A414FD2697174F8157E3A46142
Malicious: false
Reputation: low
Preview: #!/bin/sh.# postinst script for .#.# see: dh_installdeb(1)..set -e..# summary of how this script can be called:.# * `configure' .# * `abort-upgrade' .# * `abort-remove' `in-favour' .# .# * `abort-remove'.# * `abort-deconfigure' `in-favour'.# `removing'.# .# for details, see http://www.debian.org/doc/debian-policy/ or.# the debian-policy package...case "$1" in. configure). if [ "x86_64" = "$(uname -m)" ]; then. echo "x86_64". if [ ! -e /usr/lib64/libpng12.so.0 ];then. mv /opt/wizvera/veraport/libpng12.so.0 /usr/lib64/. else. rm /opt/wizvera/veraport/libpng12.so.

/tmp/dpkg-deb.aV8ZOc/prerm
Process: /bin/tar
File Type: POSIX shell script, ASCII text executable
Size (bytes): 115
Entropy (8bit): 4.415995716345338
Encrypted: false
MD5: 8B7D80E2DABEB743DD5FFD8857B1A565
SHA1: E764C865D2B0C409DFE6EEE450625866A04C762D
SHA-256: 858B8DA137811C1EF752077304344966E6E9F2B3C6A9165898393E812903A9BF
SHA-512: F8439204A108A0F807904D9EEC820E3890523337A679A9A7D0ABDBD38E63789B17B5468942172B9808391A577B41CEA85BFE56E1F3AAEAEB7BF696787F686DD1
Malicious: false
Reputation: low
Preview: #!/bin/sh.set -e..killall veraport || true..rm -rf /var/lib/update-notifier/user.d/veraport-start-required..exit 0.

/var/lib/fwupd/pending.db
Process: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
File Type: SQLite 3.x database, last written using SQLite version 3011000
Size (bytes): 3072
Entropy (8bit): 1.1422572379832086
Encrypted: false
MD5: 8363D24E246DF601D7A309537767C270
SHA1: 6B92F004A6B213919893C789B38CBBF93EB2DA04
SHA-256: 24E3C058D82CDCCEEF7E556D244E06AA9EB9CE34715C879BC8E96D883444EEAD
SHA-512: 1A45D1EC6F01F3F999C1DE23FE81D8EC128A7AE28949FC9761974D611518F06C5F44529294ED589EE5E66978A6FFE794E3DAB2777A01F3010AB01FF96746DFD8
Malicious: false
Reputation: low
Preview: SQLite format 3...... @ ...... -...... atablependingpending.CREATE TABLE pending (device_id TEXT PRIMARY KEY,unique_id TEXT,state INTEGER DEFAULT 0,timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,error TEXT,filename TEXT,display_name TEXT,provider TEXT,version_old TEXT,version_new TEXT)-...A...indexsqlite_autoindex_p

/var/lib/fwupd/pending.db-journal
Process: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
File Type: data
Size (bytes): 524
Entropy (8bit): 0.27937671757176796
Encrypted: false
MD5: 99F3FF863A57E76AA675472653CAF8B4
SHA1: AE48E84B414C502761241B5E964C1A3C6EB447DC
SHA-256: 90DD18BCFF10DF9FC5A5508CD5396931A3B132F8B063A6990DCF6A2E02B91C43
SHA-512: 5148271AD95CC6F66CE5F1188C4B95D771347A3BE96DADB9F4066DC35EFCEF1A13A3982671BA4D4FB68D880C190FCAE85C9DEA4E97879E4C0A369CA1A962D031
Malicious: false
Reputation: low
Preview: ...... &.n...... c.....

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
reviews.ubuntu.com | 91.189.94.244 | true | false | | high

URLs from Memory and Binaries

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
91.189.92.19 | United Kingdom | 41231 | unknown | false
91.189.94.244 | United Kingdom | 41231 | unknown | false

Static File Info

General
File type: Debian binary package (format 2.0)
Entropy (8bit): 7.995816929036229
TrID: Debian Linux Package (24024/1) 94.12%; Java Script embedded in Visual Basic Script (1500/0) 5.88%
File name: veraport-g3_amd64.deb
File size: 5638792
MD5: de65adb801cd6c7f427d282759f21312
SHA1: 64bee603033c147ac08f4d4cd21bca283932df6f
SHA256: dde05baeac0b98779c99643a0c37c93f47bb12ef9f9a8befacc8c9e9c97b963d
SHA512: 990751741aa3cc04dbee6af7fe89d561e653234caf1e4c728af7d43aa5ff7271eec683609d0159ce5092e8ddbb3da240a16897e7a113a6b37d1f9df6eec92db0
SSDEEP: 98304:VcRfy97BV2Rt7RRv4pb+Nga4Pr0CHpmPQ72RYCykyVoJ3invvwb22S8Cu/eHK0sW:iy97BVOBmD9PgCHMPwoY3o9uvk2rjHXp
File Content Preview: !.debian-binary 1542696524 0 0 100644 4 `.2.0.control.tar.gz 1542696524 0 0 100644 1281 `...... Wmo.6....W\..m.J.,...4h:.K...... 6.)-... ..H*.....,....Y....=.-.....yw...{G.1...?.7..w....Aw..=...... `C Ii>

Network Behavior

Network Port Distribution

Total Packets: 34
• 53 (DNS)
• 443 (HTTPS)

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2019 06:35:57.405438900 CEST | 192.168.2.20 | 8.8.8.8 | 0xf129 | Standard query (0) | reviews.ubuntu.com | A (IP address) | IN (0x0001)
Jul 22, 2019 06:35:57.412604094 CEST | 192.168.2.20 | 8.8.8.8 | 0x6c0f | Standard query (0) | reviews.ubuntu.com | 28 | IN (0x0001)
Jul 22, 2019 06:36:22.588567972 CEST | 192.168.2.20 | 8.8.8.8 | 0x287f | Standard query (0) | reviews.ubuntu.com | A (IP address) | IN (0x0001)
Jul 22, 2019 06:36:22.588732958 CEST | 192.168.2.20 | 8.8.8.8 | 0x50c2 | Standard query (0) | reviews.ubuntu.com | 28 | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2019 06:35:57.419207096 CEST | 8.8.8.8 | 192.168.2.20 | 0xf129 | No error (0) | reviews.ubuntu.com | | 91.189.94.244 | A (IP address) | IN (0x0001)
Jul 22, 2019 06:36:22.602591991 CEST | 8.8.8.8 | 192.168.2.20 | 0x287f | No error (0) | reviews.ubuntu.com | | 91.189.94.244 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Jul 22, 2019 06:35:57.502403975 CEST
Source IP: 91.189.94.244
Source Port: 443
Dest IP: 192.168.2.20
Dest Port: 47334
Subject: CN=reviews.ubuntu.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Not Before: Mon May 27 06:08:07 CEST 2019
Not After: Sun Aug 25 06:08:07 CEST 2019
Issuing certificate in the presented chain:
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  Not Before: Thu Mar 17 17:40:46 CET 2016
  Not After: Wed Mar 17 17:40:46 CET 2021
JA3 SSL Client Fingerprint: 771,49195-49196-49286-49287-49161-49187-49162-49188-49266-49267-49324-49325-49160-49199-49200-49290-49291-49171-49191-49172-49192-49270-49271-49170-156-157-49274-49275-47-60-53-61-65-186-132-192-49308-49309-10-158-159-49276-49277-51-103-57-107-69-190-136-196-49310-49311-22,5-0-65281-35-10-11-13,23-24-25-21-19,0
JA3 SSL Client Digest: 2b8aaa95a836171ffc6466237edc9dee

System Behavior

Analysis Process: gnome-software PID: 20860 Parent PID: 20139

General

Start time: 06:35:28
Start date: 22/07/2019
Path: /usr/bin/gnome-software
Arguments: gnome-software --local-filename=/tmp/veraport-g3_amd64.deb
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

File Deleted

File Read

File Written

Directory Enumerated

Directory Created

Owner / Group Modified

Permission Modified

Analysis Process: gnome-software PID: 20891 Parent PID: 20860

General

Start time: 06:35:28
Start date: 22/07/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dbus-launch PID: 20891 Parent PID: 20860

General

Start time: 06:35:28
Start date: 22/07/2019
Path: /usr/bin/dbus-launch
Arguments: dbus-launch --autolaunch=f0b45546524a75b2e6e8e8a55aab94da --binary-syntax --close-stderr
File size: 26616 bytes
MD5 hash: e4a469f27d130d783c21ce9c1c4456c3

File Activities

File Read

Analysis Process: gnome-software PID: 20960 Parent PID: 20860

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dpkg-deb PID: 20960 Parent PID: 20860

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /usr/bin/dpkg-deb
Arguments: /usr/bin/dpkg-deb --showformat=${Package}\\n${Version}\\n${Installed-Size}\\n${Homepage}\\n${Description} -W /tmp/veraport-g3_amd64.deb
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

File Activities

File Read

Directory Created

Directory Deleted

Analysis Process: dpkg-deb PID: 20962 Parent PID: 20960

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

File Activities

File Read

Analysis Process: dpkg-deb PID: 20963 Parent PID: 20960

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

File Activities

File Read

Analysis Process: dpkg-deb PID: 20964 Parent PID: 20960

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

Analysis Process: tar PID: 20964 Parent PID: 20960

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /bin/tar
Arguments: tar -x -m -f - --warning=no-timestamp
File size: 383632 bytes
MD5 hash: dbc4507f4db5b41f7358b28bce65a15d

File Activities

File Read

File Written

Directory Created

Owner / Group Modified

Permission Modified

Analysis Process: dpkg-deb PID: 20973 Parent PID: 20960

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /usr/bin/dpkg-deb
Arguments: n/a
File size: 134520 bytes
MD5 hash: 7c78968571f39afad418396db4543563

Analysis Process: rm PID: 20973 Parent PID: 20960

General

Start time: 06:35:56
Start date: 22/07/2019
Path: /bin/rm
Arguments: rm -rf -- /tmp/dpkg-deb.aV8ZOc
File size: 60272 bytes
MD5 hash: b79876063d894c449856cca508ecca7f

File Activities

File Deleted

File Read

Directory Enumerated

Analysis Process: gnome-software PID: 21033 Parent PID: 20860

General

Start time: 06:36:21
Start date: 22/07/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dpkg PID: 21033 Parent PID: 20860

General

Start time: 06:36:21
Start date: 22/07/2019
Path: /usr/bin/dpkg
Arguments: /usr/bin/dpkg --print-foreign-architectures
File size: 278264 bytes
MD5 hash: c2dc0f2569ffaebda7332d968a0e32f7

File Activities

File Read

Directory Enumerated

Analysis Process: gnome-software PID: 21034 Parent PID: 20860

General

Start time: 06:36:21
Start date: 22/07/2019
Path: /usr/bin/gnome-software
Arguments: n/a
File size: 672464 bytes
MD5 hash: 2f6a627632bb6e2de787afca7991385a

File Activities

Directory Enumerated

Analysis Process: dpkg PID: 21034 Parent PID: 20860

General

Start time: 06:36:21
Start date: 22/07/2019
Path: /usr/bin/dpkg
Arguments: /usr/bin/dpkg --print-foreign-architectures
File size: 278264 bytes
MD5 hash: c2dc0f2569ffaebda7332d968a0e32f7

File Activities

File Read

Directory Enumerated

Analysis Process: systemd PID: 20931 Parent PID: 1

General

Start time: 06:35:53
Start date: 22/07/2019
Path: /lib/systemd/systemd
Arguments: n/a
File size: 0 bytes
MD5 hash: 00000000000000000000000000000000

Analysis Process: fwupd PID: 20931 Parent PID: 1

General

Start time: 06:35:53
Start date: 22/07/2019
Path: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
Arguments: /usr/lib/x86_64-linux-gnu/fwupd/fwupd
File size: 104656 bytes
MD5 hash: e6fa9d74e9230801b2e3a830a5d21445

File Activities

File Deleted

File Read

File Written

Directory Enumerated

Directory Created

Owner / Group Modified

Copyright Joe Security LLC 2019
