Malware analysis kswapd00 Malicious activity | ANY.RUN

Add for printing

File name:	kswapd00
Full analysis:	https://app.any.run/tasks/94c1c4e9-5348-4607-af51-ab4dad0ef171
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 19:17:35
OS:	Ubuntu 22.04.2
Tags:	miner
Indicators:
MIME:	application/x-executable
File info:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
MD5:	1D306F8526098519CB196D490A351591
SHA1:	7FE2FAE8509635F08861129FC0A7BA5538A3DF04
SHA256:	046E3763F2965EC5305791364AB163DC2E6F62C315EB36715799D076F90BEA78
SSDEEP:	98304:pw1TG/05FZKdYavJL5z/jm9OMcNnE+fDTOvRREo8gwJWFNwvbpg6YRxgxEXElNDw:emMPQF5I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - kswapd00.elf (PID: 39870)
  - kswapd00.elf (PID: 39887)
  - kswapd00.elf (PID: 39863)
- MINER has been detected (SURICATA)
  - kswapd00.elf (PID: 39887)
- Connects to the CnC server
  - kswapd00.elf (PID: 39887)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 39862)
- Modifies file or directory owner
  - sudo (PID: 39859)
- Checks DMI information (probably VM detection)
  - kswapd00.elf (PID: 39863)
- Reads /proc/mounts (likely used to find writable filesystems)
  - kswapd00.elf (PID: 39863)
- Removes file immutable attribute
  - dash (PID: 39872)
  - dash (PID: 39879)
- Executes the "rm" command to delete files or directories
  - dash (PID: 39872)
  - dash (PID: 39879)
- Potential Corporate Privacy Violation
  - kswapd00.elf (PID: 39887)
INFO
- Creates file in the temporary folder
  - kswapd00.elf (PID: 39863)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	64 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	AMD x86-64

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

31

Malicious processes

3

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

39858

/bin/sh -c "sudo chown user /tmp/kswapd00\.elf && chmod +x /tmp/kswapd00\.elf && DISPLAY=:0 sudo -i /tmp/kswapd00\.elf "

/usr/bin/dash

—

oF5qt7VjSoEVMhQn

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39859

sudo chown user /tmp/kswapd00.elf

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

39860

chown user /tmp/kswapd00.elf

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39861

chmod +x /tmp/kswapd00.elf

/usr/bin/chmod

—

dash

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39862

sudo -i /tmp/kswapd00.elf

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

39863

/tmp/kswapd00.elf

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

39864

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

kswapd00.elf

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39865

-bash --login -c \/tmp\/kswapd00\.elf

/usr/bin/bash

—

kswapd00.elf

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

39866

sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"

/usr/bin/dash

—

bash

User:

root

Integrity Level:

UNKNOWN

Exit code:

256

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39867

tr \n " "

/usr/bin/tr

—

bash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

Add for printing

Executable files

0

Suspicious files

2

Text files

4

Unknown types

0

Dropped files

PID	Process	Filename		Type
39863	kswapd00.elf	/var/tmp/.kswapd00		o
		MD5:—	SHA256:—
39863	kswapd00.elf	/tmp/.kswapd00		o
		MD5:—	SHA256:—
39863	kswapd00.elf	/var/tmp/sdfIESll923		text
		MD5:—	SHA256:—
39872	dash	/root/.ssh/authorized_keys		text
		MD5:—	SHA256:—
39863	kswapd00.elf	/root/cert.pem		text
		MD5:—	SHA256:—
39863	kswapd00.elf	/root/cert_key.pem		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

11

DNS requests

10

Threats

2

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.49:80	—	Canonical Group Limited	GB	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.96:80	—	Canonical Group Limited	GB	unknown
1178	snap-store	207.211.211.26:443	odrs.gnome.org	—	US	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39887	kswapd00.elf	179.43.139.85:80	—	Private Layer INC	CH	malicious

DNS requests

Domain	IP	Reputation
google.com	172.217.16.142 2a00:1450:4001:82b::200e	whitelisted
odrs.gnome.org	207.211.211.26 37.19.194.80 195.181.170.18 195.181.175.41 212.102.56.179 169.150.255.180 169.150.255.183 2a02:6ea0:c700::107 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::18 2a02:6ea0:c700::112 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.59 185.125.188.57 185.125.188.58 2620:2d:4000:1010::117 2620:2d:4000:1010::2e6 2620:2d:4000:1010::42 2620:2d:4000:1010::344	whitelisted
6.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2001:67c:1562::24 2620:2d:4002:1::198 2620:2d:4000:1::97 2620:2d:4000:1::96 2620:2d:4000:1::23 2001:67c:1562::23 2620:2d:4000:1::98 2620:2d:4000:1::2a 2620:2d:4002:1::196 2620:2d:4000:1::22 2620:2d:4000:1::2b	whitelisted

Threats

PID	Process	Class	Message
39887	kswapd00.elf	Potential Corporate Privacy Violation	ET INFO Cryptocurrency Miner Checkin
39887	kswapd00.elf	Potential Corporate Privacy Violation	ET INFO Cryptocurrency Miner Checkin

Add for printing

No debug info

General Info

kswapd00

1D306F8526098519CB196D490A351591

7FE2FAE8509635F08861129FC0A7BA5538A3DF04

046E3763F2965EC5305791364AB163DC2E6F62C315EB36715799D076F90BEA78

98304:pw1TG/05FZKdYavJL5z/jm9OMcNnE+fDTOvRREo8gwJWFNwvbpg6YRxgxEXElNDw:emMPQF5I

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

MINER has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Executes commands using command-line interpreter

Modifies file or directory owner

Checks DMI information (probably VM detection)

Reads /proc/mounts (likely used to find writable filesystems)

Removes file immutable attribute

Executes the "rm" command to delete files or directories

Potential Corporate Privacy Violation

INFO

Creates file in the temporary folder

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings