Malware analysis Space.x86 Malicious activity | ANY.RUN

Add for printing

File name:	Space.x86
Full analysis:	https://app.any.run/tasks/b5dafd51-ac6e-4acb-a506-16ac129b2389
Verdict:	Malicious activity
Analysis date:	May 10, 2025, 06:59:03
OS:	Ubuntu 22.04.2
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
MD5:	96EFAB98F49942F128EAFC3FCDBD6A2E
SHA1:	5A41D95FB036C372D1E00AC248BE20279EFF4A57
SHA256:	0D674E4CFE06F9579F30531E3B0E63FBFB46EB744D851047CA16C677305BCC58
SSDEEP:	768:45r8zNNOJsa3La/P4vb0dprIhYwpYkQexOVcWvyTUbTc/xuCNMWe+b31l:46Zysabans4dxIhYwpPw1yyWPqWe+b3b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - Space.x86.elf (PID: 39501)
  - Space.x86.elf (PID: 39516)
SUSPICIOUS
- Connects to unusual port
  - Space.x86.elf (PID: 39501)
  - Space.x86.elf (PID: 39516)
- Modifies file or directory owner
  - sudo (PID: 39491)
- Reads profile file
  - Space.x86.elf (PID: 39496)
- Reads passwd file
  - Space.x86.elf (PID: 39496)
- Executes commands using command-line interpreter
  - sudo (PID: 39494)
- Contacting a server suspected of hosting an CnC
  - Space.x86.elf (PID: 39516)
  - Space.x86.elf (PID: 39501)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

233

Monitored processes

15

Malicious processes

5

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
39490	/bin/sh -c "sudo chown user /tmp/Space\.x86\.elf && chmod +x /tmp/Space\.x86\.elf && DISPLAY=:0 sudo -iu user /tmp/Space\.x86\.elf "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
39491	sudo chown user /tmp/Space.x86.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39492	chown user /tmp/Space.x86.elf	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
39493	chmod +x /tmp/Space.x86.elf	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39494	sudo -iu user /tmp/Space.x86.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39495	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
39496	/tmp/Space.x86.elf	/tmp/Space.x86.elf	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
39497	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	Space.x86.elf
User: user Integrity Level: UNKNOWN Exit code: 0
39498	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
39499	/tmp/Space.x86.elf	/tmp/Space.x86.elf	—	Space.x86.elf
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

19

DNS requests

9

Threats

4

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.98:80	—	Canonical Group Limited	US	unknown
—	—	185.125.190.48:80	—	Canonical Group Limited	GB	unknown
—	—	207.211.211.26:443	odrs.gnome.org	—	US	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39501	Space.x86.elf	77.239.125.252:3778	—	Six Degrees Technology Group Limited	GB	unknown
39516	Space.x86.elf	77.239.125.252:3778	—	Six Degrees Technology Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
google.com	172.217.18.14 2a00:1450:4001:80b::200e	whitelisted
odrs.gnome.org	207.211.211.26 169.150.255.183 195.181.170.19 169.150.255.181 212.102.56.179 195.181.175.41 37.19.194.81 2a02:6ea0:c700::11 2a02:6ea0:c700::18 2a02:6ea0:c700::101 2a02:6ea0:c700::107 2a02:6ea0:c700::19 2a02:6ea0:c700::21 2a02:6ea0:c700::112	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.54 185.125.188.59 185.125.188.57 2620:2d:4000:1010::2e6 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::344	whitelisted
10.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2001:67c:1562::24 2620:2d:4000:1::2a 2620:2d:4000:1::97 2620:2d:4000:1::23 2620:2d:4002:1::196 2620:2d:4000:1::2b 2620:2d:4000:1::96 2620:2d:4002:1::198 2620:2d:4000:1::98 2001:67c:1562::23 2620:2d:4000:1::22	whitelisted

Threats

PID	Process	Class	Message
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)

Add for printing

No debug info

General Info

Space.x86

96EFAB98F49942F128EAFC3FCDBD6A2E

5A41D95FB036C372D1E00AC248BE20279EFF4A57

0D674E4CFE06F9579F30531E3B0E63FBFB46EB744D851047CA16C677305BCC58

768:45r8zNNOJsa3La/P4vb0dprIhYwpYkQexOVcWvyTUbTc/xuCNMWe+b31l:46Zysabans4dxIhYwpPw1yyWPqWe+b3b

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Connects to unusual port

Modifies file or directory owner

Reads profile file

Reads passwd file

Executes commands using command-line interpreter

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings