Malware analysis debug.dbg Malicious activity | ANY.RUN

Add for printing

File name:	debug.dbg
Full analysis:	https://app.any.run/tasks/2f81f76d-ce80-4b54-8a63-738e2887ff93
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 19:38:49
OS:	Ubuntu 22.04.2
Tags:	mirai botnet moobot
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
MD5:	532EF4D5F8B26AC310B2FAABA837BE9D
SHA1:	7F21D73E2E2BF706375C7CDB1A6E3A779C161E19
SHA256:	0FEBF38F08C8C88570255162C856D0A2B7209C0D6A4A84530FE95AA7888C88D7
SSDEEP:	3072:xlk2tGaiGLvHcpc4Gl90WfkwTl2cVwTEG/xKNEAfpCJ1PGh73:xlk2tGaiGLvHcpc4Gl90W8wTl2cVwTEd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - debug.dbg.elf (PID: 41396)
- Connects to the CnC server
  - debug.dbg.elf (PID: 41396)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 41395)
- Modifies file or directory owner
  - sudo (PID: 41392)
- Connects to unusual port
  - debug.dbg.elf (PID: 41396)
- Contacting a server suspected of hosting an CnC
  - debug.dbg.elf (PID: 41396)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

143

Monitored processes

9

Malicious processes

3

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

41391

/bin/sh -c "sudo chown user /tmp/debug\.dbg\.elf && chmod +x /tmp/debug\.dbg\.elf && DISPLAY=:0 sudo -iu user /tmp/debug\.dbg\.elf "

/usr/bin/dash

—

UbvyYXL4x2mYa65Q

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41392

sudo chown user /tmp/debug.dbg.elf

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41393

chown user /tmp/debug.dbg.elf

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41394

chmod +x /tmp/debug.dbg.elf

/usr/bin/chmod

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41395

sudo -iu user /tmp/debug.dbg.elf

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41396

/tmp/debug.dbg.elf

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

41397

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

debug.dbg.elf

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41398

/bin/busybox g.elf

/tmp/debug.dbg.elf

—

debug.dbg.elf

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

41399

/bin/busybox g.elf

/tmp/debug.dbg.elf

—

debug.dbg.elf

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

36

DNS requests

34

Threats

46

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	91.189.91.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.190.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	207.211.211.27:443	odrs.gnome.org	—	US	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41396	debug.dbg.elf	103.20.102.84:56999	mdnsucchim.ddns.net	—	—	malicious

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::98 2620:2d:4000:1::96 2620:2d:4000:1::22 2620:2d:4002:1::196 2620:2d:4002:1::197 2620:2d:4002:1::198 2620:2d:4000:1::97 2620:2d:4000:1::23 2620:2d:4000:1::2b 2001:67c:1562::23 2001:67c:1562::24 2620:2d:4000:1::2a 185.125.190.97 91.189.91.97 185.125.190.49 185.125.190.98 185.125.190.96 185.125.190.48 91.189.91.48 185.125.190.17 91.189.91.96 91.189.91.98 185.125.190.18 91.189.91.49	whitelisted
google.com	142.250.184.206 2a00:1450:4001:82a::200e	whitelisted
odrs.gnome.org	207.211.211.27 169.150.255.181 212.102.56.179 37.19.194.81 169.150.255.183 195.181.175.41 195.181.170.19 2a02:6ea0:c700::19 2a02:6ea0:c700::112 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::21 2a02:6ea0:c700::107 2a02:6ea0:c700::18	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.58 185.125.188.54 185.125.188.57 2620:2d:4000:1010::2e6 2620:2d:4000:1010::344 2620:2d:4000:1010::42 2620:2d:4000:1010::117	whitelisted
mdnsucchim.ddns.net	103.20.102.84	malicious
13.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
41396	debug.dbg.elf	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
41396	debug.dbg.elf	Malware Command and Control Activity Detected	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
41396	debug.dbg.elf	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
41396	debug.dbg.elf	Malware Command and Control Activity Detected	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
41396	debug.dbg.elf	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
41396	debug.dbg.elf	Malware Command and Control Activity Detected	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
41396	debug.dbg.elf	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
41396	debug.dbg.elf	Malware Command and Control Activity Detected	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
41396	debug.dbg.elf	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
41396	debug.dbg.elf	Malware Command and Control Activity Detected	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Add for printing

No debug info

General Info

debug.dbg

532EF4D5F8B26AC310B2FAABA837BE9D

7F21D73E2E2BF706375C7CDB1A6E3A779C161E19

0FEBF38F08C8C88570255162C856D0A2B7209C0D6A4A84530FE95AA7888C88D7

3072:xlk2tGaiGLvHcpc4Gl90WfkwTl2cVwTEG/xKNEAfpCJ1PGh73:xlk2tGaiGLvHcpc4Gl90W8wTl2cVwTEd

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Executes commands using command-line interpreter

Modifies file or directory owner

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings