File name:

amd64

Full analysis: https://app.any.run/tasks/bf74a5c9-c189-45da-b1d2-1e9e5438f623
Verdict: Malicious activity
Analysis date: August 19, 2024, 08:55:49
OS: Ubuntu 22.04.2
MIME: application/x-pie-executable
File info: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), for GNU/Linux 3.2.0, BuildID[sha1]=a5bdb209387e06cba305d4d5db76c52b7cb6ea26, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, no section header
MD5:

B5C92EA2DE82DCC743A736DDFEBA73DF

SHA1:

A36673E8D26E842A6C1FDAFA796E965BE9D83E55

SHA256:

1211514B612E2E902B41167BA361073C7A233473E65D8839F1BAC7A6AE1165A0

SSDEEP:

98304:LUP5XVpqBAekkUxaOhtK2vZRNt5tCdQZSCr8fd4v1oc2:61u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • bash (PID: 12946)
      • fileBNWFOI (PID: 12960)
      • gnome-terminal-server (PID: 13062)
      • cron (PID: 13097)
      • cron (PID: 13114)
      • cron (PID: 13165)
      • update-notifier (PID: 13147)
      • cron (PID: 13132)

    • Writes to Systemd service files (likely for persistence achievement)

      • systemd (PID: 13024)
      • systemd (PID: 12970)

    • Modifies file or directory owner

      • sudo (PID: 12939)

    • Modifies Cron jobs

      • sudo (PID: 12942)

    • Checks the user who created the process

      • cron (PID: 13097)
      • cron (PID: 13114)
      • cron (PID: 13132)
      • cron (PID: 13165)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • check-new-release-gtk (PID: 13149)

    • Connects to unusual port

      • fileBNWFOI (PID: 12960)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Shared object file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
340
Monitored processes
127
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start sh no specs sudo no specs chown no specs chmod no specs sudo no specs amd64.o no specs locale-check no specs bash no specs sh no specs tr no specs cat no specs mesg no specs systemctl no specs systemctl no specs systemctl no specs filemmk6jn no specs amd64.o no specs filebnwfoi bash no specs systemctl no specs systemd no specs snapd-env-generator no specs systemd no specs friendly-recovery no specs netplan no specs openvpn-generator no specs snapd-generator no specs systemd-bless-boot-generator no specs systemd-cryptsetup-generator no specs systemd-debug-generator no specs systemd-fstab-generator no specs systemd-getty-generator no specs systemd-gpt-auto-generator no specs cat no specs systemd-hibernate-resume-generator no specs systemd-rc-local-generator no specs systemd-run-generator no specs mkdir no specs systemd-system-update-generator no specs systemd-sysv-generator no specs systemd-veritysetup-generator no specs ls no specs fileilsl0c no specs systemd no specs snapd-env-generator no specs systemd no specs friendly-recovery no specs systemd no specs systemd no specs snapd-generator no specs systemd-bless-boot-generator no specs systemd no specs systemd no specs systemd no specs dash no specs systemd no specs systemd no specs systemd no specs systemd no specs snapd-env-generator no specs systemd no specs friendly-recovery no specs netplan no specs openvpn-generator no specs systemd no specs systemd no specs systemd-cryptsetup-generator no specs systemd no specs systemd-fstab-generator no specs dash no specs systemd no specs dash no specs systemd-gpt-auto-generator no specs systemd no specs systemd no specs systemd no specs systemd no specs systemd no specs systemd no specs gnome-terminal no specs gnome-terminal.real no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dircolors no specs dirname no specs crontab no specs cron no specs sh no specs .mod no specs libgdi.so.0.8.2 no specs filedq49ag no specs libgdi.so.0.8.2 no specs fileo6e70j no specs crontab no specs cron no specs sh no specs .mod no specs libgdi.so.0.8.2 no specs filetjgleb no specs libgdi.so.0.8.2 no specs filehz0f0q no specs cron no specs sh no specs .mod no specs libgdi.so.0.8.2 no specs filelg6arv no specs libgdi.so.0.8.2 no specs fileq2psgr no specs update-notifier no specs sh no specs check-new-release-gtk dpkg no specs dpkg no specs lsb_release no specs lsb_release no specs lsb_release no specs lsb_release no specs cron no specs sh no specs .mod no specs libgdi.so.0.8.2 no specs file9rulso no specs libgdi.so.0.8.2 no specs filewzqyw7 no specs

Process information

PID
CMD
Path
Indicators
Parent process
12938/bin/sh -c "sudo chown user /tmp/amd64\.o && chmod +x /tmp/amd64\.o && DISPLAY=:0 sudo -i /tmp/amd64\.o "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
482
12939sudo chown user /tmp/amd64.o/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12940chown user /tmp/amd64.o/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12941chmod +x /tmp/amd64.o/usr/bin/chmodsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12942sudo -i /tmp/amd64.o/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
482
12944/tmp/amd64.o/tmp/amd64.osudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
12945/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkamd64.o
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12946-bash --login -c \/tmp\/amd64\.o/usr/bin/bashamd64.o
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12947sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"/usr/bin/shbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12948tr \n " "/usr/bin/trbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
16
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
12944amd64.o/tmp/fileMmK6Jno
MD5:
SHA256:
12944amd64.o/usr/bin/lsbinary
MD5:
SHA256:
12959amd64.o/tmp/fileBNWFOIo
MD5:
SHA256:
12960fileBNWFOI/etc/.cfgtext
MD5:
SHA256:
13108fileo6e70j/etc/.cfgtext
MD5:
SHA256:
13124fileHz0F0q/etc/.cfgtext
MD5:
SHA256:
13142fileQ2PSgR/etc/.cfgtext
MD5:
SHA256:
13175filewZqyW7/etc/.cfgtext
MD5:
SHA256:
12960fileBNWFOI/boot/system.pubo
MD5:
SHA256:
12989ls/tmp/fileILSL0C (deleted)o
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
196
DNS requests
391
Threats
378

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.97:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.17:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
470
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.97:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
207.211.211.27:443
odrs.gnome.org
US
unknown
91.189.91.97:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
209.141.53.247:7788
botbot.ddosvps.cc
PONYNET
US
unknown
12960
fileBNWFOI
209.141.53.247:7788
botbot.ddosvps.cc
PONYNET
US
unknown
485
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
13149
check-new-release-gtk
91.189.91.49:443
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.17
  • 185.125.190.48
  • 185.125.190.98
  • 91.189.91.96
  • 185.125.190.97
  • 91.189.91.97
  • 185.125.190.18
  • 185.125.190.96
  • 91.189.91.49
  • 91.189.91.48
  • 91.189.91.98
  • 185.125.190.49
  • 2620:2d:4002:1::196
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::97
  • 2001:67c:1562::24
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::98
whitelisted
google.com
  • 142.250.184.238
  • 2a00:1450:4001:831::200e
whitelisted
odrs.gnome.org
  • 207.211.211.27
  • 169.150.255.180
  • 195.181.170.19
  • 37.19.194.80
  • 212.102.56.178
  • 169.150.255.184
  • 195.181.175.41
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.54
whitelisted
176.100.168.192.in-addr.arpa
unknown
botbot.ddosvps.cc
  • 209.141.53.247
unknown
changelogs.ubuntu.com
  • 91.189.91.49
  • 185.125.190.17
  • 185.125.190.18
  • 91.189.91.48
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
12960
fileBNWFOI
Potentially Bad Traffic
ET DNS Query for .cc TLD
No debug info