File name:

rep.x86_64

Full analysis: https://app.any.run/tasks/bab782cc-fb6d-4662-b909-6dd9788394d4
Verdict: Malicious activity
Analysis date: May 10, 2025, 07:00:34
OS: Ubuntu 22.04.2
Tags:
scan
ssh
sshscan
telnet
Indicators:
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5:

EB9C20A334D7E37A6F0319466BAC5961

SHA1:

08B832A631CEC2DDC9FA14F48E0B088D481E1B73

SHA256:

1B37463F1E00DBC7FE61F828D1390EDD0EB3821CFE644E19509E2FFCA3A1F4C1

SSDEEP:

3072:7PXftQc668BHuLfgyutpLOQAkZpSVXMOR/Gkx:rXftQc668BHuLfgdtpyQAkKVXMOgkx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Attempting to connect via SSH

      • (PID: 40669)

    • Attempting to scan the network

      • (PID: 40669)

    • SSHSCAN has been detected (SURICATA)

      • (PID: 40669)

    • MIRAI has been detected (SURICATA)

      • (PID: 40667)

  • SUSPICIOUS

    • Reads profile file

      • rep.x86_64.elf (PID: 40665)

    • Reads passwd file

      • rep.x86_64.elf (PID: 40665)
      • pipewire-media-session (PID: 40723)
      • pipewire (PID: 40691)
      • gdm-session-worker (PID: 40726)
      • pipewire (PID: 40722)
      • dbus-daemon (PID: 40790)
      • dbus-daemon (PID: 40881)
      • gnome-shell (PID: 40851)
      • pipewire (PID: 40743)
      • pipewire-media-session (PID: 40744)
      • dbus-daemon (PID: 40768)
      • ibus-daemon (PID: 40957)
      • gsd-print-notifications (PID: 40964)
      • ibus-daemon (PID: 41066)
      • gvfs-udisks2-volume-monitor (PID: 40887)
      • gsd-power (PID: 41004)
      • gsd-media-keys (PID: 40983)

    • Gets active TCP connections

      • (PID: 40667)

    • Reads network configuration

      • (PID: 40667)

    • Checks DMI information (probably VM detection)

      • pipewire (PID: 40691)
      • pipewire (PID: 40722)
      • pulseaudio (PID: 40745)
      • gnome-shell (PID: 40851)
      • pipewire (PID: 40733)
      • pipewire (PID: 40743)

    • Modifies file or directory owner

      • sudo (PID: 40661)

    • Executes commands using command-line interpreter

      • sudo (PID: 40664)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • dbus-daemon (PID: 40790)
      • dbus-daemon (PID: 40768)
      • gjs-console (PID: 40942)
      • dbus-daemon (PID: 40881)
      • gnome-shell (PID: 40851)
      • gjs-console (PID: 41099)

    • Check the Environment Variables Related to System Identification (os-release)

      • snap (PID: 40919)

    • Connects to unusual port

      • (PID: 40667)

    • Potential Corporate Privacy Violation

      • (PID: 40669)

    • Contacting a server suspected of hosting an CnC

      • (PID: 40667)

  • INFO

    • Checks timezone

      • gdm-session-worker (PID: 40726)
      • python3.10 (PID: 40838)
      • gnome-session-binary (PID: 40799)
      • python3.10 (PID: 40839)
      • tracker-miner-fs-3 (PID: 40860)
      • dbus-daemon (PID: 40768)
      • python3.10 (PID: 40980)
      • gsd-print-notifications (PID: 40964)
      • gnome-shell (PID: 40851)
      • gsd-color (PID: 40955)
      • python3.10 (PID: 41068)
      • spice-vdagent (PID: 41073)

    • Creates file in the temporary folder

      • gnome-shell (PID: 40851)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
393
Monitored processes
170
Malicious processes
5
Suspicious processes
4

Behavior graph

Click at the process to see the details
start systemctl no specs dash no specs sudo no specs chown no specs chmod no specs sudo no specs rep.x86_64.elf no specs locale-check no specs #MIRAI         no specs #SSHSCAN         no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs dash no specs gnome-session-ctl no specs systemctl no specs gnome-session-ctl no specs gnome-session-ctl no specs pipewire no specs pipewire-media-session no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs pulseaudio no specs gnome-session-ctl no specs dash no specs dbus-update-activation-environment no specs gnome-session-ctl no specs pipewire no specs fusermount3 no specs pipewire-media-session no specs fusermount3 no specs dash no specs fusermount3 no specs pulseaudio no specs pipewire no specs systemd no specs pulseaudio no specs pipewire no specs pipewire-media-session no specs pulseaudio no specs gdm-session-worker no specs dash no specs dash no specs systemd-user-runtime-dir no specs pipewire no specs pipewire-media-session no specs pulseaudio no specs systemd no specs systemd no specs systemd no specs systemd no specs 30-systemd-environment-d-generator no specs systemd-xdg-autostart-generator no specs systemctl no specs pipewire no specs pipewire-media-session no specs pulseaudio no specs snap-confine no specs tracker-extract-3 no specs gdm-wayland-session no specs dbus-daemon no specs snap-seccomp no specs gvfsd no specs dbus-run-session no specs xdg-document-portal no specs dbus-daemon no specs gvfsd no specs gvfsd-fuse no specs xdg-permission-store no specs gnome-session-binary no specs fusermount3 no specs gst-plugin-scanner no specs fusermount3 no specs gst-plugin-scanner no specs snap-confine no specs snap-confine no specs snap-update-ns no specs session-migration no specs dash no specs gsettings no specs gsettings no specs python3.10 no specs python3.10 no specs dash no specs gsettings no specs gsettings no specs gnome-shell no specs tracker-miner-fs-3 no specs dbus-daemon no specs at-spi-bus-launcher no specs dbus-daemon no specs gvfs-udisks2-volume-monitor no specs xwayland no specs gvfs-mtp-volume-monitor no specs gvfs-gphoto2-volume-monitor no specs gvfs-goa-volume-monitor no specs dbus-daemon no specs goa-daemon no specs dbus-daemon no specs goa-identity-service no specs gvfs-afc-volume-monitor no specs snap no specs systemd-localed no specs dbus-daemon no specs xdg-permission-store no specs geoclue no specs dbus-daemon no specs dbus-daemon no specs gjs-console no specs at-spi2-registryd no specs gsd-sharing no specs gsd-wacom no specs gsd-color no specs ibus-daemon no specs gsd-keyboard no specs gsd-print-notifications no specs gsd-rfkill no specs gsd-smartcard no specs gsd-datetime no specs python3.10 no specs gsd-media-keys no specs gsd-screensaver-proxy no specs gsd-sound no specs gsd-a11y-settings no specs gsd-housekeeping no specs gsd-power no specs systemd-hostnamed no specs gsd-print-notifications no specs gsd-printer no specs dbus-daemon no specs false no specs ibus-engine-m17n no specs dash no specs xkbcomp no specs fprintd no specs ibus-daemon no specs dash no specs python3.10 no specs xkbcomp no specs ibus-engine-mozc no specs spice-vdagent no specs ibus-engine-unikey no specs xbrlapi no specs dbus-daemon no specs gvfsd no specs ibus-dconf no specs dbus-daemon no specs ibus-portal no specs ibus-engine-m17n no specs ibus-engine-mozc no specs dbus-daemon no specs gjs-console no specs ibus-engine-unikey no specs ibus-dconf no specs ibus-daemon no specs ibus-x11 no specs dbus-daemon no specs ibus-portal no specs ibus-engine-simple no specs tracker-extract-3 no specs gvfsd-metadata no specs

Process information

PID
CMD
Path
Indicators
Parent process
40659systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40660/bin/sh -c "sudo chown user /tmp/rep\.x86_64\.elf && chmod +x /tmp/rep\.x86_64\.elf && DISPLAY=:0 sudo -iu user /tmp/rep\.x86_64\.elf "/usr/bin/dashany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40661sudo chown user /tmp/rep.x86_64.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40662chown user /tmp/rep.x86_64.elf/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40663chmod +x /tmp/rep.x86_64.elf/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40664sudo -iu user /tmp/rep.x86_64.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40665/tmp/rep.x86_64.elf/tmp/rep.x86_64.elfsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40666/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkrep.x86_64.elf
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40667 /tmp/
rep.x86_64.elf
User:
user
Integrity Level:
UNKNOWN
40668 /tmp/
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
66
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
40830session-migration/var/lib/gdm3/.local/share/session_migration-(null)text
MD5:
SHA256:
40747tracker-extract-3/var/lib/gdm3/.cache/gstreamer-1.0/registry.x86_64.bin (deleted)binary
MD5:
SHA256:
40745pulseaudio/var/lib/gdm3/.cache/gstreamer-1.0/registry.x86_64.binbinary
MD5:
SHA256:
40745pulseaudio/var/lib/gdm3/.config/pulse/cookiebinary
MD5:
SHA256:
40860tracker-miner-fs-3/var/lib/gdm3/.cache/tracker3/files/meta.db-journal (deleted)binary
MD5:
SHA256:
40860tracker-miner-fs-3/var/lib/gdm3/.cache/tracker3/files/meta.dbbinary
MD5:
SHA256:
40860tracker-miner-fs-3/var/lib/gdm3/.cache/tracker3/files/ontologies.gvdbbinary
MD5:
SHA256:
40860tracker-miner-fs-3/var/lib/gdm3/.cache/tracker3/files/meta.db-shmbinary
MD5:
SHA256:
40851gnome-shell/tmp/.X1024-locktext
MD5:
SHA256:
40851gnome-shell/tmp/.X1025-locktext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
23 343
DNS requests
11
Threats
41

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.49:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
91.189.91.98:80
Canonical Group Limited
US
unknown
37.19.194.81:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
91.189.91.49:80
Canonical Group Limited
US
unknown
484
avahi-daemon
224.0.0.251:5353
unknown
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.57:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
40669
222.62.215.55:23
China TieTong Telecommunications Corporation
CN
unknown
40669
160.174.63.134:23
Itissalat Al-MAGHRIB
MA
unknown

DNS requests

Domain
IP
Reputation
odrs.gnome.org
  • 37.19.194.81
  • 195.181.175.40
  • 207.211.211.27
  • 169.150.255.184
  • 169.150.255.180
  • 212.102.56.178
  • 195.181.170.18
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
whitelisted
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::198
  • 2001:67c:1562::23
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::24
whitelisted
google.com
  • 142.250.181.238
  • 2a00:1450:4001:82b::200e
whitelisted
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.57
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::42
whitelisted
kittlerer.ru
  • 213.209.143.24
unknown
13.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
40667
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (kittlerer .ru)
40667
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 57
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to SSH scan external network
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to SSH scan external network
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to SSH scan external network
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Received Telnet Banner
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to SSH scan external network
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Received Telnet Banner
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Received Telnet Banner
40669
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to SSH scan external network
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rep.x86_64