File name:

virus.x86_64

Full analysis: https://app.any.run/tasks/0f801aec-7678-4d8d-ac98-ee7a80363170
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: August 08, 2024, 11:51:21
OS: Ubuntu 22.04.2
Tags:
miner
Indicators:
MIME: application/x-sharedlib
File info: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header
MD5:

FB95FC8C3ED253DEC1B08722F1BBF18E

SHA1:

D48D6DC76323EFA8C0AE799D245A650B9D914C09

SHA256:

215293B8BDD0A57497D5CC62421E64BB29334E088578679CBF509D66C7B7DC7E

SSDEEP:

49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • virus.x86_64 (PID: 13040)

    • MINER has been detected (SURICATA)

      • virus.x86_64 (PID: 13040)

  • SUSPICIOUS

    • Reads /proc/mounts (likely used to find writable filesystems)

      • virus.x86_64 (PID: 12963)
      • check-new-release-gtk (PID: 13115)

    • Executes commands using command-line interpreter

      • virus.x86_64 (PID: 12963)
      • gnome-terminal-server (PID: 13053)
      • cron (PID: 13102)
      • cron (PID: 13110)
      • update-notifier (PID: 13113)
      • cron (PID: 13127)
      • cron (PID: 13136)

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 12944)
      • virus.x86_64 (PID: 12963)

    • Modifies Cron jobs

      • sh (PID: 13016)

    • Executes the "rm" command to delete files or directories

      • sh (PID: 13016)

    • Potential Corporate Privacy Violation

      • virus.x86_64 (PID: 13040)

    • Checks the user who created the process

      • cron (PID: 13102)
      • cron (PID: 13110)
      • cron (PID: 13136)
      • cron (PID: 13127)

    • Gets information about currently running processes

      • bash (PID: 13075)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Shared object file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
338
Monitored processes
125
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
sh no specs file no specs sh no specs sudo no specs systemctl no specs systemctl no specs nautilus no specs locale-check no specs systemd-hostnamed no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs nautilus no specs virus.x86_64 no specs sh no specs dash no specs dash no specs hostname no specs dash no specs awk no specs dash no specs cat no specs grep no specs head no specs awk no specs whoami no specs hostname no specs grep no specs dash no specs dash no specs grep no specs cut no specs sed no specs sed no specs dash no specs dash no specs awk no specs dash no specs dash no specs awk no specs dash no specs dash no specs awk no specs dash no specs dash no specs awk no specs dash no specs dash no specs awk no specs dash no specs awk no specs sh no specs ps no specs awk no specs dash no specs id no specs sh no specs id no specs ps no specs grep no specs grep no specs whoami no specs grep no specs awk no specs dash no specs sh no specs dash no specs rm no specs crontab no specs grep no specs grep no specs dash no specs crontab no specs grep no specs grep no specs sort no specs uniq no specs wc no specs crontab no specs rm no specs sh no specs id no specs whoami no specs dash no specs ps no specs grep no specs grep no specs awk no specs wc no specs systemd-resolved #MINER virus.x86_64 gnome-terminal no specs gnome-terminal.real no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dirname no specs dircolors no specs systemctl no specs pager no specs cron no specs sh no specs dash no specs top no specs cron no specs sh no specs dash no specs update-notifier no specs sh no specs check-new-release-gtk dpkg no specs dpkg no specs lsb_release no specs lsb_release no specs lsb_release no specs lsb_release no specs cron no specs sh no specs dash no specs cron no specs sh no specs dash no specs

Process information

PID
CMD
Path
Indicators
Parent process
425/lib/systemd/systemd-resolved/usr/lib/systemd/systemd-resolved
systemd
User:
systemd-resolve
Integrity Level:
UNKNOWN
12923sh -c "file --mime-type /tmp/virus\.x86_64"/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12924file --mime-type /tmp/virus.x86_64/usr/bin/filesh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12925/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus /tmp/virus\.x86_64 "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
12926sudo -iu user nautilus /tmp/virus.x86_64/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
12927systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12928systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12929nautilus /tmp/virus.x86_64/usr/bin/nautilussudo
User:
user
Integrity Level:
UNKNOWN
12930/usr/bin/locale-check C.UTF-8/usr/bin/locale-checknautilus
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12944/lib/systemd/systemd-hostnamed/lib/systemd/systemd-hostnamedsystemd
User:
root
Integrity Level:
UNKNOWN
Exit code:
418
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
13087pager/home/user/.lesshsQtext
MD5:
SHA256:
13110cron/tmp/#6029335 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/tmp/#6029335 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/tmp/#6029359 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/tmp/#6029378 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/tmp/#6029379 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/tmp/#6029381 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/tmp/#6029987 (deleted)text
MD5:
SHA256:
13115check-new-release-gtk/home/user/.cache/update-manager-core/meta-release-ltstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
14
DNS requests
23
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
470
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown
212.102.56.178:443
odrs.gnome.org
Datacamp Limited
DE
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
malicious
485
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
malicious
13040
virus.x86_64
209.38.202.4:80
xmr-rx0.pwndns.pw
US
unknown
13115
check-new-release-gtk
185.125.190.18:443
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 91.189.91.98
  • 185.125.190.97
  • 91.189.91.49
  • 185.125.190.98
  • 91.189.91.96
  • 185.125.190.48
  • 185.125.190.49
  • 185.125.190.96
  • 185.125.190.17
  • 185.125.190.18
  • 91.189.91.48
  • 91.189.91.97
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::22
whitelisted
google.com
  • 142.250.186.46
  • 2a00:1450:4001:829::200e
whitelisted
odrs.gnome.org
  • 212.102.56.178
  • 156.146.33.14
  • 138.199.37.38
  • 195.181.175.40
  • 138.199.37.41
  • 138.199.37.25
  • 195.181.170.18
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.59
whitelisted
190.100.168.192.in-addr.arpa
unknown
xmr-rx0.pwndns.pw
  • 51.210.15.231
  • 209.38.202.4
  • 167.172.144.84
unknown
changelogs.ubuntu.com
  • 185.125.190.18
  • 91.189.91.49
  • 91.189.91.48
  • 185.125.190.17
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a
whitelisted

Threats

PID
Process
Class
Message
425
systemd-resolved
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
425
systemd-resolved
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
13040
virus.x86_64
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
13040
virus.x86_64
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
virus.x86_64