Malware analysis x86_64 Malicious activity | ANY.RUN

Add for printing

File name:	x86_64
Full analysis:	https://app.any.run/tasks/432fcc63-1083-4094-a3af-ecdc52067595
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	April 03, 2024, 00:46:18
OS:	Ubuntu 22.04.2
Tags:	miner
Indicators:
MIME:	application/x-sharedlib
File info:	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header
MD5:	FB95FC8C3ED253DEC1B08722F1BBF18E
SHA1:	D48D6DC76323EFA8C0AE799D245A650B9D914C09
SHA256:	215293B8BDD0A57497D5CC62421E64BB29334E088578679CBF509D66C7B7DC7E
SSDEEP:	49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads /proc/mounts (likely used to find writable filesystems)
  - x86_64.o (PID: 9351)
  - x86_64.o (PID: 9435)
  - x86_64.o (PID: 9605)
  - x86_64.o (PID: 9526)
  - x86_64.o (PID: 9682)
- Executes commands using command-line interpreter
  - gnome-terminal-server (PID: 9296)
  - x86_64.o (PID: 9351)
  - cron (PID: 9433)
  - x86_64.o (PID: 9526)
  - cron (PID: 9603)
  - x86_64.o (PID: 9435)
  - cron (PID: 9524)
  - cron (PID: 9680)
  - x86_64.o (PID: 9682)
  - x86_64.o (PID: 9605)
- Checks DMI information (probably VM detection)
  - x86_64.o (PID: 9351)
  - x86_64.o (PID: 9435)
  - x86_64.o (PID: 9526)
  - x86_64.o (PID: 9605)
  - x86_64.o (PID: 9682)
- Checks the online status of NUMA nodes
  - x86_64.o (PID: 9351)
  - x86_64.o (PID: 9435)
  - x86_64.o (PID: 9526)
  - x86_64.o (PID: 9605)
  - x86_64.o (PID: 9682)
- Checks list of the CPUs
  - x86_64.o (PID: 9351)
  - x86_64.o (PID: 9435)
  - x86_64.o (PID: 9526)
  - x86_64.o (PID: 9605)
  - x86_64.o (PID: 9682)
- Checks active cgroups controllers (like CPU time, system memory, network bandwidth)
  - x86_64.o (PID: 9351)
  - x86_64.o (PID: 9435)
  - x86_64.o (PID: 9526)
  - x86_64.o (PID: 9605)
  - x86_64.o (PID: 9682)
- Modifies Cron jobs
  - sh (PID: 9403)
- Checks the user who created the process
  - cron (PID: 9433)
  - cron (PID: 9603)
  - cron (PID: 9524)
  - cron (PID: 9680)
- Executes the "rm" command to delete files or directories
  - sh (PID: 9403)
  - sh (PID: 9578)
  - sh (PID: 9734)
  - sh (PID: 9657)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	64 bit
CPUByteOrder:	Little endian
ObjectFileType:	Shared object file
CPUType:	AMD x86-64

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

614

Monitored processes

394

Malicious processes

1

Suspicious processes

5

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
9255	/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus \"/tmp/x86_64\.o\" "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN
9256	sudo -iu user nautilus /tmp/x86_64.o	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN
9257	nautilus /tmp/x86_64.o	/usr/bin/nautilus	—	sudo
User: user Integrity Level: UNKNOWN
9258	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 0
9289	/usr/bin/python3 /usr/bin/gnome-terminal	/usr/bin/gnome-terminal	—	gnome-shell
User: user Integrity Level: UNKNOWN Exit code: 496
9291	/usr/bin/gnome-terminal.real	/usr/bin/gnome-terminal.real	—	gnome-terminal
User: user Integrity Level: UNKNOWN Exit code: 9271
9296	/usr/libexec/gnome-terminal-server	/usr/libexec/gnome-terminal-server	—	systemd
User: user Integrity Level: UNKNOWN
9314	bash	/bin/bash	—	gnome-terminal-server
User: user Integrity Level: UNKNOWN
9315	/bin/sh /usr/bin/lesspipe	/usr/bin/lesspipe	—	bash
User: user Integrity Level: UNKNOWN Exit code: 496
9316	basename /usr/bin/lesspipe	/usr/bin/basename	—	lesspipe
User: user Integrity Level: UNKNOWN Exit code: 496

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
9257	nautilus	/home/user/.local/share/nautilus/tags/meta.db-wal		—
		MD5:—	SHA256:—
9257	nautilus	/home/user/.local/share/nautilus/tags/meta.db-shm		—
		MD5:—	SHA256:—
9257	nautilus	/home/user/.local/share/nautilus/tags/.meta.isrunning		—
		MD5:—	SHA256:—
9408	grep	/tmp/.cron		—
		MD5:—	SHA256:—
9416	crontab	/var/spool/cron/crontabs/tmp.1Pgd6I		—
		MD5:—	SHA256:—
9351	x86_64.o	/tmp/.lock		—
		MD5:—	SHA256:—
9583	grep	/home/user/.cron		—
		MD5:—	SHA256:—
9662	grep	/home/user/.cron		—
		MD5:—	SHA256:—
9739	grep	/home/user/.cron		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

4

DNS requests

8

Threats

4

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	164.92.162.124:80	xmr-rx0.pwndns.pw	DIGITALOCEAN-ASN	DE	unknown
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
79.100.168.192.in-addr.arpa	—	unknown
xmr-rx0.pwndns.pw	157.245.129.77 164.92.162.124 51.210.15.231	unknown
connectivity-check.ubuntu.com	2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4002:1::197 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4002:1::198 2620:2d:4000:1::98 2001:67c:1562::23 2620:2d:4000:1::97 2620:2d:4000:1::23 2620:2d:4000:1::2a 2620:2d:4002:1::196	unknown
api.snapcraft.io	185.125.188.58 185.125.188.59 185.125.188.54 185.125.188.55	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query to a *.pw domain - Likely Hostile
—	—	Potentially Bad Traffic	ET DNS Query to a *.pw domain - Likely Hostile
—	—	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin
—	—	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

Add for printing

No debug info

General Info

x86_64

FB95FC8C3ED253DEC1B08722F1BBF18E

D48D6DC76323EFA8C0AE799D245A650B9D914C09

215293B8BDD0A57497D5CC62421E64BB29334E088578679CBF509D66C7B7DC7E

49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads /proc/mounts (likely used to find writable filesystems)

Executes commands using command-line interpreter

Checks DMI information (probably VM detection)

Checks the online status of NUMA nodes

Checks list of the CPUs

Checks active cgroups controllers (like CPU time, system memory, network bandwidth)

Modifies Cron jobs

Checks the user who created the process

Executes the "rm" command to delete files or directories

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings