File name:

virus.x86_64

Full analysis: https://app.any.run/tasks/6684badd-ae25-4e4b-81d5-d1b36377c273
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: August 08, 2024, 08:19:22
OS: Ubuntu 22.04.2
Tags:
miner
Indicators:
MIME: application/x-sharedlib
File info: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header
MD5:

FB95FC8C3ED253DEC1B08722F1BBF18E

SHA1:

D48D6DC76323EFA8C0AE799D245A650B9D914C09

SHA256:

215293B8BDD0A57497D5CC62421E64BB29334E088578679CBF509D66C7B7DC7E

SSDEEP:

49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MINER has been detected (SURICATA)

      • virus.x86_64 (PID: 13050)

    • Connects to the CnC server

      • virus.x86_64 (PID: 13050)

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • virus.x86_64 (PID: 12972)
      • cron (PID: 13056)

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 12951)
      • virus.x86_64 (PID: 12972)

    • Executes the "rm" command to delete files or directories

      • sh (PID: 13026)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • virus.x86_64 (PID: 12972)

    • Checks the user who created the process

      • cron (PID: 13056)

    • Modifies Cron jobs

      • sh (PID: 13026)

    • Potential Corporate Privacy Violation

      • virus.x86_64 (PID: 13050)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Shared object file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
307
Monitored processes
95
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
sh no specs file no specs sh no specs sudo no specs nautilus no specs locale-check no specs systemd-hostnamed no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs nautilus no specs virus.x86_64 no specs sh no specs dash no specs dash no specs dash no specs dash no specs awk no specs cat no specs grep no specs head no specs awk no specs hostname no specs whoami no specs hostname no specs grep no specs dash no specs dash no specs grep no specs cut no specs sed no specs sed no specs dash no specs dash no specs awk no specs dash no specs dash no specs awk no specs dash no specs dash no specs awk no specs dash no specs dash no specs dash no specs awk no specs dash no specs awk no specs dash no specs awk no specs sh no specs ps no specs awk no specs dash no specs id no specs sh no specs id no specs ps no specs grep no specs grep no specs grep no specs awk no specs whoami no specs dash no specs sh no specs dash no specs rm no specs crontab no specs grep no specs grep no specs dash no specs crontab no specs grep no specs grep no specs sort no specs uniq no specs wc no specs crontab no specs rm no specs sh no specs id no specs whoami no specs dash no specs ps no specs grep no specs grep no specs awk no specs wc no specs systemd-resolved #MINER virus.x86_64 cron no specs sh no specs dash no specs

Process information

PID
CMD
Path
Indicators
Parent process
425/lib/systemd/systemd-resolved/usr/lib/systemd/systemd-resolved
systemd
User:
systemd-resolve
Integrity Level:
UNKNOWN
12931sh -c "file --mime-type /tmp/virus\.x86_64"/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12932file --mime-type /tmp/virus.x86_64/usr/bin/filesh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12933/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus /tmp/virus\.x86_64 "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
12934sudo -iu user nautilus /tmp/virus.x86_64/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
12935nautilus /tmp/virus.x86_64/usr/bin/nautilussudo
User:
user
Integrity Level:
UNKNOWN
12936/usr/bin/locale-check C.UTF-8/usr/bin/locale-checknautilus
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12951/lib/systemd/systemd-hostnamed/lib/systemd/systemd-hostnamedsystemd
User:
root
Integrity Level:
UNKNOWN
Exit code:
485
12957systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
1195
12958systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
11
DNS requests
16
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.48:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
470
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown
138.199.37.40:443
odrs.gnome.org
Datacamp Limited
DE
unknown
485
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
malicious
485
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
13050
virus.x86_64
51.210.15.231:80
xmr-rx0.pwndns.pw
OVH SAS
FR
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.48
  • 91.189.91.49
  • 185.125.190.18
  • 91.189.91.98
  • 185.125.190.17
  • 185.125.190.96
  • 91.189.91.48
  • 185.125.190.97
  • 91.189.91.97
  • 91.189.91.96
  • 185.125.190.49
  • 185.125.190.98
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2001:67c:1562::24
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::98
whitelisted
google.com
  • 216.58.212.142
  • 2a00:1450:4001:829::200e
whitelisted
odrs.gnome.org
  • 138.199.37.40
  • 156.146.33.15
  • 138.199.37.35
  • 195.181.170.19
  • 195.181.175.41
  • 138.199.37.37
  • 212.102.56.179
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::101
whitelisted
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.55
whitelisted
160.100.168.192.in-addr.arpa
unknown
xmr-rx0.pwndns.pw
  • 167.172.144.84
  • 51.210.15.231
  • 209.38.202.4
unknown

Threats

PID
Process
Class
Message
425
systemd-resolved
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
425
systemd-resolved
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
13050
virus.x86_64
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
13050
virus.x86_64
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
virus.x86_64