| Field | Value |
|---|---|
| File name | perfcc.gz |
| Full analysis | https://app.any.run/tasks/f86fb288-6fe1-4646-a958-6d5f0daa4d55 |
| Verdict | Malicious activity |
| Analysis date | May 07, 2024, 14:08:40 |
| OS | Ubuntu 22.04.2 |
| Tags | |
| Indicators | |
| MIME | application/x-executable |
| File info | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header |
| MD5 | 656E22C65BF7C04D87B5AFBE52B8D800 |
| SHA1 | 0FD199053171FEC86BE186106EAC717C4EDAE2AD |
| SHA256 | 22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13 |
| SSDEEP | 98304:gg3mjy+0PIdNhyyta7W6q/0bFEi4D8k8+76D32PIH4hZ7tdmTmiX5PmbyqzLca4z:his4i1 |

| Extension | Identified type |
|---|---|
| .o | ELF Executable and Linkable format (generic) (100) |

| Property | Value |
|---|---|
| CPUArchitecture | 64 bit |
| CPUByteOrder | Little endian |
| ObjectFileType | Executable file |
| CPUType | AMD x86-64 |

| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code |
|---|---|---|---|---|---|---|---|
| 9261 | /bin/sh -c "sudo chown user /tmp/perfcc\.gz\.o && chmod +x /tmp/perfcc\.gz\.o && DISPLAY=:0 sudo -i /tmp/perfcc\.gz\.o " | /bin/sh | — | any-guest-agent | user | UNKNOWN | 0 |
| 9262 | sudo chown user /tmp/perfcc.gz.o | /usr/bin/sudo | — | sh | user | UNKNOWN | 0 |
| 9263 | chown user /tmp/perfcc.gz.o | /usr/bin/chown | — | sudo | root | UNKNOWN | 0 |
| 9264 | chmod +x /tmp/perfcc.gz.o | /usr/bin/chmod | — | sh | user | UNKNOWN | 0 |
| 9265 | sudo -i /tmp/perfcc.gz.o | /usr/bin/sudo | — | sh | user | UNKNOWN | 0 |
| 9266 | /tmp/perfcc.gz.o | /tmp/perfcc.gz.o | — | sudo | root | UNKNOWN | 0 |
| 9267 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | perfcc.gz.o | root | UNKNOWN | 0 |
| 9268 | -bash --login -c \/tmp\/perfcc\.gz\.o | /usr/bin/bash | — | perfcc.gz.o | root | UNKNOWN | 0 |
| 9269 | sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null" | /usr/bin/sh | — | bash | root | UNKNOWN | 0 |
| 9270 | tr \n " " | /usr/bin/tr | — | bash | root | UNKNOWN | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 9266 | perfcc.gz.o | /tmp/.xdiag/elog | — | — | — |
| 9337 | crontab | /var/spool/cron/crontabs/tmp.lLK9sf | — | — | — |
| 9344 | netplan | /systemd/system/netplan-ovs-cleanup.service.319LN2 | — | — | — |
| 9344 | netplan | /NetworkManager/conf.d/10-globally-managed-devices.conf.UZ9LN2 | — | — | — |
| 9344 | netplan | /systemd/generator/netplan.stamp | — | — | — |
| 9350 | systemd-fstab-generator | /systemd/generator/-.mount | — | — | — |
| 9350 | systemd-fstab-generator | /systemd/generator/boot-efi.mount | — | — | — |
| 9350 | systemd-fstab-generator | /systemd/generator/swapfile.swap | — | — | — |
| 9360 | systemd-sysv-generator | /systemd/generator.late/apport.service | — | — | — |
| 9360 | systemd-sysv-generator | /systemd/generator.late/speech-dispatcher.service | — | — | — |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 104.26.12.205:80 | http://api.ipify.org/ | unknown | — | — | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 91.189.91.48:80 | — | Canonical Group Limited | US | unknown |
| — | — | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown |
| — | — | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown |
| — | — | 224.0.0.251:5353 | — | — | — | unknown |
| — | — | 192.87.28.82:9001 | — | SURF B.V. | NL | unknown |
| — | — | 135.135.199.41:443 | — | TDS-AS | US | unknown |
| — | — | 142.132.157.35:8443 | — | Hetzner Online GmbH | DE | unknown |
| — | — | 104.26.12.205:80 | api.ipify.org | CLOUDFLARENET | US | unknown |
| — | — | 51.15.89.200:9001 | — | Online S.a.s. | NL | unknown |
| — | — | 146.0.36.87:9007 | — | myLoc managed IT AG | DE | unknown |

| Domain | IP | Reputation |
|---|---|---|
| api.snapcraft.io | | unknown |
| 196.100.168.192.in-addr.arpa | | unknown |
| api.ipify.org | | shared |
| connectivity-check.ubuntu.com | | unknown |

| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283 |
| — | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174 |
| — | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 154 |
| — | — | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
| — | — | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
| — | — | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup api.ipify.org |
| — | — | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org) |
| — | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
| — | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649 |
| — | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184 |