Malware analysis Space.x86 Malicious activity | ANY.RUN

Add for printing

File name:	Space.x86
Full analysis:	https://app.any.run/tasks/c9c67012-605a-4e5f-9fb8-5407c56d0018
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	January 11, 2025, 01:42:12
OS:	Ubuntu 22.04.2 LTS
Tags:	mirai botnet
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
MD5:	C554CB8996668257429E6D593DB407A6
SHA1:	1BB9FC08953B41EE6DE78B6A556333194BAAFDB0
SHA256:	36CD33C6AD1DB73AFEDA54EFBA7E2C17E21C0AFEF5B9BADBE8E38A23045CB4EA
SSDEEP:	768:O2gQ+5Vnk7aSgWDjrvo56Aca3JBozBGmmoSEUCRoND6ZCi6axcW+b31H:DwwayLFQmVSEUdyCZax3+b3l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - Space.x86.elf (PID: 38748)
  - Space.x86.elf (PID: 38750)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 38740)
- Connects to unusual port
  - Space.x86.elf (PID: 38750)
  - Space.x86.elf (PID: 38748)
- Contacting a server suspected of hosting an CnC
  - Space.x86.elf (PID: 38748)
  - Space.x86.elf (PID: 38750)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

220

Monitored processes

12

Malicious processes

6

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38739	/bin/sh -c "sudo chown user /tmp/Space\.x86\.elf && chmod +x /tmp/Space\.x86\.elf && DISPLAY=:0 sudo -iu user /tmp/Space\.x86\.elf "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
38740	sudo chown user /tmp/Space.x86.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38741	chown user /tmp/Space.x86.elf	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38742	chmod +x /tmp/Space.x86.elf	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38743	sudo -iu user /tmp/Space.x86.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38744	/tmp/Space.x86.elf	/tmp/Space.x86.elf	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38745	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	Space.x86.elf
User: user Integrity Level: UNKNOWN Exit code: 0
38746	/tmp/Space.x86.elf	/tmp/Space.x86.elf	—	Space.x86.elf
User: user Integrity Level: UNKNOWN Exit code: 0
38747	/tmp/Space.x86.elf	/tmp/Space.x86.elf	—	Space.x86.elf
User: user Integrity Level: UNKNOWN Exit code: 0
38748	/tmp/Space.x86.elf	/tmp/Space.x86.elf		Space.x86.elf
User: user Integrity Level: UNKNOWN

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

82

DNS requests

8

Threats

6

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
488	NetworkManager	GET	204	185.125.190.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
488	NetworkManager	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
38748	Space.x86.elf	89.213.158.208:3778	—	GCI Network Solutions Limited	GB	malicious
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
38750	Space.x86.elf	89.213.158.208:3778	—	GCI Network Solutions Limited	GB	malicious

DNS requests

Domain	IP	Reputation
google.com	142.250.185.110 2a00:1450:4001:80e::200e	whitelisted
connectivity-check.ubuntu.com	185.125.190.96 91.189.91.96 91.189.91.97 91.189.91.49 185.125.190.48 185.125.190.49 185.125.190.17 91.189.91.48 185.125.190.18 185.125.190.97 91.189.91.98 185.125.190.98 2620:2d:4000:1::98 2620:2d:4002:1::198 2620:2d:4000:1::2a 2620:2d:4000:1::2b 2620:2d:4000:1::22 2620:2d:4000:1::23 2620:2d:4002:1::196 2620:2d:4000:1::97 2001:67c:1562::24 2620:2d:4002:1::197 2620:2d:4000:1::96 2001:67c:1562::23	whitelisted
64.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)

Add for printing

No debug info

General Info

Space.x86

C554CB8996668257429E6D593DB407A6

1BB9FC08953B41EE6DE78B6A556333194BAAFDB0

36CD33C6AD1DB73AFEDA54EFBA7E2C17E21C0AFEF5B9BADBE8E38A23045CB4EA

768:O2gQ+5Vnk7aSgWDjrvo56Aca3JBozBGmmoSEUCRoND6ZCi6axcW+b31H:DwwayLFQmVSEUdyCZax3+b3l

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings