File name:

.diicot

Full analysis: https://app.any.run/tasks/70f5cbe0-9180-471f-8fad-ecf71b8b792f
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: March 21, 2024, 16:14:59
OS: Ubuntu 22.04.2
Tags:
miner
Indicators:
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
MD5:

F0962F1BEA790116674333F1EC70FB20

SHA1:

B4534C33DED292B9D2E78927D415526663E111AF

SHA256:

402291E80A48CE927C059A3348FDF08EF7DB4FB461AB28BF16631D9E4C747C81

SSDEEP:

12288:CvT10wOXna46mIcHhtHDbGb0eWdOMWvE6rBZ:CL10wga46mIChtHub0eWdOMWvEEBZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 9266)
      • bash (PID: 9269)
      • bash (PID: 9267)
      • cron (PID: 9383)
      • cron (PID: 9380)

    • Modifies file or directory owner

      • sudo (PID: 9263)

    • Creates shell script file

      • awk (PID: 9283)

    • Gets information about currently running processes

      • bash (PID: 9267)
      • .b4nd1d0 (PID: 9329)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 9267)

    • Uses wget to download content

      • bash (PID: 9267)

    • Checks list of the CPUs

      • Opera (PID: 9292)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • Opera (PID: 9292)

    • Checks active cgroups controllers (like CPU time, system memory, network bandwidth)

      • Opera (PID: 9292)

    • Creates or rewrites file in the "bin" folder

      • bash (PID: 9267)

    • Checks DMI information (probably VM detection)

      • Opera (PID: 9292)

    • Checks the user who created the process

      • cron (PID: 9383)
      • cron (PID: 9380)

    • Removes file immutable attribute

      • bash (PID: 9267)

    • Modifies Cron jobs

      • bash (PID: 9267)

    • Checks the online status of NUMA nodes

      • Opera (PID: 9292)

    • Writes to Systemd service files (likely for persistence achievement)

      • sudo (PID: 9266)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
330
Monitored processes
111
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
9262/bin/sh -c "sudo chown user \"/tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f\.o\" && chmod +x \"/tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f\.o\" && DISPLAY=:0 sudo -i \"/tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f\.o\" "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
9354
9263sudo chown user /tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f.o/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9264chown user /tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f.o/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9265chmod +x /tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f.o/usr/bin/chmodsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9266sudo -i /tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f.o/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
9354
9267/tmp/70f5cbe0-9180-471f-8fad-ecf71b8b792f.o -c/bin/bashsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
9354
9268/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9269-bash --login -c \/tmp\/70f5cbe0-9180-471f-8fad-ecf71b8b792f\.o/usr/bin/bashbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9270sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"/usr/bin/shbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9271tr \n " "/usr/bin/trbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
9267bash/var/tmp/.ladyg0g0/.pr1nc35
MD5:
SHA256:
9267bash/usr/bin/.locatione
MD5:
SHA256:
9283awk/var/tmp/x.sh
MD5:
SHA256:
9287wget/var/tmp/Documents/Opera
MD5:
SHA256:
9267bash/var/tmp/Documents/config.json
MD5:
SHA256:
9267bash/root/.ssh/authorized_keys
MD5:
SHA256:
9267bash/var/tmp/Documents/.5p4rk3l5
MD5:
SHA256:
9323crontab/var/spool/cron/crontabs/tmp.mMwYmO
MD5:
SHA256:
9267bash/var/tmp/Documents/.b4nd1d0
MD5:
SHA256:
9267bash/usr/bin/sshd
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
7
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
94.156.68.141:80
http://94.156.68.141/.NzJjOTYw/Opera
BG
binary
7.66 Mb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
224.0.0.251:5353
unknown
94.156.68.141:80
Terasyst Ltd
BG
unknown
91.92.251.113:7777
Natskovi & Sie Ltd.
BG
unknown

DNS requests

Domain
IP
Reputation
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.59
unknown
27.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2001:67c:1562::24
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::98
unknown

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
.diicot