Malware analysis rebirth.i686 Malicious activity | ANY.RUN

Add for printing

File name:	rebirth.i686
Full analysis:	https://app.any.run/tasks/5c2f3c3a-65eb-4f41-b0a3-53a472b8a180
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 10:52:47
OS:	Ubuntu 22.04.2 LTS
Tags:	ddos gafgyt botnet
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
MD5:	28E18D356688C0FDF9E3AFAA4BAD0BFC
SHA1:	812439314484BAD7D93F2539E10BE1214EF208C9
SHA256:	434ABD280673159DF72C6A9EAAF0D2E8B260B079E11F728BFA5EBA3D6B44D934
SSDEEP:	3072:BZ9s7DLXEQUQSmeAkGEBC7svGR5YBuUzf/xXigEdxmwsN1VYLf0:BZ9s7DL0DRt07sQYHfBigEjmwsN1uLf0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - rebirth.i686.elf (PID: 38754)
- GAFGYT has been detected (SURICATA)
  - rebirth.i686.elf (PID: 38754)
- Connects to the CnC server
  - rebirth.i686.elf (PID: 38754)
SUSPICIOUS
- Connects to unusual port
  - rebirth.i686.elf (PID: 38754)
- Modifies file or directory owner
  - sudo (PID: 38746)
- Contacting a server suspected of hosting an CnC
  - rebirth.i686.elf (PID: 38754)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

219

Monitored processes

12

Malicious processes

4

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38745	/bin/sh -c "sudo chown user /tmp/rebirth\.i686\.elf && chmod +x /tmp/rebirth\.i686\.elf && DISPLAY=:0 sudo -iu user /tmp/rebirth\.i686\.elf "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
38746	sudo chown user /tmp/rebirth.i686.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38747	chown user /tmp/rebirth.i686.elf	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38748	chmod +x /tmp/rebirth.i686.elf	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38749	sudo -iu user /tmp/rebirth.i686.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38751	/tmp/rebirth.i686.elf	/tmp/rebirth.i686.elf	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38752	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	rebirth.i686.elf
User: user Integrity Level: UNKNOWN Exit code: 0
38753	/tmp/rebirth.i686.elf	/tmp/rebirth.i686.elf	—	rebirth.i686.elf
User: user Integrity Level: UNKNOWN Exit code: 0
38754	/tmp/rebirth.i686.elf	/tmp/rebirth.i686.elf		rebirth.i686.elf
User: user Integrity Level: UNKNOWN
38755	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

2

TCP/UDP connections

9

DNS requests

10

Threats

7

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	91.189.91.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.48:80	—	Canonical Group Limited	US	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	195.181.175.41:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38754	rebirth.i686.elf	93.123.85.5:666	—	Vivacom	BG	unknown
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::22 2620:2d:4002:1::196 2620:2d:4002:1::198 2620:2d:4000:1::2b 2001:67c:1562::23 2620:2d:4000:1::97 2620:2d:4000:1::2a 2620:2d:4000:1::98 2001:67c:1562::24 2620:2d:4002:1::197 2620:2d:4000:1::23 2620:2d:4000:1::96	whitelisted
google.com	216.58.206.78 2a00:1450:4001:829::200e	whitelisted
odrs.gnome.org	195.181.175.41 37.19.194.80 195.181.170.18 212.102.56.179 207.211.211.26 169.150.255.180 169.150.255.184 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::112 2a02:6ea0:c700::107 2a02:6ea0:c700::18 2a02:6ea0:c700::101 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.59 185.125.188.55 185.125.188.58 2620:2d:4000:1010::2e6 2620:2d:4000:1010::6d 2620:2d:4000:1010::117 2620:2d:4000:1010::42	whitelisted
48.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Gafgyt.DDoS Check-In (Linux Gen.Mirai)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)

5 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

rebirth.i686

28E18D356688C0FDF9E3AFAA4BAD0BFC

812439314484BAD7D93F2539E10BE1214EF208C9

434ABD280673159DF72C6A9EAAF0D2E8B260B079E11F728BFA5EBA3D6B44D934

3072:BZ9s7DLXEQUQSmeAkGEBC7svGR5YBuUzf/xXigEdxmwsN1VYLf0:BZ9s7DL0DRt07sQYHfBigEjmwsN1uLf0

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

GAFGYT has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Connects to unusual port

Modifies file or directory owner

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings