File name:

giyto

Full analysis: https://app.any.run/tasks/6ab1c4e3-bb9f-42aa-9ba9-886526ccfd20
Verdict: Malicious activity
Analysis date: January 29, 2025, 11:36:58
OS: Ubuntu 22.04.2 LTS
Tags:
websocket
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
MD5:

237E700CB54FA7DEB44947E29CC97766

SHA1:

972F724522DFB6FF01C5A6C681EC5C627CD2EC7B

SHA256:

5D1F02CA3DF61CD034007549BA9231FA5C39CF67E826A78B2B290DADDE28B575

SSDEEP:

98304:IfE8u67Kdu1ISJkXiU1p/Cui8j/8Svqqmi+csYAcSBd3LEeyJ7OL1pNDdBvgwiTF:E/S/4+ZzE4m3JUuZp/prO2+/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 38759)

    • Modifies file or directory owner

      • sudo (PID: 38756)

    • Writes to Systemd service files (likely for persistence achievement)

      • sudo (PID: 38759)
      • systemd (PID: 38781)
      • systemd (PID: 38804)

    • Creates or rewrites file in the "bin" folder

      • giyto.elf (PID: 38762)
      • gu4te (PID: 38826)

    • Connects to unusual port

      • gu4te (PID: 38826)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
280
Monitored processes
69
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs chown no specs chmod no specs sudo no specs systemctl no specs systemctl no specs giyto.elf no specs locale-check no specs bash no specs dash no specs tr no specs cat no specs mesg no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemd no specs snapd-env-generator no specs systemd no specs dash no specs generate no specs dash no specs cat no specs snapd-generator no specs systemd-bless-boot-generator no specs systemd-cryptsetup-generator no specs systemd-debug-generator no specs systemd-fstab-generator no specs mkdir no specs systemd-getty-generator no specs systemd-gpt-auto-generator no specs systemd-hibernate-resume-generator no specs systemd-rc-local-generator no specs systemd-run-generator no specs systemd-system-update-generator no specs systemd-sysv-generator no specs systemd-veritysetup-generator no specs ls no specs systemctl no specs systemd no specs systemd no specs snapd-env-generator no specs dash no specs generate no specs dash no specs snapd-generator no specs systemd-bless-boot-generator no specs systemd-cryptsetup-generator no specs systemd-debug-generator no specs systemd-fstab-generator no specs systemd-getty-generator no specs systemd-gpt-auto-generator no specs systemd-hibernate-resume-generator no specs systemd-rc-local-generator no specs systemd-run-generator no specs systemd-system-update-generator no specs systemd-sysv-generator no specs systemd-veritysetup-generator no specs mkdir no specs cat no specs ls no specs crontab no specs systemctl no specs gu4te systemctl no specs systemctl no specs systemctl no specs

Process information

PID
CMD
Path
Indicators
Parent process
38755/bin/sh -c "sudo chown user /tmp/giyto\.elf && chmod +x /tmp/giyto\.elf && DISPLAY=:0 sudo -i /tmp/giyto\.elf "/usr/bin/dashany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38756sudo chown user /tmp/giyto.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38757chown user /tmp/giyto.elf/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38758chmod +x /tmp/giyto.elf/usr/bin/chmoddash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38759sudo -i /tmp/giyto.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38760systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38761systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38762/tmp/giyto.elf/tmp/giyto.elfsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38763/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkgiyto.elf
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38764-bash --login -c \/tmp\/giyto\.elf/usr/bin/bashgiyto.elf
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
38762giyto.elf/etc/systemd/system/system.journald.servicetext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
29
DNS requests
16
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.96:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
91.189.91.96:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38826
gu4te
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.96:80
Canonical Group Limited
US
unknown
169.150.255.181:443
odrs.gnome.org
GB
whitelisted
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
38826
gu4te
8.8.4.4:443
dns.google
GOOGLE
US
whitelisted
38826
gu4te
77.88.8.1:443
common.dot.dns.yandex.net
YANDEX LLC
RU
whitelisted
38826
gu4te
104.16.249.249:443
cloudflare-dns.com
CLOUDFLARENET
whitelisted
38826
gu4te
45.87.246.5:0
Alex Group LLC
RU
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
  • 2a00:1450:4001:810::200e
whitelisted
odrs.gnome.org
  • 169.150.255.181
  • 195.181.170.18
  • 37.19.194.81
  • 212.102.56.178
  • 195.181.175.40
  • 169.150.255.184
  • 207.211.211.27
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::18
whitelisted
api.snapcraft.io
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.58
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::6d
whitelisted
dns.google
  • 2001:4860:4860::8888
  • 2001:4860:4860::8844
  • 8.8.4.4
  • 8.8.8.8
whitelisted
common.dot.dns.yandex.net
  • 2a02:6b8:0:1::feed:ff
  • 2a02:6b8::feed:ff
  • 77.88.8.1
  • 77.88.8.8
whitelisted
cloudflare-dns.com
  • 104.16.249.249
  • 104.16.248.249
  • 2606:4700::6810:f8f9
  • 2606:4700::6810:f9f9
whitelisted
156.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::197
whitelisted

Threats

PID
Process
Class
Message
38826
gu4te
Misc activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
38826
gu4te
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
38826
gu4te
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38826
gu4te
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
38826
gu4te
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38826
gu4te
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
38826
gu4te
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38826
gu4te
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
38826
gu4te
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38826
gu4te
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
No debug info