File name: lino

Full analysis: https://app.any.run/tasks/be1a822a-48e8-45a1-be0c-ce3fc77c1c2c
Verdict: Malicious activity
Analysis date: April 10, 2024, 01:58:10
OS: Ubuntu 22.04.2
Tags: remote, dinodas
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.9, stripped
MD5: F1CF940F9E64EDBD21F30249926C7E03
SHA1: 8F6840D7B6B43D37293FC37C1636132B5934876B
SHA256: 6302ACDFCE30CEC5E9167FF7905800A6220C7DDA495C0AAE1F4594C7263A29B2
SSDEEP: 3072:oGPAKSoJIdU7EJqkLB97r6KFozsBjVuMjgTw5AIpxmdqPmm9DnSyoWE7lzre559K:oGPAKS7XVgTaAIekx9DnroWEV8B9e5d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Modifies file or directory owner
      • sudo (PID: 9260)
    • Executes commands using command-line interpreter
      • bash (PID: 9266)
      • gnome-terminal-server (PID: 9307)
      • lino.o (PID: 9281)
      • lino.o (PID: 9271)
    • Changes time attribute to hide new files or make changes to existing ones
      • sh (PID: 9282)
      • sh (PID: 9289)
    • Modifies startup scripts of the system services
      • lino.o (PID: 9271)
    • Reads information about logins, logouts, and login attempts
      • bash (PID: 9325)
    • Gets information about currently running processes
      • sh (PID: 9293)
    • Checks the system hardware (BIOS, baseboard, CPU, etc.)
      • sh (PID: 9287)
    • Writes to systemd service files (likely for achieving persistence)
      • lino.o (PID: 9264)
  • INFO
    No info indicators.
No Malware configuration.

TRiD
  .o | ELF Executable and Linkable format (generic) (49.8)

EXIF (EXE)
  CPUArchitecture: 64 bit
  CPUByteOrder: Little endian
  ObjectFileType: Executable file
  CPUType: AMD x86-64

No data.
All screenshots are available in the full report
Total processes: 278
Monitored processes: 58
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Processes in the order shown in the graph (58 monitored):
sh, sudo, chown, chmod, sudo, lino.o, locale-check, bash, sh, tr, mesg, cat, lino.o, sh, sh, cat, cat, sh, ln, sh, chmod, sh, lino.o, sh, sh, touch, sh, ip, sh, dmidecode, sh, touch, sh, cat, sh, getconf, gnome-terminal, gnome-terminal.real, gnome-terminal-server, bash, lesspipe, dircolors, basename, dash, dirname, ls, bash, bash, bash, bash, ls, find, sudo, sudo, find, bash, bash, ls

Process information

PID 9259
  CMD: /bin/sh -c "sudo chown user \"/home/user/Desktop/lino\.o\" && chmod +x \"/home/user/Desktop/lino\.o\" && DISPLAY=:0 sudo -i \"/home/user/Desktop/lino\.o\" "
  Path: /bin/sh
  Parent process: any-guest-agent
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9260
  CMD: sudo chown user /home/user/Desktop/lino.o
  Path: /usr/bin/sudo
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9261
  CMD: chown user /home/user/Desktop/lino.o
  Path: /usr/bin/chown
  Parent process: sudo
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9262
  CMD: chmod +x /home/user/Desktop/lino.o
  Path: /usr/bin/chmod
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9263
  CMD: sudo -i /home/user/Desktop/lino.o
  Path: /usr/bin/sudo
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9264
  CMD: /home/user/Desktop/lino.o
  Path: /home/user/Desktop/lino.o
  Parent process: sudo
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9265
  CMD: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: lino.o
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9266
  CMD: -bash --login -c \/home\/user\/Desktop\/lino\.o
  Path: /usr/bin/bash
  Parent process: lino.o
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9267
  CMD: sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"
  Path: /usr/bin/sh
  Parent process: bash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9268
  CMD: tr \n " "
  Path: /usr/bin/tr
  Parent process: bash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 9271, process lino.o
  Filename: /usr/lib/systemd/system/rc.local.service
  MD5:
  SHA256:

PID 9271, process lino.o
  Filename: /etc/rc.local
  MD5:
  SHA256:

PID 9281, process lino.o
  Filename: /etc/.netsc.conf
  MD5:
  SHA256:
HTTP(S) requests: 2
TCP/UDP connections: 16
DNS requests: 9
Threats: 221

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (empty cells omitted)
GET | 204 | 91.189.91.97:80 | http://connectivity-check.ubuntu.com/ | unknown | unknown
GET | 204 | 91.189.91.97:80 | http://connectivity-check.ubuntu.com/ | unknown | unknown

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (empty cells omitted)
91.189.91.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | unknown
185.125.190.48:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | unknown
224.0.0.251:5353 | unknown
91.195.240.94:443 | update.microsoft-setting.com | unknown
185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown
185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown

DNS requests

Columns: Domain, IP, Reputation (empty cells omitted)
update.microsoft-setting.com | 91.195.240.94 | unknown
97.100.168.192.in-addr.arpa | unknown
connectivity-check.ubuntu.com | (24 resolved IPv4 and IPv6 addresses omitted) | unknown
api.snapcraft.io | 185.125.188.54, 185.125.188.55, 185.125.188.58, 185.125.188.59 | unknown

Threats

Columns: PID, Process, Class, Message (only Class and Message are populated)
A Network Trojan was detected | ET MALWARE DNS Query to Earth Krahang APT Domain (update .microsoft-setting .com)
A Network Trojan was detected | ET MALWARE Suspected DinodasRAT Related Activity (UDP)
A Network Trojan was detected | ET MALWARE Linux/Dinodas RAT CnC Checkin - UDP
A Network Trojan was detected | ET MALWARE Suspected DinodasRAT Related Activity (UDP)
A Network Trojan was detected | ET MALWARE Linux/Dinodas RAT CnC Checkin - UDP
A Network Trojan was detected | ET MALWARE Suspected DinodasRAT Related Activity (UDP)
A Network Trojan was detected | ET MALWARE Linux/Dinodas RAT CnC Checkin - UDP
A Network Trojan was detected | ET MALWARE Suspected DinodasRAT Related Activity (UDP)
A Network Trojan was detected | ET MALWARE Linux/Dinodas RAT CnC Checkin - UDP
A Network Trojan was detected | ET MALWARE Suspected DinodasRAT Related Activity (UDP)
No debug info