File name:

parm7

Full analysis: https://app.any.run/tasks/c7cc22e5-3836-4030-b1d1-c8e9159e8567
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: January 01, 2026, 07:18:55
OS: Debian 12.2
Tags:
mirai
botnet
Indicators:
MIME: application/x-executable
File info: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
MD5:

3002D0F2E87B47B0697E3999B3AEAEF8

SHA1:

7BFAE995B177F76F32476470961D65F598480A82

SHA256:

6357AA2D20C74CA213543F0A71B46480814AF0D8F93DEC87DFF9F400477A57C0

SSDEEP:

3072:+/CN0tIGE8z/NBaOpuM/qguSuDYJKtEct/S0fHM:+qG/NBaO4M/qguSuDY0Ectq0fHM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • parm7.elf (deleted) (PID: 1292)
  • SUSPICIOUS

    • Reads passwd file

      • crontab (PID: 1296)
      • crontab (PID: 1295)
      • crontab (PID: 1309)
      • crontab (PID: 1308)
      • crontab (PID: 1307)
      • crontab (PID: 1310)
      • crontab (PID: 1320)
      • crontab (PID: 1312)
      • crontab (PID: 1313)
      • crontab (PID: 1328)
      • crontab (PID: 1329)
      • crontab (PID: 1356)
      • crontab (PID: 1321)
      • crontab (PID: 1324)
      • crontab (PID: 1325)
      • crontab (PID: 1361)
      • crontab (PID: 1362)
      • crontab (PID: 1366)
      • crontab (PID: 1355)
      • crontab (PID: 1365)
      • crontab (PID: 1373)
      • crontab (PID: 1374)
      • crontab (PID: 1378)
      • crontab (PID: 1377)
      • crontab (PID: 1399)
      • crontab (PID: 1369)
      • crontab (PID: 1370)
      • crontab (PID: 1405)
      • crontab (PID: 1398)
      • crontab (PID: 1404)
      • crontab (PID: 1413)
      • crontab (PID: 1418)
      • crontab (PID: 1414)
      • crontab (PID: 1417)
      • crontab (PID: 1422)
      • crontab (PID: 1421)
      • crontab (PID: 1425)
      • crontab (PID: 1426)
      • crontab (PID: 1433)
      • crontab (PID: 1438)
      • crontab (PID: 1437)
      • crontab (PID: 1430)
      • crontab (PID: 1429)
      • crontab (PID: 1434)
      • crontab (PID: 1445)
      • crontab (PID: 1446)
      • crontab (PID: 1450)
      • crontab (PID: 1449)
      • crontab (PID: 1441)
      • crontab (PID: 1442)
    • Modifies file or directory owner

      • sudo (PID: 1279)
    • Starts itself from another location

      • parm7.elf (PID: 1288)
    • Modifies Cron jobs

      • parm7.elf (deleted) (PID: 1293)
      • parm7.elf (deleted) (PID: 1300)
      • parm7.elf (deleted) (PID: 1302)
      • parm7.elf (deleted) (PID: 1304)
      • parm7.elf (deleted) (PID: 1317)
      • parm7.elf (deleted) (PID: 1322)
      • parm7.elf (deleted) (PID: 1326)
      • parm7.elf (deleted) (PID: 1359)
      • parm7.elf (deleted) (PID: 1353)
      • parm7.elf (deleted) (PID: 1363)
      • parm7.elf (deleted) (PID: 1371)
      • parm7.elf (deleted) (PID: 1375)
      • parm7.elf (deleted) (PID: 1367)
      • parm7.elf (deleted) (PID: 1396)
      • parm7.elf (deleted) (PID: 1402)
      • parm7.elf (deleted) (PID: 1411)
      • parm7.elf (deleted) (PID: 1415)
      • parm7.elf (deleted) (PID: 1419)
      • parm7.elf (deleted) (PID: 1431)
      • parm7.elf (deleted) (PID: 1435)
      • parm7.elf (deleted) (PID: 1439)
      • parm7.elf (deleted) (PID: 1423)
      • parm7.elf (deleted) (PID: 1427)
      • parm7.elf (deleted) (PID: 1443)
      • parm7.elf (deleted) (PID: 1447)
    • Contacting a server suspected of hosting a CnC

      • parm7.elf (deleted) (PID: 1292)
    • Connects to unusual port

      • parm7.elf (deleted) (PID: 1292)
  • INFO

    • Checks timezone

      • crontab (PID: 1296)
      • crontab (PID: 1295)
      • crontab (PID: 1307)
      • crontab (PID: 1308)
      • crontab (PID: 1309)
      • crontab (PID: 1321)
      • crontab (PID: 1313)
      • crontab (PID: 1310)
      • crontab (PID: 1312)
      • crontab (PID: 1324)
      • crontab (PID: 1329)
      • crontab (PID: 1356)
      • crontab (PID: 1320)
      • crontab (PID: 1325)
      • crontab (PID: 1328)
      • crontab (PID: 1362)
      • crontab (PID: 1366)
      • crontab (PID: 1361)
      • crontab (PID: 1365)
      • crontab (PID: 1355)
      • crontab (PID: 1373)
      • crontab (PID: 1374)
      • crontab (PID: 1377)
      • crontab (PID: 1378)
      • crontab (PID: 1369)
      • crontab (PID: 1370)
      • crontab (PID: 1398)
      • crontab (PID: 1404)
      • crontab (PID: 1405)
      • crontab (PID: 1399)
      • crontab (PID: 1413)
      • crontab (PID: 1417)
      • crontab (PID: 1414)
      • crontab (PID: 1418)
      • crontab (PID: 1421)
      • crontab (PID: 1422)
      • crontab (PID: 1426)
      • crontab (PID: 1429)
      • crontab (PID: 1434)
      • crontab (PID: 1433)
      • crontab (PID: 1438)
      • crontab (PID: 1437)
      • crontab (PID: 1425)
      • crontab (PID: 1430)
      • crontab (PID: 1445)
      • crontab (PID: 1441)
      • crontab (PID: 1446)
      • crontab (PID: 1449)
      • crontab (PID: 1442)
      • crontab (PID: 1450)
    • Creates file in the temporary folder

      • dash (PID: 1316)
      • dash (PID: 1318)
      • dash (PID: 1350)
      • dash (PID: 1352)
      • dash (PID: 1357)
      • dash (PID: 1358)
      • dash (PID: 1351)
      • dash (PID: 1394)
      • dash (PID: 1392)
      • dash (PID: 1393)
      • dash (PID: 1395)
      • dash (PID: 1400)
      • dash (PID: 1401)
      • dash (PID: 1407)
      • dash (PID: 1406)
      • dash (PID: 1410)
      • dash (PID: 1408)
      • dash (PID: 1409)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 32 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: Arm (up to Armv7/AArch32)
screenshot
All screenshots are available in the full report
Total processes: 253
Monitored processes: 136
Malicious processes: 5
Suspicious processes: 25


Process information

PID   CMD / Path / Parent process / User / Exit code / Modules

1278  CMD: /bin/sh -c "sudo chown user /tmp/parm7\.elf && chmod +x /tmp/parm7\.elf && DISPLAY=:0 sudo -iu user /tmp/parm7\.elf "
      Path: /usr/bin/dash
      Parent process: eOLRkkNCsAxcqyAk
      User: root   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libc.so.6

1279  CMD: sudo chown user /tmp/parm7.elf
      Path: /usr/bin/sudo
      Parent process: dash
      User: root   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libaudit.so.1.0.0, /usr/lib/aarch64-linux-gnu/libselinux.so.1, /usr/libexec/sudo/libsudo_util.so.0.0.0, /usr/lib/aarch64-linux-gnu/libc.so.6, /usr/lib/aarch64-linux-gnu/libcap-ng.so.0.0.0, /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2, /usr/lib/aarch64-linux-gnu/libnss_systemd.so.2, /usr/lib/aarch64-linux-gnu/libcap.so.2.66, /usr/lib/aarch64-linux-gnu/libm.so.6, /usr/libexec/sudo/sudoers.so

1283  CMD: chown user /tmp/parm7.elf
      Path: /usr/bin/chown
      Parent process: sudo
      User: root   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libc.so.6

1284  CMD: chmod +x /tmp/parm7.elf
      Path: /usr/bin/chmod
      Parent process: dash
      User: root   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libc.so.6

1285  CMD: sudo -iu user /tmp/parm7.elf
      Path: /usr/bin/sudo
      Parent process: dash
      User: root   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libaudit.so.1.0.0, /usr/lib/aarch64-linux-gnu/libselinux.so.1, /usr/libexec/sudo/libsudo_util.so.0.0.0, /usr/lib/aarch64-linux-gnu/libc.so.6, /usr/lib/aarch64-linux-gnu/libcap-ng.so.0.0.0, /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2, /usr/lib/aarch64-linux-gnu/security/pam_limits.so, /usr/lib/aarch64-linux-gnu/security/pam_unix.so, /usr/lib/aarch64-linux-gnu/libcrypt.so.1.1.0, /usr/lib/aarch64-linux-gnu/security/pam_deny.so

1288  CMD: /tmp/parm7.elf
      Path: /tmp/parm7.elf
      Parent process: sudo
      User: user   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libtinfo.so.6.4, /usr/lib/aarch64-linux-gnu/libc.so.6

1289  CMD: id -u
      Path: /usr/bin/id
      Parent process: parm7.elf
      User: user   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libselinux.so.1, /usr/lib/aarch64-linux-gnu/libc.so.6, /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2

1292  CMD: 3uo480o4w2o4eg6
      Path: /tmp/parm7.elf (deleted)
      Parent process: parm7.elf
      User: user   Integrity Level: UNKNOWN   Exit code: 0

1293  CMD: 3uo480o4w2o4eg6
      Path: /tmp/parm7.elf (deleted)
      Parent process: parm7.elf (deleted)
      User: user   Integrity Level: UNKNOWN   Exit code: 0
      Modules: /usr/lib/aarch64-linux-gnu/libc.so.6

1294  CMD: /bin/sh -c "(crontab -l 2>/dev/null; echo \"* * * * * /tmp/parm7\.elf (deleted)\") | crontab -"
      Path: /usr/bin/dash
      Parent process: parm7.elf (deleted)
      User: user   Integrity Level: UNKNOWN   Exit code: 0

Note on PIDs 1288 to 1294: the sample is launched as /tmp/parm7.elf (PID 1288), runs `id -u`, and from PID 1292 onward appears under the random-looking command name 3uo480o4w2o4eg6 with a Path of "/tmp/parm7.elf (deleted)", meaning the binary unlinked itself after it had started executing. The crontab entry it then installs (PID 1294, repeated by the later "Modifies Cron jobs" processes) embeds that same path, literal "(deleted)" suffix included, which is the value /proc/self/exe reports after such an unlink. The every-minute persistence entry therefore points at a file that no longer exists on disk; the "Reads passwd file" and "Checks timezone" signatures on the crontab PIDs are side effects of crontab(1) resolving the invoking user and local time, not separate malicious actions.
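The process list shows three host-side artefacts worth hunting for on a suspected device: a per-user crontab line that executes something from /tmp (here a path that is already "(deleted)"), a process whose /proc/PID/exe link ends in " (deleted)", and an established TCP session from such a process to a high, non-standard port (158.94.208.27:18129 in the Connections table). The script below is an added example, not ANY.RUN's code, that checks for all three and ties sockets to processes through their inode numbers, the same way ss -p does. The crontab, exe-link, fd-link and /proc/net/tcp inputs at the bottom are constructed to mirror this report's values rather than captured from the sandbox; NORMAL_PORTS is an assumed allow-list, and the /proc/net/tcp address decoding assumes a little-endian host.

```python
#!/usr/bin/env python3
"""Hunt a Linux host for the artefacts this report shows: a per-user crontab entry that points at a
scratch-directory binary (here one that is already deleted), processes whose /proc/<pid>/exe link ends
in ' (deleted)', and established TCP sessions owned by such processes or going to non-standard ports."""
import os
import re
import socket
import struct
from typing import Dict, Iterable, List, Set, Tuple

NORMAL_PORTS = {22, 53, 80, 123, 443}     # assumption: ports an ordinary Debian host is expected to use
CRON_SPOOL = "/var/spool/cron/crontabs"   # Debian per-user crontab spool, the path seen in the report
CRON_SUSPECT = re.compile(r"/tmp/|/var/tmp/|/dev/shm/|\(deleted\)")
SOCKET_RE = re.compile(r"socket:\[(\d+)\]")


def suspicious_cron_lines(crontab_text: str) -> List[str]:
    """Non-comment crontab lines that run something from a scratch dir or from an unlinked path."""
    lines = (l.strip() for l in crontab_text.splitlines())
    return [l for l in lines if l and not l.startswith("#") and CRON_SUSPECT.search(l)]


def deleted_exe_pids(exe_links: Dict[int, str]) -> List[int]:
    """PIDs whose readlink(/proc/<pid>/exe) ends in ' (deleted)': the running binary was unlinked."""
    return sorted(pid for pid, target in exe_links.items() if target.endswith(" (deleted)"))


def socket_inodes(fd_links: Iterable[str]) -> Set[int]:
    """Socket inode numbers from readlink(/proc/<pid>/fd/*) values such as 'socket:[12345]'."""
    return {int(m.group(1)) for m in map(SOCKET_RE.match, fd_links) if m}


def decode_addr(addr: str) -> Tuple[str, int]:
    """/proc/net/tcp prints IPv4 as hex of a native-endian 32-bit word (little-endian assumed here)
    and the port as big-endian hex, e.g. '1BD05E9E:46D1' -> ('158.94.208.27', 18129)."""
    ip_hex, port_hex = addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def established_remote(proc_net_tcp: str) -> List[Tuple[str, int, int]]:
    """(remote_ip, remote_port, inode) for every ESTABLISHED (st == 01) row of /proc/net/tcp."""
    rows = []
    for line in proc_net_tcp.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":") or f[3] != "01":   # skip header / non-established
            continue
        ip, port = decode_addr(f[2])
        rows.append((ip, port, int(f[9])))
    return rows


def hunt(crontabs: Dict[str, str], exe_links: Dict[int, str],
         fd_links: Dict[int, List[str]], proc_net_tcp: str) -> dict:
    """Correlate the three data sources; sockets are tied to PIDs through their inode numbers."""
    findings = {"cron": {}, "deleted_exe": deleted_exe_pids(exe_links), "connections": []}
    for user, text in crontabs.items():
        hits = suspicious_cron_lines(text)
        if hits:
            findings["cron"][user] = hits
    inode_to_pid = {ino: pid for pid, links in fd_links.items() for ino in socket_inodes(links)}
    for ip, port, inode in established_remote(proc_net_tcp):
        pid = inode_to_pid.get(inode)
        if port not in NORMAL_PORTS or pid in findings["deleted_exe"]:
            findings["connections"].append((pid, ip, port))
    return findings


def live_scan() -> dict:
    """Gather the same inputs from the running host (root is needed for the spool and other users' fds)."""
    crontabs, exe_links, fd_links = {}, {}, {}
    if os.path.isdir(CRON_SPOOL):
        for user in os.listdir(CRON_SPOOL):
            try:
                with open(os.path.join(CRON_SPOOL, user)) as fh:
                    crontabs[user] = fh.read()
            except OSError:
                pass
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid = int(name)
        try:
            exe_links[pid] = os.readlink(f"/proc/{pid}/exe")
            fd_links[pid] = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:            # process exited, kernel thread, or not ours to inspect
            continue
    with open("/proc/net/tcp") as fh:
        return hunt(crontabs, exe_links, fd_links, fh.read())


# Constructed sample inputs modelled on the report's values; not captured from the sandbox.
SAMPLE_CRONTABS = {
    "user": "# m h dom mon dow command\n0 3 * * * /usr/bin/certbot renew\n* * * * * /tmp/parm7.elf (deleted)\n",
    "root": "17 * * * * cd / && run-parts --report /etc/cron.hourly\n",
}
SAMPLE_EXE = {1: "/usr/lib/systemd/systemd", 1292: "/tmp/parm7.elf (deleted)", 2000: "/usr/bin/curl"}
SAMPLE_FD = {1292: ["/dev/null", "socket:[12345]"], 2000: ["socket:[11111]"]}
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0500000A:9C40 1BD05E9E:46D1 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0 20 4 30 10 -1\n"  # 158.94.208.27:18129
    "   1: 0500000A:A1B2 CEB9FA8E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0 20 4 30 10 -1\n"  # 142.250.185.206:443
    "   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0 100 0 0 10 0\n"   # LISTEN, ignored
)

if __name__ == "__main__":
    print(hunt(SAMPLE_CRONTABS, SAMPLE_EXE, SAMPLE_FD, SAMPLE_TCP))
```

On the constructed input the sample's crontab line, PID 1292's unlinked binary and its session to port 18129 are reported, while curl's session to 443 is not. `live_scan()` runs the same logic against the real /proc and spool; a genuinely deleted executable can still be recovered for hashing from /proc/PID/exe while the process is alive, which is worth doing before killing it, since the on-disk copy is already gone.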
Executable files: 0
Suspicious files: 0
Text files: 28
Unknown types: 0

Dropped files

PID   Process  Filename                              Type
1295  crontab  /var/spool/cron/crontabs/user         text
1307  crontab  /var/spool/cron/crontabs/tmp.839AKr   text
1309  crontab  /var/spool/cron/crontabs/tmp.dR5n7P   text
1312  crontab  /var/spool/cron/crontabs/user         text
1320  crontab  /var/spool/cron/crontabs/user         text
1324  crontab  /var/spool/cron/crontabs/tmp.yFd3BX   text
1328  crontab  /var/spool/cron/crontabs/tmp.Y9kvYh   text
1355  crontab  /var/spool/cron/crontabs/user         text
1361  crontab  /var/spool/cron/crontabs/user         text
1365  crontab  /var/spool/cron/crontabs/user         text

(The MD5 and SHA256 fields are empty in the report for all ten entries.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 4
Threats: 16

HTTP requests

No HTTP requests

Connections

PID   Process              IP:port               Domain                  ASN                                                              CN   Reputation
459   avahi-daemon         224.0.0.251:5353      -                       -                                                                -    whitelisted
-     -                    129.70.132.36:123     2.debian.pool.ntp.org   DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.  DE   whitelisted
1292  parm7.elf (deleted)  158.94.208.27:18129   -                       RAILNET                                                          US   malicious
438   systemd-timesyncd    129.70.132.36:123     2.debian.pool.ntp.org   DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.  DE   whitelisted
1379  parm7.elf (deleted)  216.202.200.164:53    -                       LEVEL3                                                           US   unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
  • 2a00:1450:4001:811::200e
whitelisted
2.debian.pool.ntp.org
  • 129.70.132.36
  • 78.46.87.46
  • 93.241.86.156
  • 85.215.189.120
  • 2a02:8108:4d82:e400:5054:ff:fe45:e603
  • 2001:a60:902f::bcae:fdbc
  • 2a01:239:0:be::1
  • 2001:7c0:3100:1::110
whitelisted

Threats

PID   Process              Class                                          Message                                                                       Count
1292  parm7.elf (deleted)  Misc activity                                  INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)   1
1292  parm7.elf (deleted)  Malware Command and Control Activity Detected  BOTNET [ANY.RUN] Linux/Mirai.B Client Hello                                   2
1292  parm7.elf (deleted)  Malware Command and Control Activity Detected  BOTNET [ANY.RUN] Linux/Mirai.Gen heartbeat packet outbound                    2
1292  parm7.elf (deleted)  Malware Command and Control Activity Detected  BOTNET [ANY.RUN] Linux/Mirai.B Server Command inbound                         5
No debug info