| File name: | arm7.uhavenobotsxd |
| Full analysis: | https://app.any.run/tasks/7bcc58cb-11ea-4507-9e30-5af4b6a8dad5 |
| Verdict: | Malicious activity |
| Threats: | A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. |
| Analysis date: | November 06, 2025, 05:54:28 |
| OS: | Debian 12.2 |
| Tags: | |
| Indicators: | |
| MIME: | application/x-executable |
| File info: | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped |
| MD5: | C90067AFBA502E812999FBB5B018ACDF |
| SHA1: | AA2BBBFF17BF27E2400335CA519E4EDE1B83CA97 |
| SHA256: | 683B7FCB91A3D1482B707933F25D7902E318401958E04880D24803BEA2EAA524 |
| SSDEEP: | 3072:+65qStHKpKw51H3qWXw1N6tZe1AM/1hCV/:RHHo61N2Ze2M/Tk |
MALICIOUS
GAYFEMBOY has been detected
- arm7.uhavenobotsxd.elf (PID: 1318)
MIRAI has been detected (SURICATA)
- arm7.uhavenobotsxd.elf (PID: 1318)
SUSPICIOUS
Modifies file or directory owner
- sudo (PID: 1309)
Reads /proc/mounts (likely used to find writable filesystems)
- arm7.uhavenobotsxd.elf (PID: 1314)
- dbus-daemon (PID: 1572)
- dbus-daemon (PID: 1584)
- dbus-daemon (PID: 1688)
- gnome-shell (PID: 1612)
- gjs-console (PID: 1742)
- gjs-console (PID: 1713)
- gjs-console (PID: 1928)
Reads passwd file
- ps (PID: 1328)
- ps (PID: 1361)
- ps (PID: 1355)
- ps (PID: 1367)
- ps (PID: 1431)
- ps (PID: 1425)
- ps (PID: 1437)
- ps (PID: 1380)
- gsd-print-notifications (PID: 1390)
- ps (PID: 1402)
- ps (PID: 1419)
- ps (PID: 1529)
- wireplumber (PID: 1568)
- pipewire (PID: 1569)
- dbus-daemon (PID: 1572)
- ps (PID: 1617)
- dbus-daemon (PID: 1584)
- ps (PID: 1633)
- gdm-session-worker (PID: 1533)
- ps (PID: 1543)
- pipewire (PID: 1566)
- gnome-shell (PID: 1612)
- ibus-daemon (PID: 1757)
- gsd-print-notifications (PID: 1768)
- gsd-smartcard (PID: 1773)
- gsd-media-keys (PID: 1777)
- gvfs-udisks2-volume-monitor (PID: 1629)
- dbus-daemon (PID: 1688)
- ibus-daemon (PID: 1949)
- ps (PID: 2008)
- ps (PID: 2020)
- ps (PID: 2014)
- ps (PID: 2029)
- gsd-power (PID: 1796)
- realmd (PID: 1924)
- ps (PID: 1981)
- ps (PID: 2068)
- ps (PID: 2074)
- ps (PID: 2143)
- ps (PID: 2119)
- ps (PID: 2125)
- ps (PID: 2149)
- ps (PID: 2041)
- ps (PID: 2056)
- ps (PID: 2062)
- ps (PID: 2159)
- ps (PID: 2186)
- ps (PID: 2192)
- ps (PID: 2198)
- ps (PID: 2219)
- ps (PID: 2207)
- ps (PID: 2234)
- ps (PID: 2240)
- ps (PID: 2327)
- ps (PID: 2333)
- ps (PID: 2246)
- ps (PID: 2252)
- ps (PID: 2297)
- ps (PID: 2303)
- ps (PID: 2321)
- ps (PID: 2381)
- ps (PID: 2393)
- ps (PID: 2408)
- ps (PID: 2414)
- ps (PID: 2360)
- ps (PID: 2366)
- ps (PID: 2372)
- ps (PID: 2420)
- ps (PID: 2501)
- ps (PID: 2495)
- ps (PID: 2509)
- ps (PID: 2536)
- ps (PID: 2542)
- ps (PID: 2426)
- ps (PID: 2471)
- ps (PID: 2477)
- ps (PID: 2569)
- ps (PID: 2584)
- ps (PID: 2602)
- ps (PID: 2590)
- ps (PID: 2596)
- ps (PID: 2647)
- ps (PID: 2653)
- ps (PID: 2671)
- ps (PID: 2548)
- ps (PID: 2557)
- ps (PID: 2683)
- ps (PID: 2677)
- ps (PID: 2710)
- ps (PID: 2722)
- ps (PID: 2731)
- ps (PID: 2716)
Connects to unusual port
- arm7.uhavenobotsxd.elf (PID: 1318)
Checks DMI information (probably VM detection)
- pipewire (PID: 1566)
- pipewire (PID: 1569)
- gnome-shell (PID: 1612)
Contacting a server suspected of hosting an CnC
- arm7.uhavenobotsxd.elf (PID: 1318)
INFO
Creates file in the temporary folder
- arm7.uhavenobotsxd.elf (PID: 1318)
- gnome-shell (PID: 1612)
Checks timezone
- ps (PID: 1355)
- ps (PID: 1328)
- ps (PID: 1361)
- ps (PID: 1367)
- ps (PID: 1425)
- ps (PID: 1431)
- ps (PID: 1437)
- ps (PID: 1529)
- ps (PID: 1380)
- gsd-print-notifications (PID: 1390)
- ps (PID: 1402)
- ps (PID: 1419)
- ps (PID: 1617)
- dbus-daemon (PID: 1572)
- tracker-miner-fs-3 (PID: 1620)
- gdm-session-worker (PID: 1533)
- ps (PID: 1543)
- gnome-shell (PID: 1612)
- gsd-print-notifications (PID: 1768)
- ibus-extension-gtk3 (PID: 1819)
- ps (PID: 1633)
- ibus-extension-gtk3 (PID: 1956)
- ps (PID: 1981)
- ps (PID: 2014)
- ps (PID: 2020)
- ps (PID: 2029)
- ps (PID: 2008)
- ps (PID: 2068)
- ps (PID: 2074)
- ps (PID: 2143)
- ps (PID: 2125)
- ps (PID: 2041)
- ps (PID: 2056)
- ps (PID: 2062)
- ps (PID: 2119)
- ps (PID: 2186)
- ps (PID: 2149)
- ps (PID: 2159)
- ps (PID: 2192)
- ps (PID: 2198)
- ps (PID: 2219)
- ps (PID: 2207)
- ps (PID: 2234)
- ps (PID: 2240)
- ps (PID: 2321)
- ps (PID: 2327)
- ps (PID: 2246)
- ps (PID: 2252)
- ps (PID: 2297)
- ps (PID: 2303)
- ps (PID: 2372)
- ps (PID: 2381)
- ps (PID: 2393)
- ps (PID: 2414)
- ps (PID: 2333)
- ps (PID: 2360)
- ps (PID: 2366)
- ps (PID: 2408)
- ps (PID: 2471)
- ps (PID: 2477)
- ps (PID: 2495)
- ps (PID: 2501)
- ps (PID: 2536)
- ps (PID: 2542)
- ps (PID: 2420)
- ps (PID: 2426)
- ps (PID: 2509)
- ps (PID: 2557)
- ps (PID: 2584)
- ps (PID: 2590)
- ps (PID: 2596)
- ps (PID: 2602)
- ps (PID: 2647)
- ps (PID: 2653)
- ps (PID: 2548)
- ps (PID: 2569)
- ps (PID: 2677)
- ps (PID: 2683)
- ps (PID: 2671)
- ps (PID: 2716)
- ps (PID: 2731)
- ps (PID: 2722)
- ps (PID: 2710)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .o | | | ELF Executable and Linkable format (generic) (100) |
|---|
EXIF
EXE
| CPUArchitecture: | 32 bit |
|---|---|
| CPUByteOrder: | Little endian |
| ObjectFileType: | Executable file |
| CPUType: | Arm (up to Armv7/AArch32) |
Total processes
1 176
Monitored processes
1 073
Malicious processes
2
Suspicious processes
7
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1308 | /bin/sh -c "sudo chown user /tmp/arm7\.uhavenobotsxd\.elf && chmod +x /tmp/arm7\.uhavenobotsxd\.elf && DISPLAY=:0 sudo -iu user /tmp/arm7\.uhavenobotsxd\.elf " | /usr/bin/dash | — | O4np7NL7eDTfcokD | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1309 | sudo chown user /tmp/arm7.uhavenobotsxd.elf | /usr/bin/sudo | — | dash | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1310 | chown user /tmp/arm7.uhavenobotsxd.elf | /usr/bin/chown | — | sudo | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1311 | chmod +x /tmp/arm7.uhavenobotsxd.elf | /usr/bin/chmod | — | dash | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1312 | sudo -iu user /tmp/arm7.uhavenobotsxd.elf | /usr/bin/sudo | — | dash | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1314 | /tmp/arm7.uhavenobotsxd.elf | /tmp/arm7.uhavenobotsxd.elf | — | sudo | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1316 | id -u | /usr/bin/id | — | arm7.uhavenobotsxd.elf | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 1318 | tmp/arm7.uhavenobotsxd.elf | /tmp/arm7.uhavenobotsxd.elf | arm7.uhavenobotsxd.elf | ||||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 | |||||||||||||||
| 1324 | tmp/arm7.uhavenobotsxd.elf | /tmp/arm7.uhavenobotsxd.elf | — | arm7.uhavenobotsxd.elf | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 | |||||||||||||||
| 1325 | tmp/arm7.uhavenobotsxd.elf | /tmp/arm7.uhavenobotsxd.elf | — | arm7.uhavenobotsxd.elf | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 | |||||||||||||||
Executable files
0
Suspicious files
15
Text files
12
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1612 | gnome-shell | /var/lib/gdm3/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc | binary | |
MD5:— | SHA256:— | |||
| 1318 | arm7.uhavenobotsxd.elf | /tmp/.taunt | text | |
MD5:— | SHA256:— | |||
| 1318 | arm7.uhavenobotsxd.elf | /tmp/.mock | text | |
MD5:— | SHA256:— | |||
| 1318 | arm7.uhavenobotsxd.elf | /tmp/.broken_shell | text | |
MD5:— | SHA256:— | |||
| 1568 | wireplumber | /var/lib/gdm3/.local/state/wireplumber/restore-stream.CZS6E3 | text | |
MD5:— | SHA256:— | |||
| 1612 | gnome-shell | /tmp/.X1024-lock | text | |
MD5:— | SHA256:— | |||
| 1612 | gnome-shell | /tmp/.X1025-lock | text | |
MD5:— | SHA256:— | |||
| 1620 | tracker-miner-fs-3 | /var/lib/gdm3/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Pictures.db-wal | binary | |
MD5:— | SHA256:— | |||
| 1620 | tracker-miner-fs-3 | /var/lib/gdm3/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Audio.db-wal | binary | |
MD5:— | SHA256:— | |||
| 1620 | tracker-miner-fs-3 | /var/lib/gdm3/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Video.db-wal | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
16
DNS requests
2
Threats
3
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
467 | avahi-daemon | 224.0.0.251:5353 | — | — | — | whitelisted |
1318 | arm7.uhavenobotsxd.elf | 94.154.35.153:6969 | — | WINDSTREAM | US | malicious |
450 | systemd-timesyncd | 194.59.205.229:123 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1318 | arm7.uhavenobotsxd.elf | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 16 |
1318 | arm7.uhavenobotsxd.elf | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Possible Mirai.Gen (Linux) |
1318 | arm7.uhavenobotsxd.elf | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Possible Mirai.Gen (Linux) |