File name:

update

Full analysis: https://app.any.run/tasks/5c8c17b7-3db5-4e34-a080-a2acb3ec723c
Verdict: Malicious activity
Analysis date: May 12, 2024, 12:06:25
OS: Ubuntu 22.04.2
MIME: application/x-pie-executable
File info: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6ad54a84d534384669012fd611094afe33875556, for GNU/Linux 3.2.0, not stripped
MD5:

598853075B41491C7EFD1FD296828489

SHA1:

5566D91988752DBB69BAB6DB9FFB7F5D1B8E7865

SHA256:

6D6905675537F40AF525148FA5E7C10313E4E5CE0418A678DA95B36CC2A89B73

SSDEEP:

192:R6n08tzNFuEv7S9CsOHkJ6pnqN78fKsBJicPUVg5RX7FYbCDKviGm:SzNFjS1J6SYfJi/m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • bash (PID: 9270)

    • Modifies file or directory owner

      • sudo (PID: 9264)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Shared object file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
238
Monitored processes
19
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chown no specs chmod no specs sudo no specs update.o no specs locale-check no specs bash no specs sh no specs tr no specs cat no specs mesg no specs dbus-daemon no specs deja-dup no specs polkit-agent-helper-1 no specs polkit-agent-helper-1 no specs polkit-agent-helper-1 no specs polkit-agent-helper-1 no specs polkit-agent-helper-1 no specs

Process information

PID
CMD
Path
Indicators
Parent process
9263/bin/sh -c "sudo chown user /home/user/update\.o && chmod +x /home/user/update\.o && DISPLAY=:0 sudo -i /home/user/update\.o "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
9306
9264sudo chown user /home/user/update.o/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9265chown user /home/user/update.o/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9266chmod +x /home/user/update.o/usr/bin/chmodsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9267sudo -i /home/user/update.o/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
9306
9268/home/user/update.o/home/user/update.osudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
9306
9269/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkupdate.o
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9270-bash --login -c \/home\/user\/update\.o/usr/bin/bashupdate.o
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9271sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"/usr/bin/shbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9272tr \n " "/usr/bin/trbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
9306deja-dup/dconf/user
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.48:80
http://connectivity-check.ubuntu.com/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
91.189.91.48:80
Canonical Group Limited
US
unknown
224.0.0.251:5353
unknown
3.231.112.124:443
rb.gy
AMAZON-AES
US
unknown
162.125.66.18:443
www.dropbox.com
DROPBOX
DE
unknown
162.125.66.15:443
uce087c5dd01950b4783039905f0.dl.dropboxusercontent.com
DROPBOX
DE
unknown

DNS requests

Domain
IP
Reputation
rb.gy
  • 3.231.112.124
  • 52.44.59.92
  • 52.5.33.162
whitelisted
www.dropbox.com
  • 162.125.66.18
  • 2620:100:6022:18::a27d:4212
shared
uce087c5dd01950b4783039905f0.dl.dropboxusercontent.com
  • 162.125.66.15
  • 2620:100:6022:15::a27d:420f
unknown
170.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2001:67c:1562::23
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2b
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO Observed URL Shortening Service SSL/TLS Cert (rb.gy)
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
update