| File name: | 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf |
| Full analysis: | https://app.any.run/tasks/2863fc77-6123-4857-a970-9aa497695cd0 |
| Verdict: | Malicious activity |
| Analysis date: | August 04, 2024, 19:56:10 |
| OS: | Ubuntu 22.04.2 |
| Tags: | |
| MIME: | application/x-executable |
| File info: | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped |
| MD5: | 49BE73BFECCD4829CF4E94058A45C5EE |
| SHA1: | 0B33CD2FE536FA65A4D1328ADD21816784B019F0 |
| SHA256: | 7E21CE7E069ED261CD985271BC49D9B606996B6781B11BDD8DFB429B5E028C9D |
| SSDEEP: | 3072:NNdRMGvWGYaUcCf+ox19nKlqab3A1qL5kt:NNdRMGvWGYXcCf+ox19nKlqaTKqLm |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads network configuration
- 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o (PID: 12934)
Executes commands using command-line interpreter
- bash (PID: 12929)
- update-notifier (PID: 12956)
Modifies file or directory owner
- sudo (PID: 12923)
Gets active TCP connections
- 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o (PID: 12934)
Intercepts program crashes
- apport (PID: 12939)
Reads /proc/mounts (likely used to find writable filesystems)
- check-new-release-gtk (PID: 12958)
Potential Corporate Privacy Violation
- 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o (PID: 12936)
Connects to unusual port
- 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o (PID: 12936)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .o | | | ELF Executable and Linkable format (generic) (49.8) |
|---|
EXIF
EXE
| CPUArchitecture: | 32 bit |
|---|---|
| CPUByteOrder: | Little endian |
| ObjectFileType: | Executable file |
| CPUType: | i386 |
Total processes
245
Monitored processes
32
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 12921 | /bin/sh -e /etc/NetworkManager/dispatcher.d/01-ifupdown connectivity-change | /etc/NetworkManager/dispatcher.d/01-ifupdown | — | nm-dispatcher |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12922 | /bin/sh -c "sudo chown user /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d\.elf\.o && chmod +x /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d\.elf\.o && DISPLAY=:0 sudo -i /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d\.elf\.o " | /bin/sh | — | any-guest-agent |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12923 | sudo chown user /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | /usr/bin/sudo | — | sh |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12924 | chown user /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | /usr/bin/chown | — | sudo |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12925 | chmod +x /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | /usr/bin/chmod | — | sh |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12926 | sudo -i /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | /usr/bin/sudo | — | sh |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12927 | /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | /home/user/Desktop/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | — | sudo |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12928 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12929 | -bash --login -c \/home\/user\/Desktop\/7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d\.elf\.o | /usr/bin/bash | — | 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 12930 | sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null" | /usr/bin/sh | — | bash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 12939 | apport | /var/log/apport.log | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029334 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029335 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029359 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029364 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029378 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029379 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029381 (deleted) | text | |
MD5:— | SHA256:— | |||
| 12958 | check-new-release-gtk | /tmp/#6029987 (deleted) | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
22 369
DNS requests
19
Threats
138
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 204 | 185.125.190.97:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 204 | 91.189.91.48:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | — | 185.125.190.49:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 200 | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | text | 1.58 Mb | — |
— | — | GET | 200 | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | text | 1.58 Mb | — |
— | — | POST | 200 | 185.125.188.58:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | binary | 43.2 Kb | — |
— | — | GET | 200 | 156.146.33.14:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.58 Mb | — |
— | — | GET | 200 | 195.181.170.18:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.58 Mb | — |
— | — | GET | 200 | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | text | 1.58 Mb | — |
— | — | GET | 200 | 138.199.37.35:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.58 Mb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 185.125.190.49:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | unknown |
470 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
— | — | 91.189.91.48:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | unknown |
— | — | 185.125.190.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | unknown |
— | — | 138.199.37.35:443 | odrs.gnome.org | Datacamp Limited | DE | unknown |
12934 | 7e21ce7e069ed261cd985271bc49d9b606996b6781b11bdd8dfb429b5e028c9d.elf.o | 65.222.202.53:80 | — | UUNET | US | unknown |
— | — | 68.105.125.132:2323 | — | ASN-CXA-ALL-CCI-22773-RDC | US | unknown |
— | — | 65.159.80.24:23 | — | CENTURYLINK-US-LEGACY-QWEST | US | unknown |
— | — | 61.222.250.135:23 | — | Data Communication Business Group | TW | unknown |
— | — | 117.95.92.235:23 | — | Chinanet | CN | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
connectivity-check.ubuntu.com |
| whitelisted |
odrs.gnome.org |
| whitelisted |
google.com |
| whitelisted |
api.snapcraft.io |
| whitelisted |
52.100.168.192.in-addr.arpa |
| unknown |
changelogs.ubuntu.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to SSH scan external network |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 38 |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 38 |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 4 |
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to SSH scan external network |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 22 |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 29 |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 22 |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 3 |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 29 |