Malware analysis main_x86 Malicious activity | ANY.RUN

Add for printing

File name:	main_x86
Full analysis:	https://app.any.run/tasks/e578e12f-0cf7-4cc4-8126-ae0dee7c359c
Verdict:	Malicious activity
Analysis date:	May 18, 2025, 20:11:49
OS:	Ubuntu 22.04.2
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
MD5:	C20EEDE975EFF63B508743B20F94E8AD
SHA1:	5654B41864D3F7607545F01E76B366101EA4D31D
SHA256:	895CCC2CB6119979DD91990F23565CFC48623E852DC80E7BB994A8DCD7ED0D93
SSDEEP:	3072:dyxAuglmteAm1Teco5sJ7gzTwfICUoXhn3n9EjM:dyxAuglmteAm1Teco5+lf9DXhn3nujM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Starts itself from another location
  - main_x86.elf (PID: 41033)
- Executes commands using command-line interpreter
  - sudo (PID: 41031)
- Modifies file or directory owner
  - sudo (PID: 41027)
- Connects to SSH
  - main_x86.elf (deleted) (PID: 41035)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

143

Monitored processes

11

Malicious processes

1

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

41026

/bin/sh -c "sudo chown user /tmp/main_x86\.elf && chmod +x /tmp/main_x86\.elf && DISPLAY=:0 sudo -iu user /tmp/main_x86\.elf "

/usr/bin/dash

—

IntiFjKCklFyPMJr

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41027

sudo chown user /tmp/main_x86.elf

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41028

systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service

/usr/bin/systemctl

—

snapd

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libcap.so.2.44
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
/usr/lib/x86_64-linux-gnu/liblz4.so.1.9.3
/usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8
/usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1

41029

chown user /tmp/main_x86.elf

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41030

chmod +x /tmp/main_x86.elf

/usr/bin/chmod

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41031

sudo -iu user /tmp/main_x86.elf

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41032

systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service

/usr/bin/systemctl

—

snapd

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libcap.so.2.44
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
/usr/lib/x86_64-linux-gnu/liblz4.so.1.9.3
/usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8
/usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1

41033

/tmp/main_x86.elf

—

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

41034

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

main_x86.elf

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41035

httpd ain_x86.elf

/tmp/main_x86.elf (deleted)

main_x86.elf

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

21

DNS requests

64

Threats

15

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
488	NetworkManager	GET	204	185.125.190.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.18:80	—	Canonical Group Limited	GB	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.48:80	—	Canonical Group Limited	US	unknown
—	—	212.102.56.179:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
488	NetworkManager	185.125.190.49:80	—	Canonical Group Limited	GB	unknown
512	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41035	main_x86.elf (deleted)	115.11.111.11:22	—	Korea Telecom	KR	unknown

DNS requests

Domain	IP	Reputation
google.com	142.250.186.142 2a00:1450:4001:82a::200e	whitelisted
odrs.gnome.org	212.102.56.179 195.181.170.18 169.150.255.184 207.211.211.26 37.19.194.80 195.181.175.40 169.150.255.180 2a02:6ea0:c700::18 2a02:6ea0:c700::107 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::112 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.57 185.125.188.54 185.125.188.58 185.125.188.59 2620:2d:4000:1010::2e6 2620:2d:4000:1010::344 2620:2d:4000:1010::42 2620:2d:4000:1010::117	whitelisted
nig.ck.io.vn	—	unknown
10.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2620:2d:4000:1::2b 2620:2d:4000:1::22 2001:67c:1562::23 2620:2d:4002:1::198 2620:2d:4000:1::23 2620:2d:4000:1::97 2001:67c:1562::24 2620:2d:4000:1::98 2620:2d:4000:1::2a 2620:2d:4000:1::96 2620:2d:4002:1::196	whitelisted

Threats

PID	Process	Class	Message
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND
41035	main_x86.elf (deleted)	Attempted Information Leak	ET SCAN Potential SSH Scan OUTBOUND

Add for printing

No debug info

General Info

main_x86

C20EEDE975EFF63B508743B20F94E8AD

5654B41864D3F7607545F01E76B366101EA4D31D

895CCC2CB6119979DD91990F23565CFC48623E852DC80E7BB994A8DCD7ED0D93

3072:dyxAuglmteAm1Teco5sJ7gzTwfICUoXhn3n9EjM:dyxAuglmteAm1Teco5+lf9DXhn3nujM

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Starts itself from another location

Executes commands using command-line interpreter

Modifies file or directory owner

Connects to SSH

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings