Malware analysis neon.i686 Malicious activity | ANY.RUN

Add for printing

File name:	neon.i686
Full analysis:	https://app.any.run/tasks/1c90f00a-17f7-4c89-ad8a-f95bef6fe5b8
Verdict:	Malicious activity
Analysis date:	May 10, 2025, 05:55:30
OS:	Ubuntu 22.04.2
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
MD5:	19C999F21644416595799993BC69450B
SHA1:	AA5D3366F9B18E923FEB0E1D50F068A5E122DF0E
SHA256:	952195D3E97C81DC47090E7E136CBD10E40608074336B3EF52CB0830DA2FDFDD
SSDEEP:	3072:tliXgTB8owwLCfUz6m8h5HuhYdNkrtxt4l9TnCHuwmDrYBXn+zDkzMK1G2:tliXgTB8owwLCfUz6mu5HuhYdNkrtxtl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - neon.i686.elf (PID: 40669)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 40660)
- Reads profile file
  - neon.i686.elf (PID: 40664)
- Executes commands using command-line interpreter
  - sudo (PID: 40663)
- Connects to unusual port
  - neon.i686.elf (PID: 40669)
- Reads passwd file
  - neon.i686.elf (PID: 40664)
- Contacting a server suspected of hosting an CnC
  - neon.i686.elf (PID: 40669)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

239

Monitored processes

19

Malicious processes

2

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40659	/bin/sh -c "sudo chown user /tmp/neon\.i686\.elf && chmod +x /tmp/neon\.i686\.elf && DISPLAY=:0 sudo -iu user /tmp/neon\.i686\.elf "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
40660	sudo chown user /tmp/neon.i686.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40661	chown user /tmp/neon.i686.elf	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40662	chmod +x /tmp/neon.i686.elf	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40663	sudo -iu user /tmp/neon.i686.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40664	/tmp/neon.i686.elf	/tmp/neon.i686.elf	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40665	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	neon.i686.elf
User: user Integrity Level: UNKNOWN Exit code: 0
40666	/tmp/neon.i686.elf	/tmp/neon.i686.elf	—	neon.i686.elf
User: user Integrity Level: UNKNOWN Exit code: 0
40667	/tmp/neon.i686.elf	/tmp/neon.i686.elf	—	neon.i686.elf
User: user Integrity Level: UNKNOWN
40668	/tmp/neon.i686.elf	/tmp/neon.i686.elf	—	neon.i686.elf
User: user Integrity Level: UNKNOWN

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

2

TCP/UDP connections

75

DNS requests

12

Threats

4

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	185.125.190.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	169.150.255.181:443	odrs.gnome.org	—	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
40669	neon.i686.elf	103.252.137.107:12121	traxanhc2.duckdns.org	—	—	malicious
40678	neon.i686.elf	8.8.8.8:53	—	—	—	whitelisted
40678	neon.i686.elf	65.222.202.53:80	—	UUNET	US	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	185.125.190.97 185.125.190.98 185.125.190.48 91.189.91.98 185.125.190.96 91.189.91.48 91.189.91.49 185.125.190.17 185.125.190.18 91.189.91.96 185.125.190.49 2001:67c:1562::23 2620:2d:4000:1::22 2620:2d:4002:1::198 2620:2d:4000:1::96 2620:2d:4000:1::2a 2620:2d:4000:1::2b 2620:2d:4000:1::23 2001:67c:1562::24 2620:2d:4000:1::97 2620:2d:4000:1::98 2620:2d:4002:1::196	whitelisted
google.com	142.250.181.238 2a00:1450:4001:82a::200e	whitelisted
odrs.gnome.org	169.150.255.181 195.181.170.18 212.102.56.179 169.150.255.183 195.181.175.40 207.211.211.27 37.19.194.81 2a02:6ea0:c700::11 2a02:6ea0:c700::18 2a02:6ea0:c700::101 2a02:6ea0:c700::112 2a02:6ea0:c700::19 2a02:6ea0:c700::107 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.58 185.125.188.57 185.125.188.59 2620:2d:4000:1010::2e6 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::344	whitelisted
traxanhc2.duckdns.org	103.252.137.107	unknown
13.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
40669	neon.i686.elf	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
40669	neon.i686.elf	Misc activity	ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
40669	neon.i686.elf	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
40669	neon.i686.elf	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)

Add for printing

No debug info

General Info

neon.i686

19C999F21644416595799993BC69450B

AA5D3366F9B18E923FEB0E1D50F068A5E122DF0E

952195D3E97C81DC47090E7E136CBD10E40608074336B3EF52CB0830DA2FDFDD

3072:tliXgTB8owwLCfUz6m8h5HuhYdNkrtxt4l9TnCHuwmDrYBXn+zDkzMK1G2:tliXgTB8owwLCfUz6mu5HuhYdNkrtxtl

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Reads profile file

Executes commands using command-line interpreter

Connects to unusual port

Reads passwd file

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings