File name:

96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf

Full analysis: https://app.any.run/tasks/d5b67f2a-797a-456d-ae88-465c0d26ee9a
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: May 26, 2024, 09:01:16
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
moobot
MIME: application/x-executable
File info: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
MD5:

2C6FEE1F637BF359615EBBCB180C2873

SHA1:

06201C4FFD8622234CC7686BC0B4875F7ADF0E50

SHA256:

96285E06A00B4E6269D0B38A4D1AE419FD5BFCA0DBB7E237408D4E509E2770DD

SSDEEP:

3072:YGgupEWErrypQNBPAhib4dtidN3G/OJrB0coKi547Rt8uSheXk7RUdNgVHEVtWGk:AupEWErupQNBPtdSheXkdKoM8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • busybox (PID: 6183)

    • Connects to the CnC server

      • busybox (PID: 6183)

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • 96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o (PID: 6176)

    • Executes the "rm" command to delete files or directories

      • sh (PID: 6178)

    • Contacting a server suspected of hosting an CnC

      • busybox (PID: 6183)

    • Modifies file or directory owner

      • sudo (PID: 6172)

    • Connects to unusual port

      • busybox (PID: 6183)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 32 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: i386
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
256
Monitored processes
43
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chown no specs chmod no specs sudo no specs 96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o no specs locale-check no specs sh no specs rm no specs mkdir no specs mv no specs chmod no specs #MIRAI busybox busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs busybox no specs tracker-extract-3 no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs

Process information

PID
CMD
Path
Indicators
Parent process
6171/bin/sh -c "sudo chown user /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd\.elf\.o && chmod +x /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd\.elf\.o && DISPLAY=:0 sudo -iu user /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd\.elf\.o "/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6172sudo chown user /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6173chown user /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6174chmod +x /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o/usr/bin/chmodsh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6175sudo -iu user /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6176/tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o/tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.osudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6177/usr/bin/locale-check C.UTF-8/usr/bin/locale-check96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6178/bin/sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd\.elf\.o bin/busybox; chmod 777 bin/busybox"/bin/sh96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf.o
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6179rm -rf bin/busybox/usr/bin/rmsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6180mkdir bin/usr/bin/mkdirsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6178sh/home/user/bin/busybox
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
11
DNS requests
13
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.98:80
http://connectivity-check.ubuntu.com/
GB
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
470
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.98:80
Canonical Group Limited
GB
unknown
91.189.91.98:80
Canonical Group Limited
US
unknown
91.189.91.48:80
Canonical Group Limited
US
unknown
1195
snap-store
212.102.56.182:443
Datacamp Limited
DE
unknown
1195
snap-store
212.102.56.178:443
Datacamp Limited
DE
unknown
6183
busybox
104.244.74.231:56999
woshishabi.zzy.rip
PONYNET
LU
unknown
485
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
malicious

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::98
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 2001:67c:1562::24
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
unknown
1527653184.rsc.cdn77.org
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::10
  • 2a02:6ea0:c700::17
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::22
unknown
woshishabi.zzy.rip
  • 104.244.74.231
unknown
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
unknown
101.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
6183
busybox
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
6183
busybox
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Malware Command and Control Activity Detected
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
96285e06a00b4e6269d0b38a4d1ae419fd5bfca0dbb7e237408d4e509e2770dd.elf