File name:	586.elf
Full analysis:	https://app.any.run/tasks/f326feb9-adb1-480a-a1af-fbfb1c60c55a
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks. Malware Trends Tracker >>>
Analysis date:	May 13, 2025, 20:09:20
OS:	Ubuntu 22.04.2
Tags:	ddos gafgyt botnet
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
MD5:	BF4D598B03B0F903B4E37BFBE799DFAE
SHA1:	84CD49DB89CD41B5945E8422BF1AAEA74420BE53
SHA256:	9EBFAAD779077ADB8FD3842EA4BF07A817858D675CE3EA1F6DC7231265F90444
SSDEEP:	3072:zuegsPqs54yt34vciAhjEv0SaLZu3hlVedpym5qbyCYXmh:zuegsPqs54yd8ciAhjE3Gpym5qbyRXmh

CPUArchitecture:	32 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	i386

PID	CMD	Path	Indicators	Parent process
39495	/bin/sh -c "sudo chown user /home/user/Desktop/586\.elf && chmod +x /home/user/Desktop/586\.elf && DISPLAY=:0 sudo -i /home/user/Desktop/586\.elf "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 0
39496	sudo chown user /home/user/Desktop/586.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39497	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
39498	chown user /home/user/Desktop/586.elf	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
39499	chmod +x /home/user/Desktop/586.elf	/usr/bin/chmod	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
39500	sudo -i /home/user/Desktop/586.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39501	/home/user/Desktop/586.elf	/home/user/Desktop/586.elf	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
39502	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	586.elf
User: root Integrity Level: UNKNOWN Exit code: 0
39504	-bash --login -c \/home\/user\/Desktop\/586\.elf	/usr/bin/bash	—	586.elf
User: root Integrity Level: UNKNOWN Exit code: 0
39505	sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"	/usr/bin/dash	—	bash
User: root Integrity Level: UNKNOWN Exit code: 256

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	—	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	—	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	195.181.170.19:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39511	586.elf	5.252.177.70:23	—	MivoCloud SRL	US	unknown

Domain	IP	Reputation
connectivity-check.ubuntu.com	91.189.91.98 185.125.190.48 91.189.91.96 185.125.190.17 185.125.190.97 185.125.190.98 185.125.190.49 185.125.190.96 185.125.190.18 91.189.91.48 91.189.91.49 2620:2d:4002:1::198 2001:67c:1562::23 2620:2d:4000:1::2a 2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4000:1::23 2001:67c:1562::24 2620:2d:4000:1::97 2620:2d:4002:1::196 2620:2d:4000:1::2b 2620:2d:4000:1::98	whitelisted
odrs.gnome.org	195.181.170.19 207.211.211.27 37.19.194.80 195.181.175.40 212.102.56.179 169.150.255.184 169.150.255.180 2a02:6ea0:c700::19 2a02:6ea0:c700::101 2a02:6ea0:c700::18 2a02:6ea0:c700::21 2a02:6ea0:c700::112 2a02:6ea0:c700::107 2a02:6ea0:c700::11	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.59 185.125.188.57 185.125.188.58 2620:2d:4000:1010::42 2620:2d:4000:1010::344 2620:2d:4000:1010::117 2620:2d:4000:1010::2e6	whitelisted
google.com	142.250.184.238 2a00:1450:4001:831::200e	whitelisted
13.100.168.192.in-addr.arpa	—	unknown

General Info

586.elf

BF4D598B03B0F903B4E37BFBE799DFAE

84CD49DB89CD41B5945E8422BF1AAEA74420BE53

9EBFAAD779077ADB8FD3842EA4BF07A817858D675CE3EA1F6DC7231265F90444

3072:zuegsPqs54yt34vciAhjEv0SaLZu3hlVedpym5qbyCYXmh:zuegsPqs54yd8ciAhjE3Gpym5qbyRXmh

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

GAFGYT has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Executes commands using command-line interpreter

Contacting a server suspected of hosting an CnC

Modifies file or directory owner

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings