File name:

a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf

Full analysis: https://app.any.run/tasks/c8f09f33-9988-4348-a01c-15f15d8b40d6
Verdict: Malicious activity
Analysis date: December 14, 2024, 12:25:09
OS: Ubuntu 22.04.2 LTS
Indicators:
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
MD5:

301CF3C8FC89EE44D7A40461BBF9BD00

SHA1:

6D49AE38398CA9B225C4D2E1A11C160A828313B4

SHA256:

A5A24F796C7204059A62E251C35D67F0E2CD7D591792B65F7B55921261AB163D

SSDEEP:

6144:0aNvnuPwyVwafnwII4DphaqKumBT38dAY4:0aNvnuPwyVPfnwIISphTNmBT38dAY4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf (PID: 38769)

  • SUSPICIOUS

    • Gets active network interfaces

      • sudo (PID: 38758)

    • Reads network configuration

      • sudo (PID: 38758)

    • Executes commands using command-line interpreter

      • sudo (PID: 38758)

    • Contacting a server suspected of hosting an CnC

      • a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf (PID: 38769)

    • Modifies file or directory owner

      • sudo (PID: 38751)

    • Connects to unusual port

      • a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf (PID: 38769)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUType: AMD x86-64
ObjectFileType: Executable file
CPUByteOrder: Little endian
CPUArchitecture: 64 bit
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
228
Monitored processes
19
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs dash no specs chown no specs chmod no specs sudo no specs a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf no specs locale-check no specs bash no specs dash no specs tr no specs cat no specs mesg no specs a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf no specs #MIRAI a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf systemctl no specs systemctl no specs systemctl no specs systemctl no specs

Process information

PID
CMD
Path
Indicators
Parent process
38750/bin/sh -c "sudo chown user /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d\.elf && chmod +x /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d\.elf && DISPLAY=:0 sudo -i /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d\.elf "/usr/bin/dashany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38751sudo chown user /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38752/bin/sh -e /etc/NetworkManager/dispatcher.d/01-ifupdown connectivity-change/usr/bin/dashnm-dispatcher
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38756chown user /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38757chmod +x /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf/usr/bin/chmoddash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38758sudo -i /home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38761/home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf/home/user/Desktop/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elfsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38762/usr/bin/locale-check C.UTF-8/usr/bin/locale-checka5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38763-bash --login -c \/home\/user\/Desktop\/a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d\.elf/usr/bin/basha5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38764sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"/usr/bin/dashbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
256
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
10
DNS requests
12
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.48:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
200
37.19.194.81:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.62 Mb
whitelisted
GET
200
212.102.56.179:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.62 Mb
whitelisted
GET
200
37.19.194.81:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.62 Mb
whitelisted
GET
200
37.19.194.81:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.62 Mb
whitelisted
POST
200
185.125.188.54:443
https://api.snapcraft.io/api/v1/snaps/auth/nonces
unknown
binary
53 b
whitelisted
POST
200
185.125.188.55:443
https://api.snapcraft.io/api/v1/snaps/auth/nonces
unknown
binary
53 b
whitelisted
POST
200
185.125.188.55:443
https://api.snapcraft.io/api/v1/snaps/auth/sessions
unknown
binary
587 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.48:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
185.125.190.17:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
195.181.170.19:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
38769
a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf
37.44.238.73:8778
Harmony Hosting SARL
FR
malicious
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4002:1::198
  • 2620:2d:4002:1::196
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::98
  • 185.125.190.17
  • 91.189.91.96
  • 91.189.91.48
  • 185.125.190.98
  • 185.125.190.49
  • 91.189.91.98
  • 185.125.190.96
  • 185.125.190.48
  • 185.125.190.97
  • 185.125.190.18
  • 91.189.91.49
  • 91.189.91.97
whitelisted
odrs.gnome.org
  • 195.181.170.19
  • 169.150.255.184
  • 212.102.56.179
  • 195.181.175.40
  • 37.19.194.81
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::112
whitelisted
google.com
  • 142.250.186.174
  • 2a00:1450:4001:829::200e
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.54
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::42
whitelisted
72.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
a5a24f796c7204059a62e251c35d67f0e2cd7d591792b65f7b55921261ab163d.elf