File name:

skid.x86

Full analysis: https://app.any.run/tasks/86ae468b-5f9d-428e-90dc-4bb76bf42c40
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: April 10, 2024, 08:03:14
OS: Ubuntu 22.04.2
Tags:
botnet
mirai
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5:

8E8A7759E596EFB31DA60C5CF5239520

SHA1:

0058625CEBBCEA271C5E8A12A7E96910FC4D9FAF

SHA256:

A939592B7C4B82EB07BF7AD619A3CE9606EBC119D3D7091B193B1A625684D77B

SSDEEP:

6144:mwjeKktQWsTSMSlL4rAzoiX5xXFVZI1fTpKPESTSWkLy0uJcEw+fKEv4dndEmUke:mwjeKktQWsTSMSlL4rCoiX5xXFVZI1f6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 9270)
      • gnome-terminal-server (PID: 9310)

    • Modifies file or directory owner

      • sudo (PID: 9267)

    • Reads network configuration

      • dvrHelper (PID: 9273)

    • Gets active TCP connections

      • dvrHelper (PID: 9273)

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 9296)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
249
Monitored processes
29
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chown no specs chmod no specs sudo no specs skid.x86.o no specs locale-check no specs dvrhelper no specs dvrhelper no specs dvrhelper no specs tracker-extract-3 no specs gnome-session-ctl no specs gsd-media-keys no specs systemd-hostnamed no specs gnome-terminal no specs gnome-terminal.real no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dircolors no specs dirname no specs bash no specs command-not-found no specs snap no specs bash no specs command-not-found no specs snap no specs

Process information

PID
CMD
Path
Indicators
Parent process
9266/bin/sh -c "sudo chown user \"/tmp/skid\.x86\.o\" && chmod +x \"/tmp/skid\.x86\.o\" && DISPLAY=:0 sudo -iu user \"/tmp/skid\.x86\.o\" "/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9267sudo chown user /tmp/skid.x86.o/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9268chown user /tmp/skid.x86.o/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9269chmod +x /tmp/skid.x86.o/usr/bin/chmodsh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9270sudo -iu user /tmp/skid.x86.o/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
9271/tmp/skid.x86.o/tmp/skid.x86.osudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9272/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkskid.x86.o
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9273/home/user/dvrHelperskid.x86.o
User:
user
Integrity Level:
UNKNOWN
9274/home/user/dvrHelperdvrHelper
User:
user
Integrity Level:
UNKNOWN
9275/home/user/dvrHelperdvrHelper
User:
user
Integrity Level:
UNKNOWN
Exit code:
9288
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.97:80
http://connectivity-check.ubuntu.com/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
91.189.91.97:80
Canonical Group Limited
US
unknown
91.189.91.96:80
Canonical Group Limited
US
unknown
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
224.0.0.251:5353
unknown
94.154.33.25:9981
hsjupldf2z.pirate
WINDSTREAM
US
unknown

DNS requests

Domain
IP
Reputation
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.59
unknown
hsjupldf2z.pirate
  • 85.195.79.166
  • 85.239.34.72
  • 94.154.33.25
unknown
138.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::197
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::196
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Mirai.Gen Check-In (Linux DDoS)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
skid.x86