Malware analysis skid.x86 Malicious activity | ANY.RUN

Add for printing

File name:	skid.x86
Full analysis:	https://app.any.run/tasks/86ae468b-5f9d-428e-90dc-4bb76bf42c40
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	April 10, 2024, 08:03:14
OS:	Ubuntu 22.04.2
Tags:	botnet mirai
MIME:	application/x-executable
File info:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5:	8E8A7759E596EFB31DA60C5CF5239520
SHA1:	0058625CEBBCEA271C5E8A12A7E96910FC4D9FAF
SHA256:	A939592B7C4B82EB07BF7AD619A3CE9606EBC119D3D7091B193B1A625684D77B
SSDEEP:	6144:mwjeKktQWsTSMSlL4rAzoiX5xXFVZI1fTpKPESTSWkLy0uJcEw+fKEv4dndEmUke:mwjeKktQWsTSMSlL4rCoiX5xXFVZI1f6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads network configuration
  - dvrHelper (PID: 9273)
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 9296)
- Executes commands using command-line interpreter
  - gnome-terminal-server (PID: 9310)
  - sudo (PID: 9270)
- Gets active TCP connections
  - dvrHelper (PID: 9273)
- Modifies file or directory owner
  - sudo (PID: 9267)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture:	64 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	AMD x86-64

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

249

Monitored processes

29

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
9266	/bin/sh -c "sudo chown user \"/tmp/skid\.x86\.o\" && chmod +x \"/tmp/skid\.x86\.o\" && DISPLAY=:0 sudo -iu user \"/tmp/skid\.x86\.o\" "	/bin/sh	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
9267	sudo chown user /tmp/skid.x86.o	/usr/bin/sudo	—	sh
User: root Integrity Level: UNKNOWN Exit code: 0
9268	chown user /tmp/skid.x86.o	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
9269	chmod +x /tmp/skid.x86.o	/usr/bin/chmod	—	sh
User: root Integrity Level: UNKNOWN Exit code: 0
9270	sudo -iu user /tmp/skid.x86.o	/usr/bin/sudo	—	sh
User: root Integrity Level: UNKNOWN Exit code: 0
9271	/tmp/skid.x86.o	/tmp/skid.x86.o	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
9272	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	skid.x86.o
User: user Integrity Level: UNKNOWN Exit code: 0
9273		/home/user/dvrHelper	—	skid.x86.o
User: user Integrity Level: UNKNOWN
9274		/home/user/dvrHelper	—	dvrHelper
User: user Integrity Level: UNKNOWN
9275		/home/user/dvrHelper	—	dvrHelper
User: user Integrity Level: UNKNOWN Exit code: 9288

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

9

DNS requests

9

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.97:80	—	Canonical Group Limited	US	unknown
—	—	91.189.91.96:80	—	Canonical Group Limited	US	unknown
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	94.154.33.25:9981	hsjupldf2z.pirate	WINDSTREAM	US	unknown

DNS requests

Domain	IP	Reputation
api.snapcraft.io	185.125.188.58 185.125.188.54 185.125.188.55 185.125.188.59	unknown
hsjupldf2z.pirate	85.195.79.166 85.239.34.72 94.154.33.25	unknown
138.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2620:2d:4000:1::98 2620:2d:4000:1::23 2620:2d:4002:1::197 2001:67c:1562::23 2620:2d:4000:1::2a 2620:2d:4002:1::198 2001:67c:1562::24 2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4002:1::196	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Mirai.Gen Check-In (Linux DDoS)

Add for printing

No debug info

General Info

skid.x86

8E8A7759E596EFB31DA60C5CF5239520

0058625CEBBCEA271C5E8A12A7E96910FC4D9FAF

A939592B7C4B82EB07BF7AD619A3CE9606EBC119D3D7091B193B1A625684D77B

6144:mwjeKktQWsTSMSlL4rAzoiX5xXFVZI1fTpKPESTSWkLy0uJcEw+fKEv4dndEmUke:mwjeKktQWsTSMSlL4rCoiX5xXFVZI1f6

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads network configuration

Checks DMI information (probably VM detection)

Executes commands using command-line interpreter

Gets active TCP connections

Modifies file or directory owner

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings