File name: b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf
Full analysis: https://app.any.run/tasks/758820fb-9a9d-45e6-b415-d9d300786b96
Verdict: Malicious activity
Analysis date: May 02, 2024, 10:08:52
OS: Ubuntu 22.04.2
MIME: application/x-executable
File info: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
MD5: 3023EAF453A136A0B72DE7D45EC57ABF
SHA1: 5B482B248863FCB84CCC6FA6EFC5E4A0807D36E3
SHA256: B316E3EE6D724D6515E4D9D85928A0A4ECDB4259EEB3F1278E89D3E8E4697DB4
SSDEEP: 1536:3UoikAzQl+3uAmkoUWtTbT4rYzXkXDfffCxN6Dvc8FH6S:EoikAzQl+3uAmkoUpYzufXCCQ3S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • pipewire (PID: 9279)
      • udevadm (PID: 9300)
      • udevadm (PID: 9299)
      • pipewire (PID: 9319)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • fusermount3 (PID: 9298)
      • fusermount3 (PID: 9296)
      • fusermount3 (PID: 9295)
    • Modifies file or directory owner

      • sudo (PID: 9266)
    • Checks the user who created the process

      • systemd (PID: 9312)
  • INFO

    No info indicators.

Attribution note: none of the PIDs listed above belongs to the sample itself (PID 9270 and its two children, PIDs 9272 and 9273). The sudo hit (PID 9266) is the sandbox's own launch wrapper changing the owner of the dropped file before executing it, and pipewire, udevadm, fusermount3 and systemd are GNOME session processes started inside the guest. The behaviour that is actually attributable to the sample is in the process and network sections below, not in the signature list.
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUType: i386
ObjectFileType: Executable file
CPUByteOrder: Little endian
CPUArchitecture: 32 bit
No data.
All screenshots are available in the full report
Total processes
286
Monitored processes
66
Malicious processes
0
Suspicious processes
0

Behavior graph

Processes shown in the graph, in order (every node is tagged "no specs" by the sandbox, i.e. no signature is attached to it): sh, sudo, chown, chmod, sudo, b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o, locale-check, b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o, b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o, gnome-session-ctl, pipewire, systemd, fusermount3, fusermount3, gnome-session-failed, fusermount3, udevadm, udevadm, default, gdm-session-worker, default, default, systemd-user-runtime-dir, systemd, systemd, systemd, 30-systemd-environment-d-generator, systemd, systemd-xdg-autostart-generator, systemctl, pipewire, systemd, systemd, gdm-session-worker, snap-seccomp, gst-plugin-scanner, gsettings, ubuntu-settings-migrate-to-defaults.18.10.1.py, yaru-theme-gtk-abandon-yaru-light.sh, gsettings, gsettings, xwayland, gvfs-mtp-volume-monitor, dbus-daemon, xdg-permission-store, systemd, dbus-daemon, gjs, dbus-daemon, at-spi2-registryd, sh, gnome-shell, gnome-session-binary, gsd-print-notifications, xwayland, ibus-daemon, ibus-engine-unikey, ibus-engine-m17n, gnome-session-binary, ibus-dconf, dbus-daemon, ibus-portal, ibus-engine-unikey, ibus-engine-simple, tracker-extract-3, gvfsd-metadata

Process information

PID: 9265
CMD: /bin/sh -c "sudo chown user /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4\.elf\.o && chmod +x /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4\.elf\.o && DISPLAY=:0 sudo -iu user /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4\.elf\.o "
Path: /bin/sh
Parent process: any-guest-agent
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 9266
CMD: sudo chown user /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /usr/bin/sudo
Parent process: sh
Indicators: Modifies file or directory owner
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 9267
CMD: chown user /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 9268
CMD: chmod +x /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /usr/bin/chmod
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 9269
CMD: sudo -iu user /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /usr/bin/sudo
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 9270
CMD: /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 9271
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 9272
CMD: httpd 316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Parent process: b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
User: user
Integrity Level: UNKNOWN
Exit code: not recorded

PID: 9273
CMD: httpd 316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Path: /tmp/b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
Parent process: b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o
User: user
Integrity Level: UNKNOWN
Exit code: not recorded

PID: 9274
CMD: /usr/libexec/gnome-session-ctl --exec-stop-check
Path: /usr/libexec/gnome-session-ctl
Parent process: systemd
User: user
Integrity Level: UNKNOWN
Exit code: 0
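The two children of the sample (PIDs 9272 and 9273) are the one piece of sample behaviour the process table does record: their CMD reads `httpd 316e3ee6...elf.o` while their Path is still `/tmp/b316e3ee6...elf.o`. The displayed cmdline is exactly the original path with its first six bytes (`/tmp/b`) replaced by `httpd `, which is what an in-place overwrite of argv[0] looks like. argv[0] is memory the process owns and can rewrite; `/proc/<pid>/exe` is maintained by the kernel and cannot be changed without a fresh execve, so comparing the two is a cheap, reliable check. The script below is an added example for this report, not ANY.RUN's code: it applies that check to a snapshot constructed from the table above (comm values were not captured by the report and are left empty) and, on a Linux host, to the live process table. The allowlist of legitimate argv[0] renamers is an assumption to extend per environment.

```python
"""Flag processes whose argv[0] or comm no longer matches /proc/<pid>/exe.

Added example, not part of the sandbox report. The REPORT_PROCS snapshot is
constructed from the report's process table; scan_proc() reads a live /proc.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

# Binaries that legitimately present a different argv[0] (multi-call binaries,
# login shells exec'd as "-bash", ...). Assumed starter list; tune per host.
ALLOWED_RENAMERS = {"busybox", "bash", "dash", "sh", "zsh"}
TASK_COMM_LEN = 15  # the kernel truncates comm to 15 bytes


@dataclass
class Proc:
    pid: int
    cmdline: bytes  # raw /proc/<pid>/cmdline, NUL-separated
    exe: str        # target of /proc/<pid>/exe, "" if unreadable
    comm: str = ""  # /proc/<pid>/comm, "" if not captured


def _exe_path(p: Proc) -> str:
    # A binary unlinked after exec shows as "/path (deleted)"; strip the marker.
    suffix = " (deleted)"
    return p.exe[:-len(suffix)] if p.exe.endswith(suffix) else p.exe


def argv0_mismatch(p: Proc) -> bool:
    """True when the basename of argv[0] disagrees with the mapped executable."""
    exe_path = _exe_path(p)
    if not exe_path:
        return False                       # kernel thread or exe unreadable
    exe_base = os.path.basename(exe_path)
    if exe_base in ALLOWED_RENAMERS:
        return False
    argv = p.cmdline.split(b"\0")
    if not argv or not argv[0]:
        return False                       # zombie / empty cmdline
    argv0 = argv[0].decode("utf-8", "replace").lstrip("-")
    # argv[0] naming a symlink to the real binary (python3 -> python3.10) is fine.
    if os.path.isabs(argv0) and os.path.exists(argv0) \
            and os.path.realpath(argv0) == os.path.realpath(exe_path):
        return False
    # An in-place overwrite leaves the tail of the old path inside the same
    # argv[0] cell ("httpd 316e3ee6...elf.o"), so judge by the first token only.
    argv0_base = os.path.basename(argv0.split(None, 1)[0])
    return argv0_base != exe_base


def comm_mismatch(p: Proc) -> bool:
    """Weaker, corroborating signal: comm is set to the executable basename on
    execve and changed by prctl(PR_SET_NAME), another common disguise. Some
    programs rename their main thread legitimately, so do not alert on it alone."""
    exe_path = _exe_path(p)
    if not p.comm or not exe_path:
        return False
    return p.comm != os.path.basename(exe_path)[:TASK_COMM_LEN]


def flag_masquerades(procs: Iterable[Proc]) -> List[int]:
    """PIDs of processes failing either check, in input order."""
    return [p.pid for p in procs if argv0_mismatch(p) or comm_mismatch(p)]


def scan_proc() -> List[Proc]:
    """Snapshot the live process table (Linux only; exe of other users'
    processes is unreadable without root and is recorded as "")."""
    procs: List[Proc] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read()
            with open(f"{base}/comm") as f:
                comm = f.read().rstrip("\n")
        except OSError:
            continue                       # process exited while we looked
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(int(name), cmdline, exe, comm))
    return procs


SAMPLE = "b316e3ee6d724d6515e4d9d85928a0a4ecdb4259eeb3f1278e89d3e8e4697db4.elf.o"
# Constructed from the report's process table (PIDs 9270-9273); comm unknown.
REPORT_PROCS = [
    Proc(9270, f"/tmp/{SAMPLE}\0".encode(), f"/tmp/{SAMPLE}"),
    Proc(9271, b"/usr/bin/locale-check\0C.UTF-8\0", "/usr/bin/locale-check", "locale-check"),
    Proc(9272, f"httpd {SAMPLE[1:]}\0".encode(), f"/tmp/{SAMPLE}"),
    Proc(9273, f"httpd {SAMPLE[1:]}\0".encode(), f"/tmp/{SAMPLE}"),
]

if __name__ == "__main__":
    print("report snapshot:", flag_masquerades(REPORT_PROCS))  # [9272, 9273]
    if os.path.isdir("/proc"):
        print("live system:", flag_masquerades(scan_proc()))
```

Run it as root on the host you want to audit so that `/proc/<pid>/exe` is readable for every process; unprivileged runs silently skip other users' processes rather than reporting them as clean.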
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID   Process                          Filename
9312  systemd                          /systemd/inaccessible/reg
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-nm\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-im\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-ubuntu\x2dadvantage\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-user\x2ddirs\x2dupdate\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-snap\x2duserd\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-ubuntu\x2dreport\x2don\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-print\[email protected]
9317  systemd-xdg-autostart-generator  /systemd/generator.late/app-ibus\x2dmozc\x2dgnome\x2dinitial\[email protected]

No type, MD5 or SHA256 was recorded for any of these files. All of them are written by systemd session components, none by the sample.
HTTP(S) requests
0
TCP/UDP connections
45
DNS requests
10
Threats
0

HTTP requests

No HTTP requests

Connections

PID and Process were not recorded for any connection.

IP:port               Domain             ASN                      CN  Reputation
185.125.188.55:443    api.snapcraft.io   Canonical Group Limited  GB  unknown
185.125.188.59:443    api.snapcraft.io   Canonical Group Limited  GB  unknown
224.0.0.251:5353      -                  -                        -   unknown
89.190.156.145:7733   -                  Alsycon B.V.             NL  unknown
94.156.79.215:33966   cnc.voidnet.space  Vivacom                  BG  unknown

DNS requests

Domain: api.snapcraft.io
Reputation: unknown
IPs:
  • 185.125.188.58
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.55

Domain: cnc.voidnet.space
Reputation: unknown
IPs:
  • 94.156.79.215

Domain: 22.100.168.192.in-addr.arpa
Reputation: unknown
IPs: none recorded

Domain: connectivity-check.ubuntu.com
Reputation: unknown
IPs:
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2001:67c:1562::24
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197

Threats

PID and Process were not recorded for either alert.

Class        Message
Misc Attack  ET DROP Spamhaus DROP Listed Traffic Inbound group 13
Misc Attack  ET DROP Spamhaus DROP Listed Traffic Inbound group 15
No debug info