File name:

giydo

Full analysis: https://app.any.run/tasks/f571d1c7-da36-43dd-b484-bbff0fe608f4
Verdict: Malicious activity
Analysis date: January 29, 2025, 09:59:33
OS: Ubuntu 22.04.2 LTS
Tags:
websocket
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
MD5:

C313083B5751D094D3189AEA07AA587C

SHA1:

27F78A45474BB07E6440AA25E260FAC46344EA24

SHA256:

C4FA9E0F1C3708395EF3FE8CAF8605119D9CFB4CE73BF92E0737FB043E2394BF

SSDEEP:

98304:xie/cPCvhrFwPC4CeqZiGj7fbKWtAkD88sQSzI72o7hfUud5pmrz37fIPrmq2nlP:0CZuzJdG4Ex/jmbGrRy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates or rewrites file in the "bin" folder

      • giydo.elf (PID: 38768)
      • he2ta (PID: 38831)

    • Writes to Systemd service files (likely for persistence achievement)

      • sudo (PID: 38766)
      • systemd (PID: 38809)
      • systemd (PID: 38786)

    • Modifies file or directory owner

      • sudo (PID: 38763)

    • Connects to unusual port

      • he2ta (PID: 38831)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
279
Monitored processes
67
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs chown no specs chmod no specs sudo no specs giydo.elf no specs locale-check no specs bash no specs dash no specs tr no specs mesg no specs cat no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemd no specs systemd no specs snapd-env-generator no specs dash no specs generate no specs dash no specs snapd-generator no specs systemd-bless-boot-generator no specs cat no specs mkdir no specs systemd-cryptsetup-generator no specs systemd-debug-generator no specs systemd-fstab-generator no specs ls no specs systemd-getty-generator no specs systemd-gpt-auto-generator no specs systemd-hibernate-resume-generator no specs systemd-rc-local-generator no specs systemd-run-generator no specs systemd-system-update-generator no specs systemd-sysv-generator no specs systemd-veritysetup-generator no specs systemctl no specs systemd no specs systemd no specs snapd-env-generator no specs dash no specs generate no specs dash no specs snapd-generator no specs systemd-bless-boot-generator no specs systemd-cryptsetup-generator no specs systemd-debug-generator no specs systemd-fstab-generator no specs systemd-getty-generator no specs systemd-gpt-auto-generator no specs cat no specs mkdir no specs systemd-hibernate-resume-generator no specs systemd-rc-local-generator no specs systemd-run-generator no specs systemd-system-update-generator no specs systemd-sysv-generator no specs systemd-veritysetup-generator no specs ls no specs crontab no specs systemctl no specs he2ta systemctl no specs systemctl no specs systemctl no specs

Process information

PID
CMD
Path
Indicators
Parent process
38762/bin/sh -c "sudo chown user /home/user/giydo\.elf && chmod +x /home/user/giydo\.elf && DISPLAY=:0 sudo -i /home/user/giydo\.elf "/usr/bin/dashany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38763sudo chown user /home/user/giydo.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38764chown user /home/user/giydo.elf/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38765chmod +x /home/user/giydo.elf/usr/bin/chmoddash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38766sudo -i /home/user/giydo.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38768/home/user/giydo.elf/home/user/giydo.elfsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38769/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkgiydo.elf
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38770-bash --login -c \/home\/user\/giydo\.elf/usr/bin/bashgiydo.elf
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38771sh -c "cat /usr/etc/debuginfod/*\.urls 2>/dev/null"/usr/bin/dashbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
256
38772tr \n " "/usr/bin/trbash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
38831he2ta/etc/shadowtext
MD5:
SHA256:
38768giydo.elf/etc/systemd/system/system.udevd.servicetext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
23
DNS requests
17
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.48:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
38831
he2ta
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38831
he2ta
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38831
he2ta
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38831
he2ta
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38831
he2ta
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
38831
he2ta
GET
101
176.124.193.99:8082
http://176.124.193.99:8082/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
91.189.91.48:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
whitelisted
207.211.211.27:443
odrs.gnome.org
US
whitelisted
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
38831
he2ta
77.88.8.8:443
common.dot.dns.yandex.net
YANDEX LLC
RU
whitelisted
38831
he2ta
8.8.8.8:443
dns.google
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 2001:67c:1562::24
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::98
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2b
  • 91.189.91.48
  • 185.125.190.17
  • 185.125.190.49
  • 91.189.91.98
  • 185.125.190.97
  • 185.125.190.18
  • 91.189.91.96
  • 91.189.91.49
  • 185.125.190.96
  • 91.189.91.97
  • 185.125.190.48
  • 185.125.190.98
whitelisted
google.com
  • 142.250.181.238
  • 2a00:1450:4001:810::200e
whitelisted
odrs.gnome.org
  • 207.211.211.27
  • 37.19.194.80
  • 195.181.175.41
  • 169.150.255.181
  • 169.150.255.184
  • 212.102.56.179
  • 195.181.170.18
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::18
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.59
  • 185.125.188.58
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::117
whitelisted
dns.google
  • 2001:4860:4860::8844
  • 2001:4860:4860::8888
  • 8.8.8.8
  • 8.8.4.4
whitelisted
common.dot.dns.yandex.net
  • 2a02:6b8::feed:ff
  • 2a02:6b8:0:1::feed:ff
  • 77.88.8.8
  • 77.88.8.1
whitelisted
cloudflare-dns.com
  • 2606:4700::6810:f9f9
  • 2606:4700::6810:f8f9
  • 104.16.248.249
  • 104.16.249.249
whitelisted
144.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
38831
he2ta
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
38831
he2ta
Misc activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
38831
he2ta
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38831
he2ta
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
38831
he2ta
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38831
he2ta
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
38831
he2ta
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38831
he2ta
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
38831
he2ta
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
38831
he2ta
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
No debug info