Malware analysis cloud Malicious activity | ANY.RUN

Add for printing

File name:	cloud
Full analysis:	https://app.any.run/tasks/1321b16b-ea90-471b-8140-f2cbd4308ff1
Verdict:	Malicious activity
Analysis date:	October 25, 2024, 11:32:29
OS:	Ubuntu 22.04.2 LTS
MIME:	application/x-executable
File info:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
MD5:	2674724C99960521031E36DE3F8FEEEC
SHA1:	B167D83A5D79EC2572F695370E5BDBA3B7983FAB
SHA256:	C8B524CA90ADEA19D920BEB5CC6BD86DD03B23B0B2C61675CEF9D6C0446AEA84
SSDEEP:	98304:clUmkNO/RZ/FUHijM0ug+P4GRM3p8g5tIrSPj9h0ebGT8rAacCvas94LFhOS7Fh5:6/LDQ8ezkv+N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 35787)
- Executes commands using command-line interpreter
  - gnome-terminal-server (PID: 35816)
  - procdump (PID: 35911)
  - bash (PID: 35918)
  - bash (PID: 36330)
  - procdump (PID: 36323)
- Creates or rewrites file in the "bin" folder
  - dpkg (PID: 35897)
- Reads network configuration
  - sudo (PID: 35910)
  - sudo (PID: 36322)
- Uses wget to download content
  - bash (PID: 35834)
- Executes the "rm" command to delete files or directories
  - dpkg (PID: 35897)
- Reads /proc/mounts (likely used to find writable filesystems)
  - python3.10 (PID: 35842)
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 36949)
- Uses base64 (probably to encode stolen data or decode malicious payload)
  - bash (PID: 35834)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture:	64 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	AMD x86-64

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

484

Monitored processes

267

Malicious processes

0

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
445	/lib/systemd/systemd-resolved	/usr/lib/systemd/systemd-resolved		systemd
User: systemd-resolve Integrity Level: UNKNOWN
35785	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
35786	/bin/sh -c "sudo chown user /home/user/Downloads/cloud\.o && chmod +x /home/user/Downloads/cloud\.o && DISPLAY=:0 sudo -i /home/user/Downloads/cloud\.o "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN
35787	sudo chown user /home/user/Downloads/cloud.o	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
35788	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
35789	chown user /home/user/Downloads/cloud.o	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
35790	chmod +x /home/user/Downloads/cloud.o	/usr/bin/chmod	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
35791	sudo -i /home/user/Downloads/cloud.o	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN
35792	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
35793	/home/user/Downloads/cloud.o	/home/user/Downloads/cloud.o		sudo
User: root Integrity Level: UNKNOWN

Add for printing

Executable files

0

Suspicious files

265

Text files

18

Unknown types

4

Dropped files

PID	Process	Filename		Type
35942	chrome	/home/user/.config/google-chrome/ShaderCache/data_3		binary
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/ShaderCache/data_2		binary
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/ShaderCache/data_0		binary
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/GPUCache/data_3		vxd
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/GPUCache/data_2		vxd
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/GPUCache/data_0		vxd
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/DawnCache/data_3		vxd
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/DawnCache/data_2		vxd
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/DawnCache/data_0		vxd
		MD5:—	SHA256:—
35942	chrome	/home/user/.config/google-chrome/Default/History		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

17

TCP/UDP connections

295

DNS requests

454

Threats

4

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgyNjAtN2FlY2ZjMDg0NmNj/1.0.0.17_llkgjffcdpffmhiakmfcdcblohccpfmo.crx	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pjnu5jyln4kujhcmwstuyyvyyu_4.10.2830.0/oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_linux_ace35m3jiw32bj5wzzow5nia7yta.crx3	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/gcmjkmgdlgnkkcocmoeiminaijmmjnii/1.b48b30af5ce18c96128bfff9d2755c7932a1f32adc66f68322f7dd505db9626f/1.cd1978742a4afdbaaa15bf712d5c90bef4144caa99024df98f6a9ad58043ae85/e37724369d5fcfa19bd2ac306e20a9a48dc3fe425aeaacd2bf30802908e3be66	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adng7vqdoitx2e27efi7jcjaoipq_2024.10.23.0/niikhdgajlphfehepabhhblakbdgeefj_2024.10.23.00_all_ad744qa7yafkbbjy7mmxdtbjzb5a.crx3	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acofbi7777qhrtz7ekzvmyyuvgna_20241012.687478780.14/obedbbhbpmojnkanicioggnmelmoomoc_20241012.687478780.14_all_ENGB500000_hiy3535rf4v7o5ixjpmlbo4rha.crx3	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/khaoiebndkojlmppeemjhbpbandiljpe/1.05399c5840405f4af2454470ceccaa3d097f07e271705cf37c1e5559ce793eeb/1.1471c6c104c7e11f08fd446f83dcdb396b1fef335f4e3c744007c2272064f538/44367e7bc13464ae48fa3a83edb9a1fc3258aa32540abba470d2ff291e5eaf0e	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acvcezctohahwlwwavdmtin6wczq_1108/efniojlnjndmcbiieegkicadnoecjjef_1108_all_adqr5c5uoeoztyknt6urycpuhgea.crx3	unknown	—	—	whitelisted
35988	chrome	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkjdpjbpigfodbdjmbglcoo_2024.10.11.01_all_jzb2rltf4ebriiaz3nap6gmbai.crx3	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	195.181.175.40:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
35793	cloud.o	179.60.149.75:443	—	HOSTKEY-USA	NI	malicious
35842	python3.10	185.125.190.18:443	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
35872	wget	140.82.121.3:443	github.com	GITHUB	US	shared
35872	wget	185.199.111.133:443	objects.githubusercontent.com	FASTLY	US	shared

DNS requests

Domain	IP	Reputation
odrs.gnome.org	195.181.175.40 195.181.170.19 212.102.56.179 207.211.211.27 169.150.255.180 37.19.194.81 169.150.255.183 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::101 2a02:6ea0:c700::19 2a02:6ea0:c700::107 2a02:6ea0:c700::11 2a02:6ea0:c700::18	whitelisted
google.com	142.250.185.238 2a00:1450:4001:811::200e	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.59 185.125.188.55 185.125.188.58 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::2e6 2620:2d:4000:1010::6d	whitelisted
166.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2001:67c:1562::24 2620:2d:4000:1::23 2620:2d:4000:1::2a 2620:2d:4000:1::98 2620:2d:4002:1::196 2620:2d:4000:1::97 2001:67c:1562::23 2620:2d:4002:1::197 2620:2d:4000:1::96 2620:2d:4002:1::198 2620:2d:4000:1::22 2620:2d:4000:1::2b 185.125.190.49 185.125.190.18 185.125.190.96 91.189.91.48 91.189.91.49 185.125.190.98 185.125.190.17 185.125.190.48 91.189.91.97 185.125.190.97 91.189.91.98 91.189.91.96	whitelisted
changelogs.ubuntu.com	185.125.190.18 91.189.91.49 185.125.190.17 91.189.91.48 2620:2d:4000:1::2b 2620:2d:4000:1::2a	whitelisted
github.com	140.82.121.3	shared
objects.githubusercontent.com	185.199.111.133 185.199.108.133 185.199.109.133 185.199.110.133	shared
clientservices.googleapis.com	142.250.185.67	whitelisted
accounts.google.com	74.125.71.84	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .to TLD
445	systemd-resolved	Potentially Bad Traffic	ET DNS Query for .to TLD
445	systemd-resolved	Potentially Bad Traffic	ET DNS Query for .to TLD
445	systemd-resolved	Potentially Bad Traffic	ET DNS Query for .to TLD

Add for printing

No debug info

General Info

cloud

2674724C99960521031E36DE3F8FEEEC

B167D83A5D79EC2572F695370E5BDBA3B7983FAB

C8B524CA90ADEA19D920BEB5CC6BD86DD03B23B0B2C61675CEF9D6C0446AEA84

98304:clUmkNO/RZ/FUHijM0ug+P4GRM3p8g5tIrSPj9h0ebGT8rAacCvas94LFhOS7Fh5:6/LDQ8ezkv+N

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Creates or rewrites file in the "bin" folder

Reads network configuration

Uses wget to download content

Executes the "rm" command to delete files or directories

Reads /proc/mounts (likely used to find writable filesystems)

Checks DMI information (probably VM detection)

Uses base64 (probably to encode stolen data or decode malicious payload)

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings