Malware analysis na No threats detected | ANY.RUN

Add for printing

File name:	na
Full analysis:	https://app.any.run/tasks/6a2827e6-8dc0-42ef-afd0-30c08bd30246
Verdict:	No threats detected
Analysis date:	April 23, 2025, 18:03:01
OS:	Ubuntu 22.04.2
Indicators:
MIME:	application/x-executable
File info:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
MD5:	F79CF8E6E330276B7B1E5AC6F53C4907
SHA1:	73D080D80520130C6B4B0FE1E039DB1EC1FAF481
SHA256:	E202CBDA21FCB830CAA22666875CDEBEF5A2CA404A99751DA60DBC1E243B7CCC
SSDEEP:	24576:9Y9NqOG7cC2sy9aSyx0X+JmJGkd4b50kawTaYiZd:gNqOG7cCJy9aSyxk+JmJPWb50kawTaYm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - snapd (PID: 512)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 40665)
- Executes commands using command-line interpreter
  - sudo (PID: 40668)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.o	\|	ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture:	32 bit
CPUByteOrder:	Big endian
ObjectFileType:	Executable file
CPUType:	MIPS R3000

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

232

Monitored processes

13

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
512	/usr/lib/snapd/snapd	/snap/snapd/20290/usr/lib/snapd/snapd		systemd
User: root Integrity Level: UNKNOWN
40664	/bin/sh -c "sudo chown user /tmp/na\.elf && chmod +x /tmp/na\.elf && DISPLAY=:0 sudo -iu user /tmp/na\.elf "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 32256
40665	sudo chown user /tmp/na.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40666	chown user /tmp/na.elf	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40667	chmod +x /tmp/na.elf	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40668	sudo -iu user /tmp/na.elf	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 32256
40669	-bash --login -c \/tmp\/na\.elf	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 32256
40670	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
40672	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40674	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

2

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
512	snapd	/var/lib/snapd/state.json		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

10

DNS requests

11

Threats

6

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	37.19.194.81:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.78 2a00:1450:4001:828::200e	whitelisted
connectivity-check.ubuntu.com	185.125.190.96 185.125.190.98 91.189.91.98 91.189.91.96 185.125.190.48 185.125.190.17 185.125.190.97 185.125.190.18 185.125.190.49 91.189.91.48 91.189.91.97 91.189.91.49 2620:2d:4000:1::96 2001:67c:1562::24 2620:2d:4002:1::196 2620:2d:4000:1::22 2620:2d:4000:1::97 2620:2d:4000:1::2b 2620:2d:4000:1::23 2001:67c:1562::23 2620:2d:4000:1::2a 2620:2d:4002:1::197 2620:2d:4002:1::198 2620:2d:4000:1::98	whitelisted
odrs.gnome.org	37.19.194.81 169.150.255.183 207.211.211.26 212.102.56.178 169.150.255.181 195.181.170.19 195.181.175.40 2a02:6ea0:c700::112 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::21 2a02:6ea0:c700::107	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.59 185.125.188.58 185.125.188.55 2620:2d:4000:1010::6d 2620:2d:4000:1010::117 2620:2d:4000:1010::344 2620:2d:4000:1010::42	whitelisted
7.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Tycoon Server Activity
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Tycoon Server Activity
512	snapd	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Tycoon Server Activity
512	snapd	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Tycoon Server Activity
512	snapd	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Tycoon Server Activity
512	snapd	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Tycoon Server Activity

Add for printing

No debug info

General Info

na

F79CF8E6E330276B7B1E5AC6F53C4907

73D080D80520130C6B4B0FE1E039DB1EC1FAF481

E202CBDA21FCB830CAA22666875CDEBEF5A2CA404A99751DA60DBC1E243B7CCC

24576:9Y9NqOG7cC2sy9aSyx0X+JmJGkd4b50kawTaYiZd:gNqOG7cCJy9aSyxk+JmJPWb50kawTaYm

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings