File name:

mallox-linux.zip

Full analysis: https://app.any.run/tasks/3c2df7e0-fa69-478a-a2c8-2baee8cb3455
Verdict: Malicious activity
Analysis date: June 17, 2024, 15:06:01
OS: Ubuntu 22.04.2
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

9F41AB9D1E98C63872CB681C31FE1953

SHA1:

AA56EE683F841614959930C711BB38E342D77061

SHA256:

E98B35F3D400BA5A8042C3C24EC8B048A4F39E663C2E1A3FB58CC301DA6E87CB

SSDEEP:

49152:n06CkRSLPrBg7k1C+Bkf3ndbTSkpSUz5SdjrwtH3hyxgm+TdRszha+j19I7K2cSp:ukQzKA1RBQ3tpPgVWIxoTdC1d1z2gJn2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • mallox.elf (PID: 13098)

  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 12980)

    • Modifies bash configuration script

      • mallox.elf (PID: 13098)

    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 13039)

  • INFO

    • Dropped object may contain TOR URL's

      • 7z (PID: 13010)
      • mallox.elf (PID: 13098)

    • The dropped object may contain a URL to Tor Browser

      • 7z (PID: 13010)
      • mallox.elf (PID: 13098)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x144fe78c
ZipCompressedSize: 869349
ZipUncompressedSize: 1991784
ZipFileName: 8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
265
Monitored processes
48
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
sh no specs file no specs sh no specs sudo no specs file-roller no specs locale-check no specs 7z no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemd-hostnamed no specs gvfsd-network no specs gvfsd-smb-browse gvfsd-dnssd no specs systemctl no specs systemctl no specs 7z no specs tracker-extract-3 no specs dbus-daemon no specs nautilus no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dirname no specs dircolors no specs bash no specs bash no specs bash no specs bash no specs mv no specs tracker-extract-3 no specs bash no specs bash no specs bash no specs bash no specs chmod no specs bash no specs bash no specs sudo no specs sudo no specs mallox.elf tracker-extract-3 no specs dpkg no specs

Process information

PID
CMD
Path
Indicators
Parent process
12944sh -c "file --mime-type /home/user/Desktop/mallox-linux\.zip"/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12945file --mime-type /home/user/Desktop/mallox-linux.zip/usr/bin/filesh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12946/bin/sh -c "DISPLAY=:0 sudo -iu user file-roller /home/user/Desktop/mallox-linux\.zip "/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
12947sudo -iu user file-roller /home/user/Desktop/mallox-linux.zip/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
12948file-roller /home/user/Desktop/mallox-linux.zip/usr/bin/file-rollersudo
User:
user
Integrity Level:
UNKNOWN
12949/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12963/usr/lib/p7zip/7z l -slt -bd -y -- /home/user/Desktop/mallox-linux.zip/usr/lib/p7zip/7zfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
482
12964systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
12965systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
12966systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
Executable files
0
Suspicious files
188
Text files
308
Unknown types
2

Dropped files

PID
Process
Filename
Type
12948file-roller/home/user/.local/share/recently-used.xbelxml
MD5:
SHA256:
130107z/home/user/Desktop/8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699fbinary
MD5:
SHA256:
13098mallox.elf/home/user/Desktop/TargetInfo.txttext
MD5:
SHA256:
13098mallox.elf/home/user/test_files/HOW TO DECRYPT.txttext
MD5:
SHA256:
13098mallox.elf/home/user/.pki/nssdb/HOW TO DECRYPT.txttext
MD5:
SHA256:
13098mallox.elf/home/user/.cache/ubuntu-report/HOW TO DECRYPT.txttext
MD5:
SHA256:
13098mallox.elf/home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0/HOW TO DECRYPT.txttext
MD5:
SHA256:
13098mallox.elf/home/user/.cache/gnome-software/screenshots/624x351/HOW TO DECRYPT.txttext
MD5:
SHA256:
13098mallox.elf/home/user/.cache/gnome-software/icons/HOW TO DECRYPT.txttext
MD5:
SHA256:
13098mallox.elf/home/user/.cache/gnome-software/odrs/HOW TO DECRYPT.txttext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
13098
mallox.elf
GET
200
104.26.12.205:80
http://api.ipify.org/
unknown
unknown
GET
204
91.189.91.98:80
http://connectivity-check.ubuntu.com/
unknown
unknown
13098
mallox.elf
GET
200
104.26.13.205:80
http://api.ipify.org/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
470
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.98:80
Canonical Group Limited
US
unknown
91.189.91.96:80
Canonical Group Limited
US
unknown
485
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
12988
gvfsd-smb-browse
192.168.100.255:137
whitelisted
13098
mallox.elf
104.26.12.205:80
api.ipify.org
CLOUDFLARENET
US
unknown
13098
mallox.elf
104.26.13.205:80
api.ipify.org
CLOUDFLARENET
US
unknown
91.215.85.142:80
RU
unknown

DNS requests

Domain
IP
Reputation
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
unknown
238.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2001:67c:1562::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
unknown
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
changelogs.ubuntu.com
  • 91.189.91.48
  • 185.125.190.18
  • 185.125.190.17
  • 91.189.91.49
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
mallox-linux.zip