File name:	07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb.sh
Full analysis:	https://app.any.run/tasks/8c54c7e5-4dea-445d-8380-07a77ee65515
Verdict:	Malicious activity
Analysis date:	December 14, 2024, 02:12:07
OS:	Ubuntu 22.04.2 LTS
MIME:	text/plain
File info:	ASCII text
MD5:	FB6F7E9AB4E7E62930ADC962E61A5297
SHA1:	F70AFA06233A6C59C00A13AEF3458BFE8B99C8DD
SHA256:	07B5CE4165B5A92914A6A903CAC400E53D3909EC73CE171B7F6E5FB34EA1E5CB
SSDEEP:	96:1xxwELCgcsdXV514QzKEgshXat1XfHkTFv:ZXXV514QzKfshXavXfHkTFv

PID	CMD	Path	Indicators	Parent process
38747	/bin/sh -c "sudo chown user /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb\.sh && chmod +x /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb\.sh "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 32512
38748	sudo chown user /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38749	/bin/sh -e /etc/NetworkManager/dispatcher.d/01-ifupdown connectivity-change	/usr/bin/dash	—	nm-dispatcher
User: root Integrity Level: UNKNOWN Exit code: 0
38751	chown user /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38752	chmod +x /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb.sh	/usr/bin/chmod	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
38753	sudo -iu user /home/user/Desktop/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 32512
38754	-bash --login -c \/home\/user\/Desktop\/07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 32512
38755	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38756	killall -9 mips	/usr/bin/killall	—	bash
User: user Integrity Level: UNKNOWN Exit code: 256
38757	killall -9 mips.s	/usr/bin/killall	—	bash
User: user Integrity Level: UNKNOWN Exit code: 256

PID	Process	Filename		Type
38821	busybox	/tmp/arm4		o
		MD5:—	SHA256:—
38825	busybox	/tmp/arm5		o
		MD5:—	SHA256:—
38829	busybox	/tmp/arm5		o
		MD5:—	SHA256:—
38832	busybox	/tmp/arm7		o
		MD5:—	SHA256:—
38844	wget	/tmp/mpsl.1		o
		MD5:—	SHA256:—
38860	wget	/tmp/arm4.1		o
		MD5:—	SHA256:—
38866	wget	/tmp/arm5.1		o
		MD5:—	SHA256:—
38884	wget	/tmp/arm7.1		o
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	—	185.125.190.18:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	—	185.125.190.17:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38959	curl	GET	200	141.98.11.129:80	http://141.98.11.129/x86	unknown	—	—	—
38844	wget	GET	200	141.98.11.129:80	http://141.98.11.129/mpsl	unknown	—	—	—
38792	wget	GET	200	141.98.11.129:80	http://141.98.11.129/arm6	unknown	—	—	—
38798	wget	GET	200	141.98.11.129:80	http://141.98.11.129/arm7	unknown	—	—	—
38770	wget	GET	200	141.98.11.129:80	http://141.98.11.129/x86	unknown	—	—	—
38850	wget	GET	200	141.98.11.129:80	http://141.98.11.129/x86	unknown	—	—	—
38758	wget	GET	200	141.98.11.129:80	http://141.98.11.129/mips	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.18:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.190.17:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.190.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
38758	wget	141.98.11.129:80	—	UAB Host Baltic	LT	unknown
38764	wget	141.98.11.129:80	—	UAB Host Baltic	LT	unknown
38770	wget	141.98.11.129:80	—	UAB Host Baltic	LT	unknown
38780	wget	141.98.11.129:80	—	UAB Host Baltic	LT	unknown
38786	wget	141.98.11.129:80	—	UAB Host Baltic	LT	unknown
38792	wget	141.98.11.129:80	—	UAB Host Baltic	LT	unknown

Domain	IP	Reputation
connectivity-check.ubuntu.com	2001:67c:1562::23 2620:2d:4000:1::98 2620:2d:4000:1::96 2620:2d:4002:1::198 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4000:1::23 2620:2d:4000:1::97 2620:2d:4000:1::22 2620:2d:4000:1::2a 2620:2d:4002:1::197 2620:2d:4002:1::196 185.125.190.98 185.125.190.18 91.189.91.49 185.125.190.17 91.189.91.96 91.189.91.97 185.125.190.48 185.125.190.96 91.189.91.48 185.125.190.97 185.125.190.49 91.189.91.98	whitelisted
google.com	142.250.186.110 2a00:1450:4001:828::200e	whitelisted
kingstonwikkerink.dyn	—	unknown
180.100.168.192.in-addr.arpa	—	unknown

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.dyn)
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP

General Info

07b5ce4165b5a92914a6a903cac400e53d3909ec73ce171b7f6e5fb34ea1e5cb.sh

FB6F7E9AB4E7E62930ADC962E61A5297

F70AFA06233A6C59C00A13AEF3458BFE8B99C8DD

07B5CE4165B5A92914A6A903CAC400E53D3909EC73CE171B7F6E5FB34EA1E5CB

96:1xxwELCgcsdXV514QzKEgshXat1XfHkTFv:ZXXV514QzKfshXavXfHkTFv

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Modifies file or directory owner

Executes the "rm" command to delete files or directories

Potential Corporate Privacy Violation

Executes commands using command-line interpreter

Modifies Cron jobs

Uses wget to download content

Connects to unusual port

Reads network configuration

Gets active TCP connections

Connects to the server without a host name

Reads /proc/mounts (likely used to find writable filesystems)

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings