File name: linpeas.sh
Full analysis: https://app.any.run/tasks/41c3dd5a-10bd-4b02-b0fc-51d38120622a
Verdict: Malicious activity
Analysis date: March 30, 2024, 13:23:21
OS: Ubuntu 22.04.2
MIME: text/x-shellscript
File info: POSIX shell script, Unicode text, UTF-8 text executable, with very long lines (1779)
MD5: C5B3E01142E4240AAFFC527097A9B81E
SHA1: F048CB8505AE79255EE22C181240C309345D3F03
SHA256: 0CD64ABC97B0107A3A6CA2BC911D63A408CADFB10175B9AF4348AC086423F80B
SSDEEP: 6144:AGtG23KlUK0LZqV8FxkZ5zPulEdHqZ7rhhVbGdQ3CPlHMpsgdce2Nkba/Jp5IsTN:CiOn3i+gD/Dbyw3/eqEPd
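Before running a copy of linpeas.sh obtained from anywhere other than its upstream release, compare it against the hashes above. The following is an added example, not code from the ANY.RUN report or from the linpeas project: it computes MD5, SHA1 and SHA256 of a file (ssdeep is not in the Python standard library and is left out), compares them to the values the report lists, and reproduces the two facts from the report's "File info" line that are cheap to check statically, the shebang interpreter and the longest line. The 300-byte threshold for "very long lines" is this example's reading of file(1)'s MAXLINELEN constant, not something the report states.

```python
import hashlib
from typing import Dict, Optional

# Hashes as listed in the ANY.RUN report for this linpeas.sh sample (lowercased).
REPORTED = {
    "md5": "c5b3e01142e4240aaffc527097a9b81e",
    "sha1": "f048cb8505ae79255ee22c181240c309345d3f03",
    "sha256": "0cd64abc97b0107a3a6ca2bc911d63a408cadfb10175b9af4348ac086423f80b",
}

# Assumption: file(1) reports "with very long lines" once a line exceeds its
# MAXLINELEN constant, which is 300 bytes in current releases.
FILE_LONG_LINE_THRESHOLD = 300


def digests(data: bytes) -> Dict[str, str]:
    """Return lowercase hex MD5, SHA1 and SHA256 of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare(data: bytes, reported: Dict[str, str] = REPORTED) -> Dict[str, bool]:
    """Per-algorithm match of the data's digests against the reported ones."""
    actual = digests(data)
    return {alg: actual[alg] == expected.lower() for alg, expected in reported.items()}


def script_profile(data: bytes) -> Dict[str, object]:
    """Static facts mirroring the report's 'File info' line: interpreter named
    in the shebang (None if absent), longest line in bytes, whether file(1)
    would call the lines 'very long', and the line count."""
    lines = data.split(b"\n")
    first = lines[0] if lines else b""
    shebang: Optional[str] = None
    if first.startswith(b"#!"):
        shebang = first[2:].strip().decode("ascii", "replace")
    longest = max((len(line) for line in lines), default=0)
    return {
        "shebang": shebang,
        "longest_line": longest,
        "very_long_lines": longest > FILE_LONG_LINE_THRESHOLD,
        "lines": len(lines),
    }


def verify_file(path: str, reported: Dict[str, str] = REPORTED) -> Dict[str, object]:
    """Read a file and return its digest matches plus its static profile."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"matches": compare(data, reported), "profile": script_profile(data)}


if __name__ == "__main__":
    import sys
    # Usage: python verify_linpeas.py /path/to/linpeas.sh
    result = verify_file(sys.argv[1])
    for alg, ok in result["matches"].items():
        print(f"{alg:6s} {'MATCH' if ok else 'MISMATCH'} vs. report")
    print("profile:", result["profile"])
```

A mismatch on all three algorithms against the reported values is expected for a newer linpeas release; it only tells you the copy is not the sample in this report, not whether it is malicious.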

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 9387)
    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 9320)
    • Reads information about logins, logouts, and login attempts

      • bash (PID: 9405)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ovpn | OpenVPN profile (with rem) (37.9)
.mml | Music Macro Language (24.1)
.sh | Linux/UNIX shell script (24.1)
.pl | Perl script (13.7)
No data.
All screenshots are available in the full report
Total processes
239
Monitored processes
17
Malicious processes
0
Suspicious processes
0

Behavior graph

Process nodes in the graph, in order, each marked "no specs": start, sh, sudo, nautilus, locale-check, systemd-hostnamed, dbus-daemon, gnome-text-editor, gnome-terminal-server, bash, lesspipe, dircolors, basename, dash, dirname, sudo, sudo, openvpn

Process information

Of the 17 monitored processes, ten are listed here. None of them runs the sample through a shell interpreter: the file was saved as /tmp/linpeas.sh.ovpn and passed to the nautilus file manager (PID 9302).

PID: 9300
CMD: /bin/sh -c "DISPLAY=:0 sudo -iu user nautilus \"/tmp/linpeas\.sh\.ovpn\" "
Path: /bin/sh
Parent process: any-guest-agent
User: user
Integrity Level: UNKNOWN

PID: 9301
CMD: sudo -iu user nautilus /tmp/linpeas.sh.ovpn
Path: /usr/bin/sudo
Parent process: sh
User: user
Integrity Level: UNKNOWN

PID: 9302
CMD: nautilus /tmp/linpeas.sh.ovpn
Path: /usr/bin/nautilus
Parent process: sudo
User: user
Integrity Level: UNKNOWN

PID: 9303
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: nautilus
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 9320
CMD: /lib/systemd/systemd-hostnamed
Path: /lib/systemd/systemd-hostnamed
Parent process: systemd
User: root
Integrity Level: UNKNOWN
Exit code: 9320

PID: 9329
CMD: /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
Path: /usr/bin/dbus-daemon
Parent process: dbus-daemon
User: user
Integrity Level: UNKNOWN
Exit code: 496

PID: 9330
CMD: /usr/bin/gnome-text-editor --gapplication-service
Path: /usr/bin/gnome-text-editor
Parent process: dbus-daemon
User: user
Integrity Level: UNKNOWN
Exit code: 9320

PID: 9387
CMD: /usr/libexec/gnome-terminal-server
Path: /usr/libexec/gnome-terminal-server
Parent process: systemd
User: user
Integrity Level: UNKNOWN

PID: 9405
CMD: bash
Path: /bin/bash
Parent process: gnome-terminal-server
User: user
Integrity Level: UNKNOWN

PID: 9406
CMD: /bin/sh /usr/bin/lesspipe
Path: /usr/bin/lesspipe
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 9330
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID / Process / Filename (the Type, MD5 and SHA256 columns are empty in this summary)

9302 / nautilus / /home/user/.local/share/nautilus/tags/meta.db-wal
9302 / nautilus / /home/user/.local/share/nautilus/tags/meta.db-shm
9302 / nautilus / /home/user/.local/share/nautilus/tags/.meta.isrunning
9330 / gnome-text-editor / /home/user/.local/share/org.gnome.TextEditor/recently-used.xbel.MPLIL2
9330 / gnome-text-editor / /home/user/.config/enchant/en_IE.dic
9330 / gnome-text-editor / /home/user/.config/enchant/en_IE.exc
9302 / nautilus / /home/user/.local/share/recently-used.xbel.9INJL2
9330 / gnome-text-editor / /home/user/.cache/mesa_shader_cache/bc/42e08f7002fdc6e1d467570cdbf1468ff1b628.tmp
9330 / gnome-text-editor / /home/user/.cache/mesa_shader_cache/2b/614a0f3c7fb73a9936c95e88466e635fc5f43b.tmp
9330 / gnome-text-editor / /home/user/.cache/mesa_shader_cache/39/f73ae7cc41bcad2026c47fc283d17c76640575.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

Method: GET
HTTP Code: 204
IP: 91.189.91.97:80
URL: http://connectivity-check.ubuntu.com/
CN: unknown
Reputation: unknown
(PID, Process, Type and Size are empty in this summary)

Connections

IP / Domain / ASN / CN / Reputation (PID and Process are empty in this summary)

91.189.91.97:80 / (none) / Canonical Group Limited / US / unknown
185.125.190.18:80 / (none) / Canonical Group Limited / GB / unknown
185.125.188.55:443 / api.snapcraft.io / Canonical Group Limited / GB / unknown
224.0.0.251:5353 / (none) / (none) / (none) / unknown

DNS requests

api.snapcraft.io (Reputation: unknown)
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
  • 185.125.188.54
92.100.168.192.in-addr.arpa (Reputation: unknown)
connectivity-check.ubuntu.com (Reputation: unknown)
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::98
  • 2001:67c:1562::23
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2b

Threats

No threats detected
No debug info