File name:
Kz2wzUsHsjty.sh
Full analysis: https://app.any.run/tasks/bde77d1b-f167-4482-938f-d8e4c29019a0
Verdict: Malicious activity
Analysis date: July 20, 2025, 06:57:35
OS: Ubuntu 22.04.2
Tags:
exploit
scan
telnet
telnetscan
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5:
86F860AE7134DA966388F0ABAE137CF8
SHA1:
FE33E47BFADD4F273FFFE622D11B58F201326B3F
SHA256:
1DA82A88970074012C31B34B3EDB119DDCA96723D80C68F8EF5D034DB56150BE
SSDEEP:
48:btyDrD8A8J8AyVkkwvf984jRpJq2XH76hwHlDRliQW12jzD3md/hEoU7VYK1J8P:btBfWEb98ijQ8b6eJ/LWsjIxK+P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • EXPLOIT has been detected (SURICATA)

      • 6mpw83zcb3ag (PID: 41424)
    • Attempting to scan the network

      • 6mpw83zcb3ag (PID: 41424)
    • TELNETSCAN has been detected (SURICATA)

      • 6mpw83zcb3ag (PID: 41424)
  • SUSPICIOUS

    • Checks type of computer hardware (uname)

      • bash (PID: 41392)
    • Gets information about currently running processes

      • bash (PID: 41392)
    • Modifies file or directory owner

      • sudo (PID: 41388)
    • Executes commands using command-line interpreter

      • sudo (PID: 41391)
    • Executes the "rm" command to delete files or directories

      • find (PID: 41404)
      • bash (PID: 41392)
    • Reads passwd file

      • crontab (PID: 41408)
      • crontab (PID: 41406)
      • crontab (PID: 41411)
      • crontab (PID: 41409)
      • crontab (PID: 41421)
      • crontab (PID: 41420)
    • Modifies Cron jobs

      • bash (PID: 41392)
    • Uses wget to download content

      • bash (PID: 41392)
    • Potential Corporate Privacy Violation

      • wget (PID: 41412)
      • 6mpw83zcb3ag (PID: 41424)
    • Connects to SSH

      • 6mpw83zcb3ag (PID: 41424)
  • INFO

    • Checks timezone

      • crontab (PID: 41406)
      • crontab (PID: 41408)
      • crontab (PID: 41411)
      • crontab (PID: 41409)
      • wget (PID: 41412)
      • crontab (PID: 41420)
      • crontab (PID: 41421)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes
170
Monitored processes
40
Malicious processes
5
Suspicious processes
0

Behavior graph

Process chain, in order of appearance (processes that triggered no signature of their own are unmarked; wget and the last 6mpw83zcb3ag instance carry indicators, the latter tagged EXPLOIT):
dash, sudo, chown, chmod, sudo, bash, locale-check, bash, head, tr, head, touch, uname, pgrep, pgrep, find, find, find, rm, crontab, grep, crontab, crontab, grep, crontab, wget, systemctl, systemctl, systemctl, chmod, 6mpw83zcb3ag, bash, crontab, rm, find, crontab, 6mpw83zcb3ag, 6mpw83zcb3ag, 6mpw83zcb3ag (#EXPLOIT), rm

Process information

PID
CMD
Path
Indicators
Parent process
PID: 41387
CMD: /bin/sh -c "sudo chown user /tmp/Kz2wzUsHsjty\.sh && chmod +x /tmp/Kz2wzUsHsjty\.sh && DISPLAY=:0 sudo -iu user /tmp/Kz2wzUsHsjty\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41388
CMD: sudo chown user /tmp/Kz2wzUsHsjty.sh
Path: /usr/bin/sudo
Parent process: dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
PID: 41389
CMD: chown user /tmp/Kz2wzUsHsjty.sh
Path: /usr/bin/chown
Parent process: sudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41390
CMD: chmod +x /tmp/Kz2wzUsHsjty.sh
Path: /usr/bin/chmod
Parent process: dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41391
CMD: sudo -iu user /tmp/Kz2wzUsHsjty.sh
Path: /usr/bin/sudo
Parent process: dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
PID: 41392
CMD: /bin/bash /tmp/Kz2wzUsHsjty.sh
Path: /usr/bin/bash
Parent process: sudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41393
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41394
CMD: /bin/bash /tmp/Kz2wzUsHsjty.sh
Path: /usr/bin/bash
Parent process: bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
PID: 41395
CMD: head /dev/urandom
Path: /usr/bin/head
Parent process: bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41396
CMD: tr -dc a-z0-9
Path: /usr/bin/tr
Parent process: bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
Executable files
0
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 41408
Process: crontab
Filename: /var/spool/cron/crontabs/user (deleted)
Type: text
MD5:
SHA256:
PID: 41411
Process: crontab
Filename: /var/spool/cron/crontabs/user
Type: text
MD5:
SHA256:
PID: 41420
Process: crontab
Filename: /var/spool/cron/crontabs/user
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3 560
DNS requests
15
Threats
4 394

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
41412
wget
GET
200
77.222.40.238:80
http://pring.cloud.swtest.ru/Vye32GsS2g38eKHmaKrLdDjgrnf2YBT4/FGx8SNCa4txePA.x86_64
RU
binary
29.2 Kb
unknown
GET
204
91.189.91.97:80
http://connectivity-check.ubuntu.com/
US
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.97:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
whitelisted
1178
snap-store
169.150.255.184:443
odrs.gnome.org
GB
whitelisted
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.57:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
41412
wget
77.222.40.238:80
pring.cloud.swtest.ru
SpaceWeb Ltd
RU
unknown
41424
6mpw83zcb3ag
109.122.198.34:22
GE
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 91.189.91.97
  • 185.125.190.48
  • 91.189.91.48
  • 185.125.190.17
  • 185.125.190.18
  • 91.189.91.49
  • 185.125.190.97
  • 91.189.91.98
  • 185.125.190.96
  • 185.125.190.49
  • 185.125.190.98
  • 91.189.91.96
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
  • 2001:67c:1562::23
  • 2001:67c:1562::24
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
whitelisted
google.com
  • 142.250.186.46
  • 2a00:1450:4001:802::200e
whitelisted
odrs.gnome.org
  • 169.150.255.184
  • 195.181.170.19
  • 212.102.56.179
  • 207.211.211.27
  • 195.181.175.40
  • 169.150.255.180
  • 37.19.194.80
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::101
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.57
  • 185.125.188.58
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
whitelisted
pring.cloud.swtest.ru
  • 77.222.40.238
unknown
4.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
41412
wget
Potentially Bad Traffic
ET HUNTING Possible ELF executable sent when remote host claims to send a Text File
41412
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41424
6mpw83zcb3ag
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
41424
6mpw83zcb3ag
Large Scale Information Leak
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
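Two of the behaviours in this report lend themselves to a local triage check: the ET HUNTING alert (an ELF image served under a text Content-Type) and the persistence pattern (a user crontab rewritten while a binary with a name generated by head /dev/urandom | tr -dc a-z0-9 is dropped and run). Note that the EXPLOIT tag above is driven by the ET INFO rule that matches the OpenSSH version banner returned by the scanned hosts, so it records what those servers advertised rather than a confirmed exploit from the sandbox. The helpers below are an added example written for this page, not ANY.RUN's code or the script's own logic; the HTTP headers and the crontab text are constructed, since the report shows neither, and the 12-character name length is an observation from this single run.

```python
"""Added triage helpers for the observables in this sandbox report.

Checks modelled on what the sandbox recorded:
  1. an ELF body served with a text/* Content-Type (the ET HUNTING alert);
  2. crontab entries that launch a binary from a temp directory or with a
     random-looking [a-z0-9] name (the dropped process was 6mpw83zcb3ag).
Sample inputs are constructed; the report does not show the HTTP headers
or the contents of /var/spool/cron/crontabs/user.
"""
import re
from typing import Dict, List, Tuple

# Observables copied from the report.
IOC = {
    "url": "http://pring.cloud.swtest.ru/Vye32GsS2g38eKHmaKrLdDjgrnf2YBT4/FGx8SNCa4txePA.x86_64",
    "download_ip": "77.222.40.238",
    "ssh_target": "109.122.198.34",
    "script_sha256": "1da82a88970074012c31b34b3edb119ddca96723d80c68f8ef5d034db56150be",
    "dropped_process": "6mpw83zcb3ag",
}

ELF_MAGIC = b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """True if the payload starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal HTTP/1.x response parser: status code, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def elf_disguised_as_text(raw: bytes) -> bool:
    """Approximates 'ET HUNTING Possible ELF executable sent when remote host
    claims to send a Text File': a 200 reply whose Content-Type is text/*
    but whose body carries the ELF magic."""
    status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return status == 200 and ctype.startswith("text/") and is_elf(body)


# Twelve [a-z0-9] characters matches the one name seen in this run; widen the
# range when hunting for variants (assumption, not a property of the family).
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}$")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_random_name(name: str) -> bool:
    return bool(RANDOM_NAME.match(name))


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Return crontab lines whose command references a temp-dir path or a
    random-looking binary name. Handles the 5-field and @reboot forms."""
    hits: List[str] = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            continue  # blank line, comment or environment assignment
        if s.startswith("@"):
            parts, need = s.split(None, 1), 2
        else:
            parts, need = s.split(None, 5), 6
        if len(parts) < need:
            continue
        for token in parts[-1].split():
            if token.startswith(TMP_DIRS) or is_random_name(token.rsplit("/", 1)[-1]):
                hits.append(line)
                break
    return hits


# Constructed response: headers are an assumption, body is a fake ELF header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n" + ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57
)

# Constructed crontab in the style of /var/spool/cron/crontabs/user.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
0 3 * * * /usr/bin/find /home/user/tmp -mtime +7 -delete
@reboot /tmp/6mpw83zcb3ag >/dev/null 2>&1
*/5 * * * * /home/user/.cache/6mpw83zcb3ag
"""

if __name__ == "__main__":
    print("ELF under text/*:", elf_disguised_as_text(SAMPLE_RESPONSE))
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
```

On a live host the same functions can be fed the output of crontab -l -u user and a saved HTTP stream from the PCAP; the Content-Type check is deliberately narrow (200 plus text/*) so it mirrors the hunting rule rather than flagging every binary download.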
No debug info