File name: xmr.sh

Full analysis: https://app.any.run/tasks/304a84a9-365e-4149-9ec9-069a523cd82a
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: June 21, 2025, 20:43:21
OS: Ubuntu 22.04.2
Tags: winring0x64-sys, vuln-driver, xmrig, miner, arch-scr, arch-doc
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable, with very long lines (496)
MD5: 29F6F1FD52459F0F1C0CCD2AF19A96C2
SHA1: B7F03A896360BC04A3D8F71BCDC60622D59AC6A2
SHA256: 2EA999DCB12E952BF0BC739CDD4C1ACB9DA5A68AB3C3D29A4592E3744CCC4DE3
SSDEEP: 24:t0gxnQtymJEowc4/0wKYcTTjEBzAQoakonTjEBzLW91HTjEBzsBsHTjEBzC+:t0g3AegLW9+QC+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • git (PID: 41456)
    • XMRIG has been detected

      • git (PID: 41456)
  • SUSPICIOUS

    • Starts itself from another location

      • git (PID: 41456)
    • Check the Environment Variables Related to System Identification (os-release)

      • snap (PID: 41403)
      • snap (PID: 41429)
      • snap (PID: 41417)
      • snap (PID: 41444)
    • Modifies file or directory owner

      • sudo (PID: 41389)
    • Executes commands using command-line interpreter

      • sudo (PID: 41392)
    • Creates shell script file

      • git (PID: 41456)
      • tar (PID: 41481)
    • Reads passwd file

      • tar (PID: 41481)
      • apt (PID: 41399)
      • http (PID: 41442)
      • git (PID: 41456)
      • crontab (PID: 41537)
      • crontab (PID: 41536)
    • Drops a system driver (possible attempt to evade defenses)

      • git (PID: 41456)
    • Executable content was dropped or overwritten

      • git (PID: 41456)
    • Uses wget to download content

      • dash (PID: 41475)
    • Modifies Cron jobs

      • bash (PID: 41393)
    • Checks kernel name (uname)

      • dash (PID: 41483)
    • Gets information about currently running processes

      • bash (PID: 41393)
  • INFO

    • Checks timezone

      • apt (PID: 41399)
      • http (PID: 41442)
      • wget (PID: 41480)
      • git (PID: 41456)
      • git-remote-http (PID: 41461)
      • crontab (PID: 41537)
      • crontab (PID: 41536)
    • Creates file in the temporary folder

      • apt (PID: 41399)
      • dash (PID: 41548)
      • dash (PID: 41554)
    • The sample compiled with japanese language support

      • git (PID: 41456)
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
Total processes: 239
Monitored processes: 107
Malicious processes: 3
Suspicious processes: 2


Process information

PID: 41388
CMD: /bin/sh -c "sudo chown user /tmp/xmr\.sh && chmod +x /tmp/xmr\.sh && DISPLAY=:0 sudo -iu user /tmp/xmr\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41389
CMD: sudo chown user /tmp/xmr.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/libexec/sudo/libsudo_util.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  • /usr/libexec/sudo/sudoers.so
  • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41390
CMD: chown user /tmp/xmr.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41391
CMD: chmod +x /tmp/xmr.sh
Path: /usr/bin/chmod
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41392
CMD: sudo -iu user /tmp/xmr.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/libexec/sudo/libsudo_util.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  • /usr/libexec/sudo/sudoers.so
  • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41393
CMD: /bin/bash /tmp/xmr.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41394
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41395
CMD: apt-get update
Path: /usr/bin/apt-get
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 25600 (equals 100 << 8, i.e. most likely the raw wait status for an apt-get exit status of 100)
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libapt-private.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libapt-pkg.so.6.0.0
  • /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
  • /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
  • /usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4
  • /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
  • /usr/lib/x86_64-linux-gnu/liblz4.so.1.9.3
  • /usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8

PID: 41396
CMD: /usr/bin/dpkg --print-foreign-architectures
Path: /usr/bin/dpkg
Parent process: apt-get
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4

PID: 41397
CMD: /usr/bin/dpkg --print-foreign-architectures
Path: /usr/bin/dpkg
Parent process: apt-get
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
Executable files: 1
Suspicious files: 22
Text files: 1 174
Unknown types: 0

Dropped files

PID    Process  Filename                 Type
41395  apt-get  /tmp/#6029333 (deleted)  text
41395  apt-get  /tmp/#6029335 (deleted)  text
41395  apt-get  /tmp/#6029338 (deleted)  text
41395  apt-get  /tmp/#6029339 (deleted)  text
41395  apt-get  /tmp/#6029358 (deleted)  text
41395  apt-get  /tmp/#6029359 (deleted)  text
41395  apt-get  /tmp/#6029364 (deleted)  text
41395  apt-get  /tmp/#6029378 (deleted)  text
41395  apt-get  /tmp/#6029379 (deleted)  text
41395  apt-get  /tmp/#6029381 (deleted)  text

The MD5 and SHA256 fields are empty in the report for all ten entries.
HTTP(S) requests: 12
TCP/UDP connections: 13
DNS requests: 19
Threats: 13

HTTP requests

PID    Process  Method  HTTP Code  IP                 CN       Reputation   URL
-      -        GET     204        185.125.190.49:80  unknown  whitelisted  http://connectivity-check.ubuntu.com/
41442  http     GET     -          185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/libj/libjsoncpp/libjsoncpp25_1.9.5-3_amd64.deb
41442  http     GET     404        185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl3_3.0.2-0ubuntu1.18_amd64.deb
41442  http     GET     -          185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/c/cmake/cmake-data_3.22.1-1ubuntu1.22.04.2_all.deb
41442  http     GET     -          185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/c/cmake/cmake_3.22.1-1ubuntu1.22.04.2_amd64.deb
41442  http     GET     -          185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.34.1-1ubuntu1.11_amd64.deb
41442  http     GET     -          185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/r/rhash/librhash0_1.4.2-1ubuntu1_amd64.deb
41442  http     GET     -          185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/d/dh-elpa/dh-elpa-helper_2.0.9ubuntu1_all.deb
41442  http     GET     200        185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl3_3.0.2-0ubuntu1.18_amd64.deb
41442  http     GET     200        185.125.190.81:80  unknown  whitelisted  http://archive.ubuntu.com/ubuntu/pool/main/libt/libtool/libtool_2.4.6-15build2_all.deb

A "-" marks a field the report leaves blank; the Type and Size columns are empty for every row.

Connections

PID    Process          IP                  Domain                         ASN                      CN  Reputation
-      -                91.189.91.49:80     connectivity-check.ubuntu.com  Canonical Group Limited  US  whitelisted
484    avahi-daemon     224.0.0.251:5353    -                              -                        -   unknown
-      -                185.125.190.49:80   connectivity-check.ubuntu.com  Canonical Group Limited  GB  whitelisted
1178   snap-store       195.181.170.18:443  odrs.gnome.org                 Datacamp Limited         DE  whitelisted
512    snapd            185.125.188.58:443  api.snapcraft.io               Canonical Group Limited  GB  whitelisted
512    snapd            185.125.188.57:443  api.snapcraft.io               Canonical Group Limited  GB  whitelisted
512    snapd            185.125.188.54:443  api.snapcraft.io               Canonical Group Limited  GB  whitelisted
512    snapd            185.125.188.59:443  api.snapcraft.io               Canonical Group Limited  GB  whitelisted
41442  http             185.125.190.81:80   archive.ubuntu.com             Canonical Group Limited  GB  whitelisted
41461  git-remote-http  140.82.121.4:443    github.com                     GITHUB                   US  whitelisted

A "-" marks a field the report leaves blank.

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
whitelisted
google.com
  • 142.250.185.110
  • 2a00:1450:4001:830::200e
whitelisted
odrs.gnome.org
whitelisted
api.snapcraft.io
whitelisted
_http._tcp.archive.ubuntu.com
whitelisted
archive.ubuntu.com
whitelisted
github.com
  • 140.82.121.4
whitelisted
10.100.168.192.in-addr.arpa
unknown
dist.libuv.org
unknown

Threats

PID    Process  Class                   Message
41442  http     Not Suspicious Traffic  ET INFO GNU/Linux APT User-Agent Outbound likely related to package management

This alert is listed 10 times for PID 41442 in the report.
No debug info