| File name: | ce.sh |
| Full analysis: | https://app.any.run/tasks/0cd75402-bc55-4a8b-a451-2c69cc168006 |
| Verdict: | Malicious activity |
| Analysis date: | May 10, 2025, 04:21:56 |
| OS: | Ubuntu 22.04.2 |
| MIME: | text/x-shellscript |
| File info: | Bourne-Again shell script, Unicode text, UTF-8 text executable, with very long lines (513) |
| MD5: | 1BF1EFEADEDF52C0ED50941B10A2F468 |
| SHA1: | 029796DC6307EFD60D6F8E116781FEAD10CA05F4 |
| SHA256: | 3A67DF40721703C455C6364FF6FDA6AF4A6DF95D0B7BFF1A7CEBD45CC3F5D1F0 |
| SSDEEP: | 384:r5JLwlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJw6K:t17YJDj8OoJw6K |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executes commands using command-line interpreter
- sudo (PID: 40654)
- dash (PID: 42671)
- dash (PID: 42681)
- dash (PID: 42685)
Modifies file or directory owner
- sudo (PID: 40651)
Removes file immutable attribute
- bash (PID: 40655)
Reads passwd file
- ls (PID: 40670)
- ls (PID: 40680)
- ls (PID: 40665)
- ls (PID: 40675)
- ls (PID: 40690)
- ls (PID: 40685)
- ls (PID: 40695)
- ls (PID: 40700)
- ls (PID: 40710)
- ls (PID: 40720)
- ls (PID: 40740)
- ls (PID: 40715)
- ls (PID: 40725)
- ls (PID: 40735)
- ls (PID: 40705)
- ls (PID: 40730)
- ls (PID: 40755)
- ls (PID: 40765)
- ls (PID: 40760)
- ls (PID: 40770)
- ls (PID: 40780)
- ls (PID: 40775)
- ls (PID: 40745)
- ls (PID: 40750)
- ls (PID: 40800)
- ls (PID: 40805)
- ls (PID: 40810)
- ls (PID: 40820)
- ls (PID: 40815)
- ls (PID: 40825)
- ls (PID: 40785)
- ls (PID: 40790)
- ls (PID: 40795)
- ls (PID: 40835)
- ls (PID: 40860)
- ls (PID: 40840)
- ls (PID: 40845)
- ls (PID: 40850)
- ls (PID: 40855)
- ls (PID: 40830)
- ls (PID: 40880)
- ls (PID: 40875)
- ls (PID: 40885)
- ls (PID: 40895)
- ls (PID: 40905)
- ls (PID: 40865)
- ls (PID: 40870)
- ls (PID: 40890)
- ls (PID: 40900)
- ls (PID: 40915)
- ls (PID: 40910)
- ls (PID: 40920)
- ls (PID: 40925)
- ls (PID: 40930)
- ls (PID: 40960)
- ls (PID: 40935)
- ls (PID: 40945)
- ls (PID: 40940)
- ls (PID: 40950)
- ls (PID: 40980)
- ls (PID: 41000)
- ls (PID: 40995)
- ls (PID: 40990)
- ls (PID: 40965)
- ls (PID: 40975)
- ls (PID: 40955)
- ls (PID: 40970)
- ls (PID: 40985)
- ls (PID: 41020)
- ls (PID: 41030)
- ls (PID: 41025)
- ls (PID: 41035)
- ls (PID: 41045)
- ls (PID: 41005)
- ls (PID: 41015)
- ls (PID: 41010)
- ls (PID: 41060)
- ls (PID: 41055)
- ls (PID: 41065)
- ls (PID: 41075)
- ls (PID: 41050)
- ls (PID: 41040)
- ls (PID: 41080)
- ls (PID: 41085)
- ls (PID: 41110)
- ls (PID: 41100)
- ls (PID: 41105)
- ls (PID: 41125)
- ls (PID: 41090)
- ls (PID: 41070)
- ls (PID: 41095)
- ls (PID: 41135)
- ls (PID: 41145)
- ls (PID: 41140)
- ls (PID: 41155)
- ls (PID: 41115)
- ls (PID: 41120)
- ls (PID: 41130)
- ls (PID: 41150)
- ls (PID: 41165)
- ls (PID: 41180)
- ls (PID: 41175)
- ls (PID: 41190)
- ls (PID: 41160)
- ls (PID: 41170)
- ls (PID: 41185)
- ls (PID: 41220)
- ls (PID: 41225)
- ls (PID: 41230)
- ls (PID: 41195)
- ls (PID: 41200)
- ls (PID: 41205)
- ls (PID: 41210)
- ls (PID: 41215)
- ls (PID: 41250)
- ls (PID: 41255)
- ls (PID: 41260)
- ls (PID: 41270)
- ls (PID: 41275)
- ls (PID: 41240)
- ls (PID: 41235)
- ls (PID: 41245)
- ls (PID: 41265)
- ls (PID: 41300)
- ls (PID: 41290)
- ls (PID: 41295)
- ls (PID: 41310)
- ls (PID: 41305)
- ls (PID: 41280)
- ls (PID: 41285)
- ls (PID: 41315)
- ls (PID: 41335)
- ls (PID: 41340)
- ls (PID: 41345)
- ls (PID: 41360)
- ls (PID: 41320)
- ls (PID: 41330)
- ls (PID: 41325)
- ls (PID: 41350)
- ls (PID: 41380)
- ls (PID: 41385)
- ls (PID: 41375)
- ls (PID: 41370)
- ls (PID: 41390)
- ls (PID: 41355)
- ls (PID: 41365)
- ls (PID: 41405)
- ls (PID: 41410)
- ls (PID: 41420)
- ls (PID: 41450)
- ls (PID: 41430)
- ls (PID: 41440)
- ls (PID: 41425)
- ls (PID: 41435)
- ls (PID: 41400)
- ls (PID: 41395)
- ls (PID: 41415)
- ls (PID: 41480)
- ls (PID: 41455)
- ls (PID: 41465)
- ls (PID: 41470)
- ls (PID: 41475)
- ls (PID: 41445)
- ls (PID: 41460)
- ls (PID: 41510)
- ls (PID: 41495)
- ls (PID: 41505)
- ls (PID: 41515)
- ls (PID: 41520)
- ls (PID: 41485)
- ls (PID: 41490)
- ls (PID: 41500)
- ls (PID: 41535)
- ls (PID: 41540)
- ls (PID: 41550)
- ls (PID: 41565)
- ls (PID: 41560)
- ls (PID: 41525)
- ls (PID: 41530)
- ls (PID: 41545)
- ls (PID: 41555)
- ls (PID: 41580)
- ls (PID: 41585)
- ls (PID: 41590)
- ls (PID: 41595)
- ls (PID: 41600)
- ls (PID: 41570)
- ls (PID: 41575)
- ls (PID: 41620)
- ls (PID: 41625)
- ls (PID: 41630)
- ls (PID: 41635)
- ls (PID: 41610)
- ls (PID: 41605)
- ls (PID: 41615)
- ls (PID: 41640)
- ls (PID: 41660)
- ls (PID: 41655)
- ls (PID: 41675)
- ls (PID: 41670)
- ls (PID: 41680)
- ls (PID: 41645)
- ls (PID: 41650)
- ls (PID: 41665)
- ls (PID: 41710)
- ls (PID: 41705)
- ls (PID: 41720)
- ls (PID: 41690)
- ls (PID: 41685)
- ls (PID: 41695)
- ls (PID: 41700)
- ls (PID: 41715)
- ls (PID: 41755)
- ls (PID: 41750)
- ls (PID: 41765)
- ls (PID: 41760)
- ls (PID: 41725)
- ls (PID: 41730)
- ls (PID: 41735)
- ls (PID: 41745)
- ls (PID: 41740)
- ls (PID: 41795)
- ls (PID: 41785)
- ls (PID: 41780)
- ls (PID: 41790)
- ls (PID: 41800)
- ls (PID: 41775)
- ls (PID: 41770)
- ls (PID: 41805)
- ls (PID: 41820)
- ls (PID: 41825)
- ls (PID: 41840)
- ls (PID: 41835)
- ls (PID: 41830)
- ls (PID: 41850)
- ls (PID: 41810)
- ls (PID: 41815)
- ls (PID: 41860)
- ls (PID: 41855)
- ls (PID: 41880)
- ls (PID: 41870)
- ls (PID: 41865)
- ls (PID: 41885)
- ls (PID: 41890)
- ls (PID: 41845)
- ls (PID: 41875)
- ls (PID: 41910)
- ls (PID: 41915)
- ls (PID: 41925)
- ls (PID: 41930)
- ls (PID: 41935)
- ls (PID: 41905)
- ls (PID: 41900)
- ls (PID: 41895)
- ls (PID: 41920)
- ls (PID: 41950)
- ls (PID: 41945)
- ls (PID: 41965)
- ls (PID: 41960)
- ls (PID: 41970)
- ls (PID: 41940)
- ls (PID: 41955)
- ls (PID: 42000)
- ls (PID: 41995)
- ls (PID: 41990)
- ls (PID: 42010)
- ls (PID: 41985)
- ls (PID: 42005)
- ls (PID: 41980)
- ls (PID: 41975)
- ls (PID: 42055)
- ls (PID: 42030)
- ls (PID: 42035)
- ls (PID: 42040)
- ls (PID: 42045)
- ls (PID: 42050)
- ls (PID: 42015)
- ls (PID: 42020)
- ls (PID: 42025)
- ls (PID: 42080)
- ls (PID: 42070)
- ls (PID: 42075)
- ls (PID: 42085)
- ls (PID: 42093)
- ls (PID: 42060)
- ls (PID: 42065)
- ps (PID: 42146)
- ps (PID: 42141)
- ps (PID: 42151)
- ps (PID: 42158)
- ps (PID: 42163)
- ps (PID: 42126)
- ps (PID: 42131)
- ps (PID: 42136)
- curl (PID: 42329)
- ps (PID: 42318)
- dumpe2fs (PID: 42361)
- dumpe2fs (PID: 42353)
- ps (PID: 42226)
- ps (PID: 42274)
- ps (PID: 42279)
- curl (PID: 42406)
- crontab (PID: 42471)
- curl (PID: 42372)
- curl (PID: 42437)
- crontab (PID: 42476)
- crontab (PID: 42482)
- crontab (PID: 42488)
- crontab (PID: 42486)
- crontab (PID: 42479)
- crontab (PID: 42485)
- crontab (PID: 42473)
- crontab (PID: 42474)
- crontab (PID: 42477)
- crontab (PID: 42494)
- crontab (PID: 42500)
- crontab (PID: 42506)
- crontab (PID: 42495)
- crontab (PID: 42503)
- crontab (PID: 42480)
- crontab (PID: 42483)
- crontab (PID: 42491)
- crontab (PID: 42489)
- crontab (PID: 42492)
- crontab (PID: 42498)
- crontab (PID: 42497)
- crontab (PID: 42509)
- crontab (PID: 42504)
- crontab (PID: 42507)
- crontab (PID: 42501)
- crontab (PID: 42519)
- crontab (PID: 42521)
- crontab (PID: 42515)
- crontab (PID: 42513)
- crontab (PID: 42512)
- crontab (PID: 42510)
- crontab (PID: 42518)
- crontab (PID: 42516)
- crontab (PID: 42531)
- crontab (PID: 42527)
- crontab (PID: 42533)
- crontab (PID: 42525)
- crontab (PID: 42524)
- crontab (PID: 42522)
- crontab (PID: 42534)
- crontab (PID: 42537)
- crontab (PID: 42539)
- crontab (PID: 42540)
- crontab (PID: 42542)
- crontab (PID: 42545)
- crontab (PID: 42543)
- crontab (PID: 42528)
- crontab (PID: 42536)
- crontab (PID: 42546)
- crontab (PID: 42554)
- crontab (PID: 42555)
- crontab (PID: 42549)
- crontab (PID: 42552)
- crontab (PID: 42548)
- crontab (PID: 42530)
- crontab (PID: 42551)
- crontab (PID: 42566)
- crontab (PID: 42558)
- crontab (PID: 42564)
- crontab (PID: 42570)
- crontab (PID: 42560)
- crontab (PID: 42561)
- crontab (PID: 42563)
- crontab (PID: 42557)
- crontab (PID: 42578)
- crontab (PID: 42572)
- crontab (PID: 42576)
- crontab (PID: 42575)
- crontab (PID: 42567)
- crontab (PID: 42569)
- crontab (PID: 42573)
- crontab (PID: 42582)
- crontab (PID: 42585)
- crontab (PID: 42590)
- crontab (PID: 42579)
- crontab (PID: 42584)
- crontab (PID: 42581)
- crontab (PID: 42593)
- crontab (PID: 42588)
- crontab (PID: 42597)
- crontab (PID: 42594)
- crontab (PID: 42602)
- crontab (PID: 42609)
- crontab (PID: 42587)
- crontab (PID: 42591)
- crontab (PID: 42596)
- crontab (PID: 42599)
- crontab (PID: 42600)
- crontab (PID: 42606)
- crontab (PID: 42605)
- crontab (PID: 42603)
- crontab (PID: 42611)
- crontab (PID: 42621)
- crontab (PID: 42615)
- crontab (PID: 42612)
- crontab (PID: 42608)
- crontab (PID: 42618)
- crontab (PID: 42614)
- crontab (PID: 42623)
- crontab (PID: 42626)
- crontab (PID: 42620)
- crontab (PID: 42617)
- crontab (PID: 42624)
- crontab (PID: 42627)
- crontab (PID: 42633)
- crontab (PID: 42645)
- crontab (PID: 42647)
- crontab (PID: 42638)
- crontab (PID: 42629)
- crontab (PID: 42630)
- crontab (PID: 42632)
- crontab (PID: 42635)
- crontab (PID: 42636)
- crontab (PID: 42651)
- crontab (PID: 42656)
- crontab (PID: 42648)
- crontab (PID: 42642)
- crontab (PID: 42650)
- crontab (PID: 42663)
- crontab (PID: 42657)
- crontab (PID: 42662)
- crontab (PID: 42653)
- crontab (PID: 42667)
- crontab (PID: 42668)
- crontab (PID: 42639)
- crontab (PID: 42641)
- crontab (PID: 42659)
- crontab (PID: 42660)
- crontab (PID: 42644)
- crontab (PID: 42654)
Executes the "rm" command to delete files or directories
- bash (PID: 40655)
Checks hardware platform type (uname)
- bash (PID: 40655)
Gets information about currently running processes
- bash (PID: 40655)
Check the Environment Variables Related to System Identification (os-release)
- curl (PID: 42329)
- curl (PID: 42372)
- curl (PID: 42437)
- curl (PID: 42406)
Reads /proc/mounts (likely used to find writable filesystems)
- curl (PID: 42329)
- curl (PID: 42406)
- curl (PID: 42437)
- curl (PID: 42372)
Modifies Cron jobs
- bash (PID: 40655)
Clears command history
- bash (PID: 40655)
Uses wget to download content
- dash (PID: 42671)
- dash (PID: 42681)
- dash (PID: 42685)
Potential Corporate Privacy Violation
- curl (PID: 42329)
- curl (PID: 42372)
- curl (PID: 42406)
- curl (PID: 42437)
INFO
Checks timezone
- python3.10 (PID: 40661)
- ls (PID: 40680)
- ls (PID: 40670)
- ls (PID: 40675)
- ls (PID: 40665)
- ls (PID: 40690)
- ls (PID: 40685)
- ls (PID: 40695)
- ls (PID: 40700)
- ls (PID: 40705)
- ls (PID: 40715)
- ls (PID: 40720)
- ls (PID: 40730)
- ls (PID: 40725)
- ls (PID: 40735)
- ls (PID: 40710)
- ls (PID: 40745)
- ls (PID: 40760)
- ls (PID: 40755)
- ls (PID: 40770)
- ls (PID: 40765)
- ls (PID: 40780)
- ls (PID: 40740)
- ls (PID: 40750)
- ls (PID: 40775)
- ls (PID: 40795)
- ls (PID: 40800)
- ls (PID: 40805)
- ls (PID: 40810)
- ls (PID: 40820)
- ls (PID: 40815)
- ls (PID: 40785)
- ls (PID: 40790)
- ls (PID: 40845)
- ls (PID: 40850)
- ls (PID: 40860)
- ls (PID: 40855)
- ls (PID: 40870)
- ls (PID: 40825)
- ls (PID: 40830)
- ls (PID: 40835)
- ls (PID: 40840)
- ls (PID: 40875)
- ls (PID: 40900)
- ls (PID: 40890)
- ls (PID: 40865)
- ls (PID: 40880)
- ls (PID: 40885)
- ls (PID: 40905)
- ls (PID: 40895)
- ls (PID: 40915)
- ls (PID: 40920)
- ls (PID: 40910)
- ls (PID: 40965)
- ls (PID: 40955)
- ls (PID: 40930)
- ls (PID: 40925)
- ls (PID: 40935)
- ls (PID: 40940)
- ls (PID: 40945)
- ls (PID: 40950)
- ls (PID: 40960)
- ls (PID: 40980)
- ls (PID: 40985)
- ls (PID: 41000)
- ls (PID: 40990)
- ls (PID: 40995)
- ls (PID: 40970)
- ls (PID: 40975)
- ls (PID: 41020)
- ls (PID: 41015)
- ls (PID: 41030)
- ls (PID: 41025)
- ls (PID: 41035)
- ls (PID: 41045)
- ls (PID: 41005)
- ls (PID: 41010)
- ls (PID: 41065)
- ls (PID: 41080)
- ls (PID: 41075)
- ls (PID: 41070)
- ls (PID: 41040)
- ls (PID: 41050)
- ls (PID: 41055)
- ls (PID: 41060)
- ls (PID: 41100)
- ls (PID: 41105)
- ls (PID: 41125)
- ls (PID: 41115)
- ls (PID: 41110)
- ls (PID: 41085)
- ls (PID: 41090)
- ls (PID: 41095)
- ls (PID: 41130)
- ls (PID: 41140)
- ls (PID: 41145)
- ls (PID: 41155)
- ls (PID: 41150)
- ls (PID: 41120)
- ls (PID: 41135)
- ls (PID: 41180)
- ls (PID: 41175)
- ls (PID: 41195)
- ls (PID: 41165)
- ls (PID: 41170)
- ls (PID: 41160)
- ls (PID: 41185)
- ls (PID: 41200)
- ls (PID: 41205)
- ls (PID: 41215)
- ls (PID: 41210)
- ls (PID: 41220)
- ls (PID: 41230)
- ls (PID: 41225)
- ls (PID: 41190)
- ls (PID: 41240)
- ls (PID: 41260)
- ls (PID: 41255)
- ls (PID: 41270)
- ls (PID: 41265)
- ls (PID: 41245)
- ls (PID: 41235)
- ls (PID: 41250)
- ls (PID: 41290)
- ls (PID: 41300)
- ls (PID: 41295)
- ls (PID: 41310)
- ls (PID: 41305)
- ls (PID: 41275)
- ls (PID: 41280)
- ls (PID: 41285)
- ls (PID: 41335)
- ls (PID: 41320)
- ls (PID: 41340)
- ls (PID: 41345)
- ls (PID: 41350)
- ls (PID: 41315)
- ls (PID: 41325)
- ls (PID: 41330)
- ls (PID: 41355)
- ls (PID: 41370)
- ls (PID: 41375)
- ls (PID: 41385)
- ls (PID: 41390)
- ls (PID: 41380)
- ls (PID: 41395)
- ls (PID: 41360)
- ls (PID: 41365)
- ls (PID: 41435)
- ls (PID: 41410)
- ls (PID: 41430)
- ls (PID: 41425)
- ls (PID: 41440)
- ls (PID: 41400)
- ls (PID: 41405)
- ls (PID: 41415)
- ls (PID: 41420)
- ls (PID: 41445)
- ls (PID: 41465)
- ls (PID: 41455)
- ls (PID: 41460)
- ls (PID: 41470)
- ls (PID: 41480)
- ls (PID: 41475)
- ls (PID: 41450)
- ls (PID: 41485)
- ls (PID: 41505)
- ls (PID: 41510)
- ls (PID: 41530)
- ls (PID: 41490)
- ls (PID: 41500)
- ls (PID: 41495)
- ls (PID: 41515)
- ls (PID: 41545)
- ls (PID: 41540)
- ls (PID: 41550)
- ls (PID: 41555)
- ls (PID: 41520)
- ls (PID: 41525)
- ls (PID: 41535)
- ls (PID: 41590)
- ls (PID: 41580)
- ls (PID: 41585)
- ls (PID: 41595)
- ls (PID: 41600)
- ls (PID: 41560)
- ls (PID: 41565)
- ls (PID: 41575)
- ls (PID: 41570)
- ls (PID: 41615)
- ls (PID: 41620)
- ls (PID: 41630)
- ls (PID: 41640)
- ls (PID: 41605)
- ls (PID: 41610)
- ls (PID: 41625)
- ls (PID: 41635)
- ls (PID: 41655)
- ls (PID: 41675)
- ls (PID: 41665)
- ls (PID: 41670)
- ls (PID: 41680)
- ls (PID: 41645)
- ls (PID: 41650)
- ls (PID: 41660)
- ls (PID: 41715)
- ls (PID: 41700)
- ls (PID: 41705)
- ls (PID: 41720)
- ls (PID: 41685)
- ls (PID: 41690)
- ls (PID: 41695)
- ls (PID: 41710)
- ls (PID: 41735)
- ls (PID: 41740)
- ls (PID: 41745)
- ls (PID: 41750)
- ls (PID: 41760)
- ls (PID: 41730)
- ls (PID: 41725)
- ls (PID: 41780)
- ls (PID: 41790)
- ls (PID: 41795)
- ls (PID: 41800)
- ls (PID: 41755)
- ls (PID: 41770)
- ls (PID: 41775)
- ls (PID: 41765)
- ls (PID: 41785)
- ls (PID: 41815)
- ls (PID: 41850)
- ls (PID: 41835)
- ls (PID: 41830)
- ls (PID: 41845)
- ls (PID: 41855)
- ls (PID: 41810)
- ls (PID: 41805)
- ls (PID: 41820)
- ls (PID: 41825)
- ls (PID: 41840)
- ls (PID: 41875)
- ls (PID: 41865)
- ls (PID: 41860)
- ls (PID: 41870)
- ls (PID: 41890)
- ls (PID: 41880)
- ls (PID: 41885)
- ls (PID: 41900)
- ls (PID: 41915)
- ls (PID: 41905)
- ls (PID: 41895)
- ls (PID: 41920)
- ls (PID: 41910)
- ls (PID: 41935)
- ls (PID: 41945)
- ls (PID: 41960)
- ls (PID: 41955)
- ls (PID: 41965)
- ls (PID: 41975)
- ls (PID: 41980)
- ls (PID: 41940)
- ls (PID: 41925)
- ls (PID: 41930)
- ls (PID: 41950)
- ls (PID: 41990)
- ls (PID: 42000)
- ls (PID: 41985)
- ls (PID: 42010)
- ls (PID: 42005)
- ls (PID: 42015)
- ls (PID: 41970)
- ls (PID: 41995)
- ls (PID: 42035)
- ls (PID: 42045)
- ls (PID: 42040)
- ls (PID: 42055)
- ls (PID: 42050)
- ls (PID: 42025)
- ls (PID: 42030)
- ls (PID: 42020)
- ls (PID: 42080)
- ls (PID: 42075)
- ls (PID: 42070)
- ls (PID: 42085)
- ls (PID: 42093)
- ls (PID: 42065)
- ls (PID: 42060)
- ps (PID: 42141)
- ps (PID: 42146)
- ps (PID: 42151)
- ps (PID: 42158)
- ps (PID: 42163)
- ps (PID: 42126)
- ps (PID: 42131)
- ps (PID: 42136)
- ps (PID: 42279)
- dumpe2fs (PID: 42353)
- dumpe2fs (PID: 42361)
- ps (PID: 42226)
- ps (PID: 42274)
- ps (PID: 42318)
- crontab (PID: 42474)
- crontab (PID: 42473)
- crontab (PID: 42471)
- crontab (PID: 42479)
- crontab (PID: 42482)
- crontab (PID: 42483)
- crontab (PID: 42485)
- crontab (PID: 42480)
- crontab (PID: 42476)
- crontab (PID: 42477)
- crontab (PID: 42486)
- crontab (PID: 42492)
- crontab (PID: 42489)
- crontab (PID: 42488)
- crontab (PID: 42494)
- crontab (PID: 42498)
- crontab (PID: 42491)
- crontab (PID: 42501)
- crontab (PID: 42504)
- crontab (PID: 42506)
- crontab (PID: 42507)
- crontab (PID: 42497)
- crontab (PID: 42495)
- crontab (PID: 42503)
- crontab (PID: 42500)
- crontab (PID: 42509)
- crontab (PID: 42515)
- crontab (PID: 42524)
- crontab (PID: 42512)
- crontab (PID: 42521)
- crontab (PID: 42522)
- crontab (PID: 42519)
- crontab (PID: 42510)
- crontab (PID: 42513)
- crontab (PID: 42530)
- crontab (PID: 42534)
- crontab (PID: 42527)
- crontab (PID: 42516)
- crontab (PID: 42518)
- crontab (PID: 42528)
- crontab (PID: 42531)
- crontab (PID: 42540)
- crontab (PID: 42537)
- crontab (PID: 42543)
- crontab (PID: 42542)
- crontab (PID: 42533)
- crontab (PID: 42525)
- crontab (PID: 42536)
- crontab (PID: 42539)
- crontab (PID: 42549)
- crontab (PID: 42546)
- crontab (PID: 42548)
- crontab (PID: 42554)
- crontab (PID: 42555)
- crontab (PID: 42545)
- crontab (PID: 42551)
- crontab (PID: 42552)
- crontab (PID: 42564)
- crontab (PID: 42558)
- crontab (PID: 42563)
- crontab (PID: 42570)
- crontab (PID: 42560)
- crontab (PID: 42561)
- crontab (PID: 42557)
- crontab (PID: 42569)
- crontab (PID: 42576)
- crontab (PID: 42573)
- crontab (PID: 42566)
- crontab (PID: 42572)
- crontab (PID: 42584)
- crontab (PID: 42575)
- crontab (PID: 42567)
- crontab (PID: 42578)
- crontab (PID: 42581)
- crontab (PID: 42585)
- crontab (PID: 42590)
- crontab (PID: 42591)
- crontab (PID: 42587)
- crontab (PID: 42593)
- crontab (PID: 42582)
- crontab (PID: 42579)
- crontab (PID: 42594)
- crontab (PID: 42602)
- crontab (PID: 42597)
- crontab (PID: 42600)
- crontab (PID: 42599)
- crontab (PID: 42608)
- crontab (PID: 42609)
- crontab (PID: 42588)
- crontab (PID: 42596)
- crontab (PID: 42612)
- crontab (PID: 42605)
- crontab (PID: 42611)
- crontab (PID: 42617)
- crontab (PID: 42614)
- crontab (PID: 42618)
- crontab (PID: 42606)
- crontab (PID: 42603)
- crontab (PID: 42621)
- crontab (PID: 42623)
- crontab (PID: 42626)
- crontab (PID: 42629)
- crontab (PID: 42620)
- crontab (PID: 42615)
- crontab (PID: 42624)
- crontab (PID: 42635)
- crontab (PID: 42638)
- crontab (PID: 42641)
- crontab (PID: 42627)
- crontab (PID: 42632)
- crontab (PID: 42630)
- crontab (PID: 42633)
- crontab (PID: 42656)
- crontab (PID: 42651)
- crontab (PID: 42647)
- crontab (PID: 42653)
- crontab (PID: 42642)
- crontab (PID: 42662)
- crontab (PID: 42659)
- crontab (PID: 42648)
- crontab (PID: 42660)
- crontab (PID: 42668)
- crontab (PID: 42667)
- crontab (PID: 42650)
- crontab (PID: 42645)
- crontab (PID: 42657)
- crontab (PID: 42644)
- crontab (PID: 42654)
- wget (PID: 42682)
- crontab (PID: 42639)
- wget (PID: 42672)
- crontab (PID: 42636)
- crontab (PID: 42663)
- wget (PID: 42686)
Creates file in the temporary folder
- curl (PID: 42329)
- curl (PID: 42406)
- curl (PID: 42437)
- curl (PID: 42372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .sh | | | Linux/UNIX shell script (100) |
|---|
Total processes
2 159
Monitored processes
1 939
Malicious processes
3
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 40650 | /bin/sh -c "sudo chown user /tmp/ce\.sh && chmod +x /tmp/ce\.sh && DISPLAY=:0 sudo -iu user /tmp/ce\.sh " | /usr/bin/dash | — | any-guest-agent |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40651 | sudo chown user /tmp/ce.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40652 | chown user /tmp/ce.sh | /usr/bin/chown | — | sudo |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40653 | chmod +x /tmp/ce.sh | /usr/bin/chmod | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40654 | sudo -iu user /tmp/ce.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40655 | /bin/bash /tmp/ce.sh | /usr/bin/bash | — | sudo |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40656 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40657 | chattr -i /etc/ld.so.preload | /usr/bin/chattr | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
| 40658 | rm -f /etc/ld.so.preload | /usr/bin/rm | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 40659 | chattr -R -ia /var/spool/cron | /usr/bin/chattr | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
Executable files
0
Suspicious files
0
Text files
65
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 42473 | crontab | /var/spool/cron/crontabs/user | text | |
MD5:— | SHA256:— | |||
| 42476 | crontab | /var/spool/cron/crontabs/user | text | |
MD5:— | SHA256:— | |||
| 42479 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42482 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42485 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42488 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42491 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42494 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42497 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
| 42500 | crontab | /var/spool/cron/crontabs/user (deleted) | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
11
DNS requests
7
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 204 | 185.125.190.97:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
42329 | curl | GET | 200 | 78.153.140.66:80 | http://78.153.140.66/kinsing | unknown | — | — | unknown |
42372 | curl | GET | — | 78.153.140.66:80 | http://78.153.140.66/kinsing | unknown | — | — | unknown |
42406 | curl | GET | 200 | 78.153.140.66:80 | http://78.153.140.66/libsystem.so | unknown | — | — | unknown |
42437 | curl | GET | 200 | 78.153.140.66:80 | http://78.153.140.66/libsystem.so | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 185.125.190.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted |
484 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
42329 | curl | 78.153.140.66:80 | — | LLC Melt-internet | RU | unknown |
42372 | curl | 78.153.140.66:80 | — | LLC Melt-internet | RU | unknown |
42406 | curl | 78.153.140.66:80 | — | LLC Melt-internet | RU | unknown |
42437 | curl | 78.153.140.66:80 | — | LLC Melt-internet | RU | unknown |
42672 | wget | 80.64.16.241:80 | — | Joint Stock Company Tagnet | RU | unknown |
42682 | wget | 80.64.16.241:80 | — | Joint Stock Company Tagnet | RU | unknown |
42686 | wget | 80.64.16.241:80 | — | Joint Stock Company Tagnet | RU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
connectivity-check.ubuntu.com |
| whitelisted |
google.com |
| whitelisted |
10.100.168.192.in-addr.arpa |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
42329 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
42329 | curl | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
42372 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
42372 | curl | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
42406 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
42406 | curl | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
42437 | curl | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP |
42437 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |