File name:	sensi.sh
Full analysis:	https://app.any.run/tasks/5343c95f-d245-404b-beeb-405f1e7190cb
Verdict:	Malicious activity
Analysis date:	September 23, 2025, 09:34:35
OS:	Ubuntu 22.04.2
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable
MD5:	0F2A8EABC8D4B5E5642B02A73E10FA32
SHA1:	98EED384AF500F9073DB2556F6A5A5DBC31C6D67
SHA256:	50EE9F0474504560220D317DBE07A38B38A9E61535B945F2F3BC8BF9D64D3EE5
SSDEEP:	24:vWUoiUVViKWU1NRAUPtUTfcbUjbUDUWUFFn:vWUXUVAKWU1XAUVUkUvUDUWUHn

PID	Process	Filename		Type
1913	wget	/tmp/xd.x86		binary
		MD5:—	SHA256:—
1949	cat	/tmp/SSH		binary
		MD5:—	SHA256:—
1955	wget	/tmp/xd.mips		binary
		MD5:—	SHA256:—
1994	wget	/tmp/xd.mpsl		binary
		MD5:—	SHA256:—
2062	wget	/tmp/xd.arm5		binary
		MD5:—	SHA256:—
2096	wget	/tmp/xd.arm6		binary
		MD5:—	SHA256:—
2132	wget	/tmp/xd.arm7		binary
		MD5:—	SHA256:—
2175	wget	/tmp/xd.ppc		binary
		MD5:—	SHA256:—
2210	wget	/tmp/xd.m68k		binary
		MD5:—	SHA256:—
2242	wget	/tmp/xd.sh4		binary
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
1913	wget	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.x86	unknown	—	—	unknown
1916	curl	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.x86	unknown	—	—	unknown
1961	curl	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.mips	unknown	—	—	unknown
1955	wget	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.mips	unknown	—	—	unknown
1994	wget	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.mpsl	unknown	—	—	unknown
1998	curl	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.mpsl	unknown	—	—	unknown
2028	wget	GET	404	82.147.85.212:80	http://82.147.85.212/d/xd.arm4	unknown	—	—	unknown
2031	curl	GET	404	82.147.85.212:80	http://82.147.85.212/d/xd.arm4	unknown	—	—	unknown
2062	wget	GET	200	82.147.85.212:80	http://82.147.85.212/d/xd.arm5	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
477	avahi-daemon	224.0.0.251:5353	—	—	—	whitelisted
—	—	185.125.190.18:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	91.189.91.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.190.58:123	ntp.ubuntu.com	—	—	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
496	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
496	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::23 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4002:1::196 2001:67c:1562::24 2620:2d:4002:1::197 2620:2d:4000:1::98 2620:2d:4000:1::22 2620:2d:4002:1::198 2620:2d:4000:1::96 2001:67c:1562::23 2620:2d:4000:1::2a 91.189.91.48 91.189.91.98 185.125.190.49 185.125.190.97 185.125.190.48 185.125.190.17 91.189.91.97 91.189.91.96 185.125.190.96 185.125.190.98 91.189.91.49 185.125.190.18	whitelisted
google.com	216.58.206.78 2a00:1450:4001:81d::200e	whitelisted
ntp.ubuntu.com	185.125.190.58 185.125.190.57 185.125.190.56 91.189.91.157 2620:2d:4000:1::3f 2620:2d:4000:1::41 2620:2d:4000:1::40	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.54 185.125.188.58 185.125.188.57 2620:2d:4000:1010::2cc 2620:2d:4000:1010::117 2620:2d:4000:1010::2d6 2620:2d:4000:1010::42	whitelisted
8.100.168.192.in-addr.arpa	—	whitelisted
appstream.ubuntu.com	185.125.188.36	unknown

PID	Process	Class	Message
1913	wget	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
1913	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
1913	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
1913	wget	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
1913	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
1913	wget	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
1955	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
1955	wget	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address
1955	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
1955	wget	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address

General Info

sensi.sh

0F2A8EABC8D4B5E5642B02A73E10FA32

98EED384AF500F9073DB2556F6A5A5DBC31C6D67

50EE9F0474504560220D317DBE07A38B38A9E61535B945F2F3BC8BF9D64D3EE5

24:vWUoiUVViKWU1NRAUPtUTfcbUjbUDUWUFFn:vWUXUVAKWU1XAUVUkUvUDUWUHn

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Check the Environment Variables Related to System Identification (os-release)

Reads passwd file

Potential Corporate Privacy Violation

Connects to unusual port

Uses curl to download content

Uses wget to download content

INFO

Creates file in the temporary folder

Checks timezone

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings