URL:

https://github.com/fabrimagic72/malware-samples/tree/master/Bitcoin%20miners

Full analysis: https://app.any.run/tasks/a7c55901-4bc0-4756-a639-b4e49cbdb5dd
Verdict: Malicious activity
Analysis date: January 26, 2024, 00:53:43
OS: Ubuntu 22.04.2
MD5:

5B6DB6B78E2EFA2F22A932CD784F1F05

SHA1:

529883D8D84492D0257A9F825FAD606BF783974E

SHA256:

829256E362396E8041523D3C92E1143A30B2B010A3B2622BE4929CD01684A1F3

SSDEEP:

3:N8tEdzmjX0AKI+jGKIzW:2ucjX0AKI+jGKI6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads passwd file

      • chrome (PID: 6839)
      • nautilus (PID: 7062)
      • bash (PID: 7189)

    • Check the Environment Variables Related to System Identification (os-release)

      • chrome (PID: 6839)

    • Creates files in the user directory

      • chrome (PID: 6839)
      • file-roller (PID: 7153)

    • Checks timezone

      • nautilus (PID: 7062)
      • chrome (PID: 6839)
      • 7z (PID: 7167)
      • file-roller (PID: 7153)

    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 7169)
      • sudo (PID: 7204)

    • Changes file or directory permissions

      • bash (PID: 7189)

    • Reads information about logins, logouts, and login attempts

      • bash (PID: 7189)

  • INFO

    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 7206)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
306
Monitored processes
85
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chrome no specs locale-check no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome_crashpad_handler no specs chrome no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs chrome no specs chrome no specs xdg-settings no specs dbus-send no specs which no specs dash no specs basename no specs dash no specs which no specs grep no specs cut no specs dash no specs readlink no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs dash no specs grep no specs cut no specs dash no specs chrome no specs which no specs readlink no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome no specs chrome no specs chrome no specs nautilus no specs ibus-engine-simple no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs nautilus no specs file-roller no specs 7z no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dircolors no specs dirname no specs ls no specs chmod no specs sudo no specs sudo no specs sh no specs modprobe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6837/bin/sh -c "DISPLAY=:0 sudo -iu user google-chrome \"https://github\.com/fabrimagic72/malware-samples/tree/master/Bitcoin%20miners\" " /bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6838sudo -iu user google-chrome https://github.com/fabrimagic72/malware-samples/tree/master/Bitcoin%20miners /usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
6839/usr/bin/google-chrome https://github.com/fabrimagic72/malware-samples/tree/master/Bitcoin%20miners /opt/google/chrome/chromesudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6840/usr/bin/locale-check C.UTF-8 /usr/bin/locale-checkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6841readlink -f /usr/bin/google-chrome /usr/bin/readlinkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6842dirname /opt/google/chrome/google-chrome /usr/bin/dirnamechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6843mkdir -p /home/user/.local/share/applications /usr/bin/mkdirchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6844cat /usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6845cat /usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
6846"/opt/google/chrome/chrome https://github\.com/fabrimagic72/malware-samples/tree/master/Bitcoin%20mine"/opt/google/chrome/chromechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6839chrome/6839/fd/63
MD5:
SHA256:
6839chrome/home/user/.config/google-chrome/BrowserMetrics/BrowserMetrics-65B302A1-1AB7.pma
MD5:
SHA256:
6839chrome/.com.google.Chrome.UCyUL1
MD5:
SHA256:
6839chrome/.com.google.Chrome.63oL2X
MD5:
SHA256:
6839chrome/.com.google.Chrome.JVgIZL
MD5:
SHA256:
6839chrome/home/user/.config/google-chrome/Default/Site Characteristics Database/LOG
MD5:
SHA256:
6839chrome/home/user/.config/google-chrome/Default/commerce_subscription_db/LOG
MD5:
SHA256:
6839chrome/.com.google.Chrome.WRzasX
MD5:
SHA256:
6839chrome/.com.google.Chrome.sOAuhi
MD5:
SHA256:
6839chrome/home/user/.config/google-chrome/Default/Session Storage/LOG
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
71
DNS requests
67
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/bxsxfoovuyw4eyyjoshgwgad5u_2024.1.24.0/niikhdgajlphfehepabhhblakbdgeefj_2024.01.24.00_all_acssagqjupmbpecp3w63slfvx7qa.crx3
unknown
binary
5.48 Kb
unknown
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/jflhchccmppkfebkiaminageehmchikm/1.0ab4082a6c03f6150b423a6773f3f740e8098369aa616a68c04c2f0fecc94d2c/1.8a794d870fcd9f730f9ab279e2c72be078de8cf10243f7092181a7a412af6c7a/1bd4975a0b373f929ef3d512c571f7b45fc571a3ae480ddc24f355cb97db6900.puff
unknown
binary
8.55 Kb
unknown
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/hfnkpimlhhgieaddgfemjhofmfblmnib/1.d9a6a83725530083e464be150a6ba6d9ee1ba65e3317f7d4b338ad70c8c56780/1.70f09e0a653ea31af7453dc2a5ca85655e727beb924726f38d1703dba8e26eb5/3ce0f16bbbe9cc92dff251fd7c0ea0586b750d88834bfc7edcdc123d1b81a318.puff
unknown
binary
2.24 Kb
unknown
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/efniojlnjndmcbiieegkicadnoecjjef/1.c704c4804edba71e46592283238d0edf83ce69f38d63f3b0fa47bdc76084a63c/1.6fcc02a365d39485c49c9da8679a9fd979832315b2d47ff7f0ab395b10e303bd/45684b588524e44a98e130f8b5f5289ae6bb89ea165f6968d1dba18bfb3cce8a.puff
unknown
binary
2.89 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.251:5353
unknown
142.250.181.227:443
clientservices.googleapis.com
GOOGLE
US
unknown
74.125.133.84:443
accounts.google.com
unknown
239.255.255.250:1900
unknown
140.82.121.4:443
github.com
GITHUB
US
unknown
185.199.108.154:443
github.githubassets.com
FASTLY
US
unknown
142.250.181.234:443
safebrowsing.googleapis.com
GOOGLE
US
unknown
185.199.109.133:443
avatars.githubusercontent.com
FASTLY
US
unknown
140.82.112.22:443
collector.github.com
GITHUB
US
unknown
140.82.121.5:443
api.github.com
GITHUB
US
unknown

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 142.250.181.227
whitelisted
accounts.google.com
  • 74.125.133.84
shared
github.com
  • 140.82.121.4
shared
github.githubassets.com
  • 185.199.108.154
  • 185.199.109.154
  • 185.199.110.154
  • 185.199.111.154
whitelisted
safebrowsing.googleapis.com
  • 142.250.181.234
whitelisted
avatars.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
whitelisted
user-images.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
github-cloud.s3.amazonaws.com
  • 16.182.105.233
  • 52.217.204.233
  • 52.216.221.209
  • 52.216.61.9
  • 3.5.25.216
  • 52.217.202.81
  • 3.5.25.214
  • 52.216.206.75
shared
s3-w.us-east-1.amazonaws.com
unknown
content-autofill.googleapis.com
  • 142.250.181.234
  • 142.250.184.202
  • 142.250.184.234
  • 142.250.186.138
  • 142.250.186.170
  • 142.250.186.42
  • 172.217.18.10
  • 172.217.16.202
  • 216.58.206.42
  • 142.250.74.202
  • 172.217.18.106
  • 172.217.23.106
  • 216.58.212.138
  • 142.250.185.74
  • 142.250.185.106
  • 142.250.185.138
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/fabrimagic72/malware-samples/tree/master/Bitcoin%20miners