Malware analysis kworker Malicious activity | ANY.RUN

Add for printing

File name:	kworker
Full analysis:	https://app.any.run/tasks/f0bdb5d6-1082-4fd1-b815-0f9bc3e34892
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	April 11, 2026, 17:30:34
OS:	Ubuntu 22.04.2
Tags:	auto coinminer miner kinsing backdoor mrbot botnet
Indicators:
MIME:	text/x-shellscript
File info:	POSIX shell script, ASCII text executable, with very long lines (3964)
MD5:	FEA52AB0CC2717301B0E197BBFEC894F
SHA1:	A5E71A9889FD8EE32175B064238AC1731E310A8F
SHA256:	92A71778310BF37CF81C8F42A250EA7B9ED17042B577D90F5D179F90AC1C056A
SSDEEP:	768:vxlT2wDuWvWi7uDcFHcbSRlIniRULz/Ql/+9V:wHDEcbSciI19V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Modifies or disables the system firewall
  - dash (PID: 1904)
- Removes log files
  - dash (PID: 1904)
- Apparmor service disabling
  - dash (PID: 1904)
- KINSING has been detected
  - rm (PID: 2609)
- COINMINER has been found (auto)
  - dash (PID: 1904)
- MRBOT has been detected
  - rm (PID: 2609)
- Appends a new rule to chain (Iptables)
  - dash (PID: 1904)
SUSPICIOUS
- System firewall impairment
  - dash (PID: 1904)
- Modifies file or directory owner
  - sudo (PID: 1900)
- Removes file immutable attribute
  - dash (PID: 1904)
- Reads passwd file
  - ps (PID: 1930)
  - ps (PID: 1932)
  - ps (PID: 1953)
  - ps (PID: 1958)
  - ps (PID: 1987)
  - ps (PID: 1995)
  - ps (PID: 1963)
  - ps (PID: 1971)
  - ps (PID: 1979)
  - ps (PID: 2020)
  - ps (PID: 2015)
  - ps (PID: 2025)
  - ps (PID: 2030)
  - ps (PID: 2040)
  - ps (PID: 2035)
  - ps (PID: 2000)
  - ps (PID: 2005)
  - ps (PID: 2010)
  - ps (PID: 2172)
  - ps (PID: 2152)
  - ps (PID: 2162)
  - ps (PID: 2167)
  - ps (PID: 2178)
  - ps (PID: 2147)
  - ps (PID: 2157)
  - ps (PID: 2193)
  - ps (PID: 2198)
  - ps (PID: 2203)
  - ps (PID: 2208)
  - ps (PID: 2223)
  - ps (PID: 2183)
  - ps (PID: 2188)
  - ps (PID: 2213)
  - ps (PID: 2218)
  - ps (PID: 2238)
  - ps (PID: 2243)
  - ps (PID: 2253)
  - ps (PID: 2258)
  - ps (PID: 2263)
  - ps (PID: 2228)
  - ps (PID: 2233)
  - ps (PID: 2248)
  - ps (PID: 2268)
  - ps (PID: 2273)
  - ps (PID: 2279)
  - ps (PID: 2286)
  - ps (PID: 2291)
  - ps (PID: 2296)
  - ps (PID: 2301)
  - ps (PID: 2306)
  - ps (PID: 2331)
  - ps (PID: 2346)
  - ps (PID: 2341)
  - ps (PID: 2311)
  - ps (PID: 2316)
  - ps (PID: 2321)
  - ps (PID: 2326)
  - ps (PID: 2336)
  - ps (PID: 2361)
  - ps (PID: 2366)
  - ps (PID: 2371)
  - ps (PID: 2376)
  - ps (PID: 2392)
  - ps (PID: 2387)
  - ps (PID: 2398)
  - ps (PID: 2351)
  - ps (PID: 2356)
  - ps (PID: 2382)
  - ps (PID: 2410)
  - ps (PID: 2435)
  - ps (PID: 2415)
  - ps (PID: 2420)
  - ps (PID: 2425)
  - ps (PID: 2430)
  - ps (PID: 2440)
  - ps (PID: 2445)
  - ps (PID: 2404)
  - ps (PID: 2456)
  - ps (PID: 2468)
  - ps (PID: 2480)
  - ps (PID: 2474)
  - ps (PID: 2486)
  - ps (PID: 2492)
  - ps (PID: 2450)
  - ps (PID: 2462)
  - ps (PID: 2509)
  - ps (PID: 2551)
  - ps (PID: 2545)
  - ps (PID: 2527)
  - ps (PID: 2539)
  - ps (PID: 2533)
  - ps (PID: 2498)
  - ps (PID: 2503)
  - ps (PID: 2515)
  - ps (PID: 2521)
  - ps (PID: 2557)
  - ps (PID: 2568)
  - ps (PID: 2573)
  - ps (PID: 2588)
  - ps (PID: 2583)
  - ps (PID: 2563)
  - ps (PID: 2578)
  - ls (PID: 2727)
  - ls (PID: 2729)
  - ls (PID: 2731)
  - ls (PID: 2733)
  - ls (PID: 2737)
  - ls (PID: 2735)
  - crontab (PID: 2718)
  - ls (PID: 2743)
  - ls (PID: 2739)
  - ls (PID: 2747)
  - ls (PID: 2745)
  - ls (PID: 2749)
  - ls (PID: 2751)
  - ls (PID: 2755)
  - ls (PID: 2741)
  - ls (PID: 2761)
  - ls (PID: 2765)
  - ls (PID: 2769)
  - ls (PID: 2767)
  - ls (PID: 2753)
  - ls (PID: 2757)
  - ls (PID: 2759)
  - ls (PID: 2763)
  - ls (PID: 2777)
  - ls (PID: 2783)
  - ls (PID: 2775)
  - ls (PID: 2781)
  - ls (PID: 2785)
  - ls (PID: 2771)
  - ls (PID: 2773)
  - ls (PID: 2779)
  - ls (PID: 2793)
  - ls (PID: 2799)
  - ls (PID: 2795)
  - ls (PID: 2801)
  - ls (PID: 2797)
  - ls (PID: 2789)
  - ls (PID: 2787)
  - ls (PID: 2791)
  - ls (PID: 2803)
  - ls (PID: 2809)
  - ls (PID: 2807)
  - ls (PID: 2811)
  - ls (PID: 2815)
  - ls (PID: 2813)
  - ls (PID: 2817)
  - ls (PID: 2821)
  - ls (PID: 2805)
  - ls (PID: 2823)
  - ls (PID: 2825)
  - ls (PID: 2827)
  - ls (PID: 2829)
  - ls (PID: 2831)
  - ls (PID: 2819)
  - ls (PID: 2839)
  - ls (PID: 2841)
  - ls (PID: 2847)
  - ls (PID: 2835)
  - ls (PID: 2837)
  - ls (PID: 2833)
  - ls (PID: 2843)
  - ls (PID: 2845)
  - ls (PID: 2853)
  - ls (PID: 2859)
  - ls (PID: 2865)
  - ls (PID: 2863)
  - ls (PID: 2851)
  - ls (PID: 2849)
  - ls (PID: 2857)
  - ls (PID: 2855)
  - ls (PID: 2867)
  - ls (PID: 2879)
  - ls (PID: 2877)
  - ls (PID: 2861)
  - ls (PID: 2869)
  - ls (PID: 2871)
  - ls (PID: 2873)
  - ls (PID: 2875)
  - ls (PID: 2885)
  - ls (PID: 2891)
  - ls (PID: 2889)
  - ls (PID: 2893)
  - ls (PID: 2881)
  - ls (PID: 2883)
  - ls (PID: 2887)
  - ls (PID: 2903)
  - ls (PID: 2905)
  - ls (PID: 2901)
  - ls (PID: 2913)
  - ls (PID: 2895)
  - ls (PID: 2899)
  - ls (PID: 2897)
  - ls (PID: 2907)
  - ls (PID: 2919)
  - ls (PID: 2921)
  - ls (PID: 2923)
  - ls (PID: 2925)
  - ls (PID: 2909)
  - ls (PID: 2915)
  - ls (PID: 2911)
  - ls (PID: 2917)
  - ls (PID: 2937)
  - ls (PID: 2933)
  - ls (PID: 2943)
  - ls (PID: 2935)
  - ls (PID: 2939)
  - ls (PID: 2927)
  - ls (PID: 2929)
  - ls (PID: 2931)
  - ls (PID: 2951)
  - ls (PID: 2945)
  - ls (PID: 2955)
  - ls (PID: 2953)
  - ls (PID: 2957)
  - ls (PID: 2941)
  - ls (PID: 2949)
  - ls (PID: 2947)
  - ls (PID: 2965)
  - ls (PID: 2963)
  - ls (PID: 2967)
  - ls (PID: 2977)
  - ls (PID: 2975)
  - ls (PID: 2961)
  - ls (PID: 2959)
  - ls (PID: 2969)
  - ls (PID: 2979)
  - ls (PID: 2981)
  - ls (PID: 2985)
  - ls (PID: 2989)
  - ls (PID: 2991)
  - ls (PID: 2987)
  - ls (PID: 2971)
  - ls (PID: 2973)
  - ls (PID: 2983)
  - ls (PID: 3005)
  - ls (PID: 3007)
  - ls (PID: 3001)
  - ls (PID: 3009)
  - ls (PID: 3003)
  - ls (PID: 2999)
  - ls (PID: 2997)
  - ls (PID: 2993)
  - ls (PID: 2995)
  - ls (PID: 3015)
  - ls (PID: 3011)
  - ls (PID: 3021)
  - ls (PID: 3017)
  - ls (PID: 3019)
  - ls (PID: 3013)
  - ls (PID: 3031)
  - ls (PID: 3027)
  - ls (PID: 3039)
  - ls (PID: 3033)
  - ls (PID: 3035)
  - ls (PID: 3037)
  - ls (PID: 3025)
  - ls (PID: 3023)
  - ls (PID: 3029)
  - ls (PID: 3059)
  - ls (PID: 3045)
  - ls (PID: 3047)
  - ls (PID: 3043)
  - ls (PID: 3051)
  - ls (PID: 3053)
  - ls (PID: 3057)
  - ls (PID: 3049)
  - ls (PID: 3041)
  - ls (PID: 3065)
  - ls (PID: 3067)
  - ls (PID: 3069)
  - ls (PID: 3063)
  - ls (PID: 3071)
  - ls (PID: 3055)
  - ls (PID: 3061)
  - ls (PID: 3077)
  - ls (PID: 3085)
  - ls (PID: 3079)
  - ls (PID: 3083)
  - ls (PID: 3075)
  - ls (PID: 3073)
  - ls (PID: 3081)
  - ls (PID: 3095)
  - ls (PID: 3097)
  - ls (PID: 3099)
  - ls (PID: 3089)
  - ls (PID: 3087)
  - ls (PID: 3091)
  - ls (PID: 3093)
  - ls (PID: 3101)
  - ls (PID: 3109)
  - ls (PID: 3113)
  - ls (PID: 3105)
  - ls (PID: 3103)
  - ls (PID: 3107)
  - ls (PID: 3111)
  - ls (PID: 3115)
  - ls (PID: 3129)
  - ls (PID: 3125)
  - ls (PID: 3133)
  - ls (PID: 3131)
  - ls (PID: 3137)
  - ls (PID: 3121)
  - ls (PID: 3119)
  - ls (PID: 3117)
  - ls (PID: 3123)
  - ls (PID: 3127)
  - ls (PID: 3139)
  - ls (PID: 3151)
  - ls (PID: 3149)
  - ls (PID: 3143)
  - ls (PID: 3145)
  - ls (PID: 3147)
  - ls (PID: 3135)
  - ls (PID: 3141)
  - ls (PID: 3167)
  - ls (PID: 3161)
  - ls (PID: 3159)
  - ls (PID: 3157)
  - ls (PID: 3163)
  - ls (PID: 3153)
  - ls (PID: 3155)
  - ls (PID: 3211)
  - curl (PID: 3215)
  - curl (PID: 3216)
  - curl (PID: 3218)
  - curl (PID: 3217)
  - crontab (PID: 3203)
  - crontab (PID: 3202)
  - ps (PID: 3219)
  - curl (PID: 3250)
- Executes the "rm" command to delete files or directories
  - dash (PID: 1904)
  - xargs (PID: 1976)
  - xargs (PID: 1992)
  - xargs (PID: 1984)
  - xargs (PID: 1968)
- File locking via ext attributes
  - dash (PID: 1904)
- Creates or rewrites file in the "bin" folder
  - dash (PID: 1904)
  - cp (PID: 3252)
  - cp (PID: 3257)
- Gets information about currently running processes
  - dash (PID: 1904)
- Modifies Cron jobs
  - sudo (PID: 1903)
  - dash (PID: 1904)
- Modify startup scripts of the system services
  - dash (PID: 1904)
- Uses curl to download content
  - dash (PID: 1904)
- SSH authorized_keys modification
  - dash (PID: 1904)
- Checks DMI information (probably VM detection)
  - javae (PID: 3224)
- Create hidden file
  - dash (PID: 1904)
INFO
- Checks timezone
  - python3.10 (PID: 1910)
  - ps (PID: 1930)
  - ps (PID: 1932)
  - ps (PID: 1953)
  - ps (PID: 1958)
  - ps (PID: 1971)
  - ps (PID: 1979)
  - ps (PID: 1987)
  - ps (PID: 1995)
  - ps (PID: 2000)
  - ps (PID: 1963)
  - ps (PID: 2020)
  - ps (PID: 2030)
  - ps (PID: 2025)
  - ps (PID: 2035)
  - ps (PID: 2040)
  - ps (PID: 2005)
  - ps (PID: 2010)
  - ps (PID: 2015)
  - ps (PID: 2152)
  - ps (PID: 2162)
  - ps (PID: 2167)
  - ps (PID: 2172)
  - ps (PID: 2178)
  - ps (PID: 2147)
  - ps (PID: 2157)
  - ps (PID: 2193)
  - ps (PID: 2198)
  - ps (PID: 2203)
  - ps (PID: 2208)
  - ps (PID: 2213)
  - ps (PID: 2223)
  - ps (PID: 2218)
  - ps (PID: 2183)
  - ps (PID: 2188)
  - ps (PID: 2233)
  - ps (PID: 2243)
  - ps (PID: 2248)
  - ps (PID: 2253)
  - ps (PID: 2258)
  - ps (PID: 2263)
  - ps (PID: 2228)
  - ps (PID: 2238)
  - ps (PID: 2268)
  - ps (PID: 2273)
  - ps (PID: 2286)
  - ps (PID: 2279)
  - ps (PID: 2291)
  - ps (PID: 2296)
  - ps (PID: 2301)
  - ps (PID: 2306)
  - ps (PID: 2311)
  - ps (PID: 2331)
  - ps (PID: 2336)
  - ps (PID: 2341)
  - ps (PID: 2346)
  - ps (PID: 2316)
  - ps (PID: 2321)
  - ps (PID: 2326)
  - ps (PID: 2351)
  - ps (PID: 2371)
  - ps (PID: 2376)
  - ps (PID: 2382)
  - ps (PID: 2387)
  - ps (PID: 2392)
  - ps (PID: 2398)
  - ps (PID: 2404)
  - ps (PID: 2356)
  - ps (PID: 2361)
  - ps (PID: 2366)
  - ps (PID: 2415)
  - ps (PID: 2410)
  - ps (PID: 2425)
  - ps (PID: 2430)
  - ps (PID: 2435)
  - ps (PID: 2440)
  - ps (PID: 2445)
  - ps (PID: 2420)
  - ps (PID: 2462)
  - ps (PID: 2474)
  - ps (PID: 2468)
  - ps (PID: 2480)
  - ps (PID: 2492)
  - ps (PID: 2486)
  - ps (PID: 2456)
  - ps (PID: 2450)
  - ps (PID: 2527)
  - ps (PID: 2515)
  - ps (PID: 2521)
  - ps (PID: 2533)
  - ps (PID: 2539)
  - ps (PID: 2545)
  - ps (PID: 2551)
  - ps (PID: 2498)
  - ps (PID: 2503)
  - ps (PID: 2509)
  - ps (PID: 2568)
  - ps (PID: 2563)
  - ps (PID: 2573)
  - ps (PID: 2578)
  - ps (PID: 2583)
  - ps (PID: 2588)
  - ps (PID: 2557)
  - ls (PID: 2727)
  - ls (PID: 2729)
  - ls (PID: 2731)
  - ls (PID: 2737)
  - ls (PID: 2733)
  - ls (PID: 2735)
  - ls (PID: 2743)
  - ls (PID: 2745)
  - ls (PID: 2749)
  - ls (PID: 2747)
  - ls (PID: 2751)
  - ls (PID: 2757)
  - ls (PID: 2739)
  - ls (PID: 2741)
  - ls (PID: 2759)
  - ls (PID: 2769)
  - ls (PID: 2765)
  - ls (PID: 2763)
  - ls (PID: 2767)
  - ls (PID: 2753)
  - ls (PID: 2755)
  - ls (PID: 2761)
  - ls (PID: 2781)
  - ls (PID: 2785)
  - ls (PID: 2779)
  - ls (PID: 2771)
  - ls (PID: 2773)
  - ls (PID: 2777)
  - ls (PID: 2775)
  - ls (PID: 2793)
  - ls (PID: 2801)
  - ls (PID: 2797)
  - ls (PID: 2783)
  - ls (PID: 2789)
  - ls (PID: 2787)
  - ls (PID: 2791)
  - ls (PID: 2807)
  - ls (PID: 2813)
  - ls (PID: 2815)
  - ls (PID: 2811)
  - ls (PID: 2819)
  - ls (PID: 2795)
  - ls (PID: 2799)
  - ls (PID: 2803)
  - ls (PID: 2805)
  - ls (PID: 2809)
  - ls (PID: 2821)
  - ls (PID: 2817)
  - ls (PID: 2823)
  - ls (PID: 2825)
  - ls (PID: 2827)
  - ls (PID: 2829)
  - ls (PID: 2831)
  - ls (PID: 2833)
  - ls (PID: 2837)
  - ls (PID: 2835)
  - ls (PID: 2847)
  - ls (PID: 2841)
  - ls (PID: 2849)
  - ls (PID: 2845)
  - ls (PID: 2851)
  - ls (PID: 2843)
  - ls (PID: 2839)
  - ls (PID: 2855)
  - ls (PID: 2857)
  - ls (PID: 2861)
  - ls (PID: 2865)
  - ls (PID: 2863)
  - ls (PID: 2853)
  - ls (PID: 2859)
  - ls (PID: 2867)
  - ls (PID: 2877)
  - ls (PID: 2871)
  - ls (PID: 2881)
  - ls (PID: 2873)
  - ls (PID: 2869)
  - ls (PID: 2875)
  - ls (PID: 2887)
  - ls (PID: 2889)
  - ls (PID: 2893)
  - ls (PID: 2897)
  - ls (PID: 2879)
  - ls (PID: 2883)
  - ls (PID: 2885)
  - ls (PID: 2891)
  - ls (PID: 2903)
  - ls (PID: 2907)
  - ls (PID: 2905)
  - ls (PID: 2911)
  - ls (PID: 2901)
  - ls (PID: 2909)
  - ls (PID: 2899)
  - ls (PID: 2895)
  - ls (PID: 2917)
  - ls (PID: 2919)
  - ls (PID: 2921)
  - ls (PID: 2925)
  - ls (PID: 2923)
  - ls (PID: 2915)
  - ls (PID: 2913)
  - ls (PID: 2933)
  - ls (PID: 2939)
  - ls (PID: 2927)
  - ls (PID: 2929)
  - ls (PID: 2931)
  - ls (PID: 2937)
  - ls (PID: 2935)
  - ls (PID: 2945)
  - ls (PID: 2951)
  - ls (PID: 2953)
  - ls (PID: 2943)
  - ls (PID: 2941)
  - ls (PID: 2949)
  - ls (PID: 2947)
  - ls (PID: 2955)
  - ls (PID: 2963)
  - ls (PID: 2967)
  - ls (PID: 2969)
  - ls (PID: 2965)
  - ls (PID: 2971)
  - ls (PID: 2977)
  - ls (PID: 2959)
  - ls (PID: 2961)
  - ls (PID: 2957)
  - ls (PID: 2973)
  - ls (PID: 2975)
  - ls (PID: 2979)
  - ls (PID: 2989)
  - ls (PID: 2985)
  - ls (PID: 2981)
  - ls (PID: 2983)
  - ls (PID: 2991)
  - ls (PID: 2987)
  - ls (PID: 2997)
  - ls (PID: 2999)
  - ls (PID: 3005)
  - ls (PID: 3003)
  - ls (PID: 2993)
  - ls (PID: 2995)
  - ls (PID: 3015)
  - ls (PID: 3019)
  - ls (PID: 3017)
  - ls (PID: 3021)
  - ls (PID: 3025)
  - ls (PID: 3007)
  - ls (PID: 3009)
  - ls (PID: 3001)
  - ls (PID: 3013)
  - ls (PID: 3011)
  - ls (PID: 3031)
  - ls (PID: 3029)
  - ls (PID: 3023)
  - ls (PID: 3033)
  - ls (PID: 3035)
  - ls (PID: 3027)
  - ls (PID: 3037)
  - ls (PID: 3047)
  - ls (PID: 3055)
  - ls (PID: 3039)
  - ls (PID: 3045)
  - ls (PID: 3041)
  - ls (PID: 3043)
  - ls (PID: 3049)
  - ls (PID: 3069)
  - ls (PID: 3065)
  - ls (PID: 3063)
  - ls (PID: 3059)
  - ls (PID: 3051)
  - ls (PID: 3053)
  - ls (PID: 3057)
  - ls (PID: 3067)
  - ls (PID: 3061)
  - ls (PID: 3071)
  - ls (PID: 3077)
  - ls (PID: 3081)
  - ls (PID: 3083)
  - ls (PID: 3079)
  - ls (PID: 3073)
  - ls (PID: 3075)
  - ls (PID: 3085)
  - ls (PID: 3091)
  - ls (PID: 3097)
  - ls (PID: 3101)
  - ls (PID: 3095)
  - ls (PID: 3087)
  - ls (PID: 3089)
  - ls (PID: 3099)
  - ls (PID: 3115)
  - ls (PID: 3107)
  - ls (PID: 3111)
  - ls (PID: 3113)
  - ls (PID: 3093)
  - ls (PID: 3105)
  - ls (PID: 3103)
  - ls (PID: 3109)
  - ls (PID: 3137)
  - ls (PID: 3125)
  - ls (PID: 3129)
  - ls (PID: 3123)
  - ls (PID: 3131)
  - ls (PID: 3133)
  - ls (PID: 3119)
  - ls (PID: 3121)
  - ls (PID: 3117)
  - ls (PID: 3127)
  - ls (PID: 3135)
  - ls (PID: 3143)
  - ls (PID: 3139)
  - ls (PID: 3145)
  - ls (PID: 3147)
  - ls (PID: 3149)
  - ls (PID: 3141)
  - ls (PID: 3163)
  - ls (PID: 3161)
  - ls (PID: 3151)
  - ls (PID: 3155)
  - ls (PID: 3153)
  - ls (PID: 3159)
  - ls (PID: 3157)
  - ls (PID: 3167)
  - ps (PID: 3219)
  - crontab (PID: 3203)
  - crontab (PID: 3202)
  - ls (PID: 3211)
- Creates file in the temporary folder
  - dash (PID: 1904)
  - curl (PID: 3216)
  - curl (PID: 3218)
- Get executable path from process ID
  - dash (PID: 2724)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.sh	\|	Linux/UNIX shell script (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

1 483

Monitored processes

1 362

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1899

/bin/sh -c "sudo chown user /tmp/kworker\.sh && chmod +x /tmp/kworker\.sh && DISPLAY=:0 sudo -iu user /tmp/kworker\.sh "

/usr/bin/dash

—

ClU101gqD6apx7CA

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

1900

sudo chown user /tmp/kworker.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

1901

chown user /tmp/kworker.sh

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

1902

chmod +x /tmp/kworker.sh

/usr/bin/chmod

—

dash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

1903

sudo -iu user /tmp/kworker.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

1904

/bin/sh /tmp/kworker.sh

/usr/bin/dash

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

1905

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

dash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

1906

chmod 777 /usr/bin/chattr /bin/chattr

/usr/bin/chmod

—

dash

User:

user

Integrity Level:

UNKNOWN

Exit code:

256

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

1907

chattr -iua /tmp/ /var/tmp/

/usr/bin/chattr

—

dash

User:

user

Integrity Level:

UNKNOWN

Exit code:

256

Modules

Images
/usr/lib/x86_64-linux-gnu/libe2p.so.2.3
/usr/lib/x86_64-linux-gnu/libcom_err.so.2.1
/usr/lib/x86_64-linux-gnu/libc.so.6

1908

iptables -F

/usr/sbin/xtables-nft-multi

—

dash

User:

user

Integrity Level:

UNKNOWN

Exit code:

1024

Modules

Images
/usr/lib/x86_64-linux-gnu/libmnl.so.0.2.0
/usr/lib/x86_64-linux-gnu/libnftnl.so.11.6.0
/usr/lib/x86_64-linux-gnu/libxtables.so.12.4.0
/usr/lib/x86_64-linux-gnu/libc.so.6

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1904	dash	/tmp/kdevtmpfsi		text
		MD5:—	SHA256:—
3202	crontab	/var/spool/cron/crontabs/user		text
		MD5:—	SHA256:—
1904	dash	/home/user/.ssh/authorized_keys		text
		MD5:—	SHA256:—
1904	dash	/tmp/javae (deleted)		text
		MD5:—	SHA256:—
1904	dash	/tmp/javae		binary
		MD5:—	SHA256:—
1904	dash	/tmp/kworker		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.101:80	http://connectivity-check.ubuntu.com/	GB	—	—	whitelisted
3215	curl	HEAD	200	34.70.205.211:80	http://34.70.205.211/plugins-dist/safehtml/lang/font/javae	US	—	—	unknown
3216	curl	GET	—	34.70.205.211:80	http://34.70.205.211/plugins-dist/safehtml/lang/font/javae	US	—	—	unknown
3217	curl	HEAD	200	34.70.205.211:80	http://34.70.205.211/plugins-dist/safehtml/lang/font/kworker	US	—	—	unknown
3218	curl	GET	200	34.70.205.211:80	http://34.70.205.211/plugins-dist/safehtml/lang/font/kworker	US	text	35.4 Kb	unknown
3250	curl	GET	200	34.70.205.211:80	http://34.70.205.211/plugins-dist/safehtml/lang/font/cb.txt	US	text	4.32 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
459	avahi-daemon	224.0.0.251:5353	—	—	—	whitelisted
1	systemd	37.19.194.81:443	odrs.gnome.org	CDN77 _	GB	whitelisted
—	—	185.125.190.101:80	connectivity-check.ubuntu.com	CANONICAL-AS	GB	whitelisted
—	—	195.181.170.18:443	odrs.gnome.org	CDN77 _	GB	whitelisted
—	—	185.125.188.57:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
1391	snap-store	195.181.175.40:443	odrs.gnome.org	CDN77 _	GB	whitelisted
485	snapd	185.125.188.57:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
3215	curl	34.70.205.211:80	—	GOOGLE-CLOUD-PLATFORM	US	unknown
3216	curl	34.70.205.211:80	—	GOOGLE-CLOUD-PLATFORM	US	unknown
3217	curl	34.70.205.211:80	—	GOOGLE-CLOUD-PLATFORM	US	unknown

DNS requests

Domain	IP	Reputation
odrs.gnome.org	37.19.194.81 195.181.175.40 212.102.56.178 79.127.216.204 195.181.170.18 79.127.211.90 2a02:6ea0:c700::19 2a02:6ea0:c77a::47 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::21 2a02:6ea0:c77a::48	whitelisted
google.com	142.251.110.113 142.251.110.102 142.251.110.139 142.251.110.138 142.251.110.101 142.251.110.100 2a00:1450:4001:c1f::66 2a00:1450:4001:c1f::71 2a00:1450:4001:c1f::8a 2a00:1450:4001:c1f::64	whitelisted
connectivity-check.ubuntu.com	185.125.190.101 185.125.190.100 91.189.91.98 91.189.91.97 91.189.91.96 185.125.190.99 2620:2d:4002:1::197 2620:2d:4002:1::198 2620:2d:4002:1::196 2620:2d:4000:1::1101 2620:2d:4000:1::1099 2620:2d:4000:1::1100	whitelisted
api.snapcraft.io	185.125.188.57 185.125.188.54 185.125.188.58 185.125.188.59 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::3da 2620:2d:4000:1010::2cc	whitelisted
11.100.168.192.in-addr.arpa	—	whitelisted

Threats

PID	Process	Class	Message
3215	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
3216	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
3216	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
3217	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
3218	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
3250	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad

Add for printing

No debug info

General Info

kworker

FEA52AB0CC2717301B0E197BBFEC894F

A5E71A9889FD8EE32175B064238AC1731E310A8F

92A71778310BF37CF81C8F42A250EA7B9ED17042B577D90F5D179F90AC1C056A

768:vxlT2wDuWvWi7uDcFHcbSRlIniRULz/Ql/+9V:wHDEcbSciI19V

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Modifies or disables the system firewall

Removes log files

Apparmor service disabling

KINSING has been detected

COINMINER has been found (auto)

MRBOT has been detected

Appends a new rule to chain (Iptables)

SUSPICIOUS

System firewall impairment

Modifies file or directory owner

Removes file immutable attribute

Reads passwd file

Executes the "rm" command to delete files or directories

File locking via ext attributes

Creates or rewrites file in the "bin" folder

Gets information about currently running processes

Modifies Cron jobs

Modify startup scripts of the system services

Uses curl to download content

SSH authorized_keys modification

Checks DMI information (probably VM detection)

Create hidden file

INFO

Checks timezone

Creates file in the temporary folder

Get executable path from process ID

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings