URL:

http://89.185.85.102/c

Full analysis: https://app.any.run/tasks/f4c7328d-1f67-4370-81c8-cafeebd8b00e
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: August 18, 2024, 07:10:36
OS: Ubuntu 22.04.2
Tags:
miner
Indicators:
MD5:

1E609FB0BFF80E2F5AF51D46BE21F0BD

SHA1:

3A9C2D8E19C8ABE191CF2055466E17A8619C277C

SHA256:

986746DF72A4264573BDE2A13545419BA3C13325AB89198A2610E4A8D7E8CF87

SSDEEP:

3:N1K/ETgb:CsTI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads /proc/mounts (likely used to find writable filesystems)

      • curl (PID: 13398)
      • check-new-release-gtk (PID: 13476)
      • curl (PID: 13490)

    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 13256)
      • su (PID: 13467)
      • update-notifier (PID: 13474)
      • cc16bf8d-830d-46cf-9527-bcbe65f7d573 (PID: 13518)

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 13210)

    • Executes the "rm" command to delete files or directories

      • c (PID: 13397)

    • Potential Corporate Privacy Violation

      • curl (PID: 13398)
      • wget (PID: 13515)
      • curl (PID: 13490)

    • Connects to the server without a host name

      • curl (PID: 13398)
      • wget (PID: 13515)

    • Uses wget to download content

      • c (PID: 13489)

    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 13539)
      • modprobe (PID: 13538)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
405
Monitored processes
191
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
sh no specs sudo no specs chrome locale-check no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs dash no specs awk no specs cut no specs dash no specs basename no specs dash no specs which no specs readlink no specs grep no specs cut no specs dash no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs awk no specs cut no specs dash no specs basename no specs dash no specs grep no specs cut no specs dash no specs which no specs readlink no specs chrome no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs systemd no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs chrome no specs chrome no specs tracker-extract-3 no specs chrome no specs chrome no specs chrome no specs chrome no specs dbus-daemon no specs nautilus no specs systemd-hostnamed no specs dbus-daemon no specs gedit no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dirname no specs dircolors no specs bash no specs bash no specs command-not-found no specs snap no specs bash no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs sudo no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chmod no specs c no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs sleep no specs rm no specs touch no specs find no specs bash no specs bash no specs grep no specs awk no specs find no specs uniq no specs bash no specs grep no specs awk no specs bash no specs bash no specs grep no specs grep no specs grep no specs uniq no specs bash no specs find no specs xargs no specs awk no specs uniq no specs find no specs find no specs bash no specs bash no specs tr no specs sort no specs bash no specs bash no specs grep no specs sort no specs bash no specs bash no specs sort no specs sudo no specs sudo no specs su no specs bash no specs lesspipe no specs dircolors no specs basename no specs dash no specs dirname no specs update-notifier no specs sh no specs check-new-release-gtk dpkg no specs dpkg no specs lsb_release no specs lsb_release no specs lsb_release no specs lsb_release no specs c no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs wget chmod no specs kekenukaxusn no specs cc16bf8d-830d-46cf-9527-bcbe65f7d573 no specs sleep no specs ps no specs iptables no specs pkill no specs ufw no specs iptables no specs iptables no specs pkill no specs pkill no specs bash no specs modprobe no specs modprobe no specs u8:4 no specs cc16bf8d-830d-46cf-9527-bcbe65f7d573 no specs

Process information

PID
CMD
Path
Indicators
Parent process
12943/bin/sh -c "DISPLAY=:0 sudo -iu user google-chrome http://89\.185\.85\.102/c "/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
12944sudo -iu user google-chrome http://89.185.85.102/c/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
12945/usr/bin/google-chrome http://89.185.85.102/c/opt/google/chrome/chrome
sudo
User:
user
Integrity Level:
UNKNOWN
12946/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12947readlink -f /usr/bin/google-chrome/usr/bin/readlinkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12948dirname /opt/google/chrome/google-chrome/usr/bin/dirnamechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12949mkdir -p /home/user/.local/share/applications/usr/bin/mkdirchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12950cat/usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
12951cat/usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
12952/opt/google/chrome/chromechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
8
Suspicious files
309
Text files
34
Unknown types
16

Dropped files

PID
Process
Filename
Type
12945chrome/home/user/.config/google-chrome/ShaderCache/data_3binary
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/ShaderCache/data_2binary
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/ShaderCache/data_0vxd
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/Default/GPUCache/data_3vxd
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/Default/GPUCache/data_2vxd
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/Default/GPUCache/data_0vxd
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/Default/DawnCache/data_3vxd
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/Default/DawnCache/data_2vxd
MD5:
SHA256:
12945chrome/home/user/.config/google-chrome/Default/DawnCache/data_0vxd
MD5:
SHA256:
13090chrome/home/user/.cache/mesa_shader_cache/indexkoa
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
56
DNS requests
57
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.49:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
200
89.185.85.102:80
http://89.185.85.102/c
unknown
unknown
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adb2wn5ymce66ygdjpzyyd4fcera_2024.8.16.0/niikhdgajlphfehepabhhblakbdgeefj_2024.08.16.00_all_ad65cfxgemitgzfdzieuocon7doq.crx3
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acjorihahlyu72rloqnbu7332qhq_461/lmelglejhemejginpboagddgdfbepgmp_461_all_ZZ_mav3a7b644cj7o7ytbibd6ujoq.crx3
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ewuqtoppbwjug6mhh4kpwg6m_9042/hfnkpimlhhgieaddgfemjhofmfblmnib_9042_all_adhodr6xypjex5ylifkvxxymuk6q.crx3
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acptyb4l2whiaqodbedm2lwht7ua_1049/efniojlnjndmcbiieegkicadnoecjjef_1049_all_acdw2kbreyakuvofupntzp4oh67a.crx3
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgyNjAtN2FlY2ZjMDg0NmNj/1.0.0.17_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/advisaov4e5ygwpflotgccocvtpq_2024.8.18.1/kiabhabjdbkjdpjbpigfodbdjmbglcoo_2024.08.18.01_all_acwufrt74pi46kzorf2ppo2jx55q.crx3
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/jflookgnkcckhobaglndicnbbgbonegd/1.1994e34393325afdff0c90ac370065028be66ba9f7c8991b0cf425a0ae494611/1.888ebbd183d017421d0f23a0a1ea9eaedffefd772878d86c67536c138ef62ada/2cd022aaefa46340fa30bfa48c6cdb4f6d5d0b3e8bd5e5d4c990531b9964bf32
unknown
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acsejfcfwtbvn4o6ncuewszxhiia_20240801.659754589.14/obedbbhbpmojnkanicioggnmelmoomoc_20240801.659754589.14_all_ENGB500000_isz7gempvnknr4yzr3be7rsw6y.crx3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.97:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
12945
chrome
224.0.0.251:5353
unknown
185.125.190.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
169.150.255.184:443
odrs.gnome.org
GB
unknown
91.189.91.49:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown
485
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
485
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
12945
chrome
239.255.255.250:1900
whitelisted
172.217.18.99:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
142.250.110.84:443
accounts.google.com
GOOGLE
US
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.97
  • 185.125.190.98
  • 91.189.91.97
  • 91.189.91.98
  • 185.125.190.48
  • 91.189.91.96
  • 185.125.190.49
  • 91.189.91.49
  • 185.125.190.17
  • 91.189.91.48
  • 185.125.190.96
  • 185.125.190.18
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2b
whitelisted
odrs.gnome.org
  • 169.150.255.184
  • 195.181.170.19
  • 37.19.194.80
  • 207.211.211.27
  • 212.102.56.178
  • 169.150.255.180
  • 195.181.175.41
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::112
whitelisted
google.com
  • 142.250.184.238
  • 2a00:1450:4001:831::200e
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
whitelisted
accounts.google.com
  • 142.250.110.84
whitelisted
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.186.42
  • 172.217.16.138
  • 142.250.181.234
  • 142.250.186.74
  • 172.217.18.10
  • 142.250.185.234
  • 142.250.185.106
  • 216.58.212.170
  • 142.250.185.202
  • 142.250.185.138
  • 216.58.212.138
  • 142.250.185.74
  • 142.250.186.170
  • 142.250.184.202
  • 142.250.185.170
  • 142.250.184.234
whitelisted
google-ohttp-relay-safebrowsing.fastly-edge.com
  • 151.101.193.91
  • 151.101.65.91
  • 151.101.1.91
  • 151.101.129.91
unknown
update.googleapis.com
  • 142.250.185.163
whitelisted
www.google.com
  • 142.250.185.228
whitelisted

Threats

PID
Process
Class
Message
13398
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
13398
curl
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
13490
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
13515
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://89.185.85.102/c