File name: xmr-go.sh

Full analysis: https://app.any.run/tasks/14a46791-32ec-4dd2-a9b8-555fa3394ea5
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: January 11, 2025, 05:20:17
OS: Ubuntu 22.04.2 LTS
Tags:
github
evasion
miner
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: FC26B835A1A99DC335BCDBB2B35904D8
SHA1: 13A29189F034B6A4F1CE03192ED24A22B3504C13
SHA256: 9B12E445E40F04928D7836B9E94F134396B889271A3E50C17EFB2DA71C885952
SSDEEP: 12:TmHiKMHxlTcViocNPTUpHb2Hoyz+S6JRKlfU2wDthKl5lKl8KlYKYRKlX2wDthKA:Eix3TcVBcFTwso0+dJRcfgJhc5lc8cYs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Modifies hosts file
      • xmr_linux_amd64 (PID: 38791)
    • Connects to the CnC server
      • xmrig (PID: 38805)
    • MINER has been detected (SURICATA)
      • xmrig (PID: 38805)
  • SUSPICIOUS
    • Modifies file or directory owner
      • sudo (PID: 38738)
    • Checks DMI information (probably VM detection)
      • xmrig (PID: 38805)
    • Executes commands using command-line interpreter
      • sudo (PID: 38741)
    • Executes the "rm" command to delete files or directories
      • bash (PID: 38742)
    • Checks for external IP
      • xmr_linux_amd64 (PID: 38791)
    • Potential Corporate Privacy Violation
      • xmrig (PID: 38805)
    • Connects to unusual port
      • xmrig (PID: 38805)
    • Reads /proc/mounts (likely used to find writable filesystems)
      • xmrig (PID: 38805)
    • Crypto Currency Mining Activity Detected
      • xmrig (PID: 38805)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
Total processes: 232
Monitored processes: 25
Malicious processes: 4
Suspicious processes: 1

Behavior graph (processes in start order; "no specs" marks a process with no indicators attached)

start -> dash (no specs) -> sudo (no specs) -> chown (no specs) -> chmod (no specs) -> sudo (no specs) -> bash (no specs) -> locale-check (no specs) -> uname (no specs) -> crontab (no specs) -> sudo (no specs) -> rm (no specs) -> snap (no specs) -> snap-seccomp (no specs) -> snap-confine (no specs) -> dumpe2fs (no specs) -> snap-update-ns (no specs) -> dumpe2fs (no specs) -> tracker-extract-3 (no specs) -> chmod (no specs) -> sudo (no specs) -> xmr_linux_amd64 -> sudo (no specs) -> true (no specs) -> sudo (no specs) -> xmrig (#MINER)

Process information

PID: 38737
CMD: /bin/sh -c "sudo chown user /tmp/xmr-go\.sh && chmod +x /tmp/xmr-go\.sh && DISPLAY=:0 sudo -iu user /tmp/xmr-go\.sh "
Path: /usr/bin/dash
Parent process: any-guest-agent
User: root
Integrity Level: UNKNOWN

PID: 38738
CMD: sudo chown user /tmp/xmr-go.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 38739
CMD: chown user /tmp/xmr-go.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 38740
CMD: chmod +x /tmp/xmr-go.sh
Path: /usr/bin/chmod
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 38741
CMD: sudo -iu user /tmp/xmr-go.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN

PID: 38742
CMD: /bin/bash /tmp/xmr-go.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN

PID: 38743
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 38744
CMD: uname -m
Path: /usr/bin/uname
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 38745
CMD: crontab -r
Path: /usr/bin/crontab
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 256

PID: 38746
CMD: sudo -n "crontab -r"
Path: /usr/bin/sudo
Parent process: bash
User: root
Integrity Level: UNKNOWN
Exit code: 256
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
38791 | xmr_linux_amd64 | /etc/hosts | text
38791 | xmr_linux_amd64 | /config/.config/openbox/autostart | text
38791 | xmr_linux_amd64 | /tmp/xmrig/xmrig-6.22.0/xmrig | o
38791 | xmr_linux_amd64 | /tmp/xmrig/xmrig-6.22.0/config.json | binary
HTTP(S) requests: 2
TCP/UDP connections: 11
DNS requests: 19
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | - | unknown | - | whitelisted
- | - | GET | 204 | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 185.125.190.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
484 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
- | - | 140.82.121.4:443 | github.com | GITHUB | US | shared
- | - | 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | shared
38791 | xmr_linux_amd64 | 172.67.74.152:443 | api.ipify.org | CLOUDFLARENET | US | shared
38791 | xmr_linux_amd64 | 104.21.4.25:443 | vmtracker.freechildporninthisserver.lol | CLOUDFLARENET | - | unknown
38791 | xmr_linux_amd64 | 140.82.121.4:443 | github.com | GITHUB | US | shared
38791 | xmr_linux_amd64 | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | shared
38805 | xmrig | 75.119.158.0:3222 | - | Contabo GmbH | DE | unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.96
  • 91.189.91.96
  • 185.125.190.17
  • 185.125.190.97
  • 91.189.91.98
  • 185.125.190.18
  • 91.189.91.49
  • 91.189.91.97
  • 185.125.190.48
  • 185.125.190.98
  • 185.125.190.49
  • 91.189.91.48
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::97
  • 2001:67c:1562::24
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::198
whitelisted
google.com
  • 216.58.206.46
  • 2a00:1450:4001:831::200e
whitelisted
github.com
  • 140.82.121.4
shared
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
  • 2606:50c0:8003::154
  • 2606:50c0:8000::154
  • 2606:50c0:8002::154
  • 2606:50c0:8001::154
shared
api.ipify.org
  • 172.67.74.152
  • 104.26.13.205
  • 104.26.12.205
shared
vmtracker.freechildporninthisserver.lol
  • 2606:4700:3037::6815:419
  • 2606:4700:3033::ac43:8392
  • 104.21.4.25
  • 172.67.131.146
unknown
objects.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
shared
109.100.168.192.in-addr.arpa
unknown

Threats

PID | Process | Class | Message
445 | systemd-resolved | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
445 | systemd-resolved | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
445 | systemd-resolved | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
445 | systemd-resolved | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
38791 | xmr_linux_amd64 | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
38805 | xmrig | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
38805 | xmrig | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signature is available in the full report
No debug info