File name: xmr-go.sh

Full analysis: https://app.any.run/tasks/fedd2321-8539-447c-8a01-de96b9e7c865
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: January 10, 2025, 20:06:42
OS: Ubuntu 22.04.2 LTS
Tags: github, evasion, miner
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: FC26B835A1A99DC335BCDBB2B35904D8
SHA1: 13A29189F034B6A4F1CE03192ED24A22B3504C13
SHA256: 9B12E445E40F04928D7836B9E94F134396B889271A3E50C17EFB2DA71C885952
SSDEEP: 12:TmHiKMHxlTcViocNPTUpHb2Hoyz+S6JRKlfU2wDthKl5lKl8KlYKYRKlX2wDthKA:Eix3TcVBcFTwso0+dJRcfgJhc5lc8cYs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • xmrig (PID: 38838)
    • Modifies hosts file
      • xmr_linux_amd64 (PID: 38819)
    • MINER has been detected (SURICATA)
      • xmrig (PID: 38838)
  • SUSPICIOUS
    • Checks for external IP
      • xmr_linux_amd64 (PID: 38819)
    • Reads /proc/mounts (likely used to find writable filesystems)
      • xmrig (PID: 38838)
    • Executes commands using command-line interpreter
      • sudo (PID: 38756)
    • Modifies file or directory owner
      • sudo (PID: 38753)
    • Executes the "rm" command to delete files or directories
      • bash (PID: 38758)
    • Checks DMI information (probably VM detection)
      • xmrig (PID: 38838)
    • Potential Corporate Privacy Violation
      • xmrig (PID: 38838)
    • Connects to unusual port
      • xmrig (PID: 38838)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
Total processes
236
Monitored processes
28
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes shown in the graph, in the order displayed (nodes marked "no specs" in the graph carry no indicators; xmr_linux_amd64 and xmrig are the flagged nodes, xmrig tagged #MINER):

dash, sudo, chown, chmod, sudo, bash, locale-check, uname, crontab, sudo, rm, snap, snap-seccomp, snap-confine, dumpe2fs, snap-update-ns, dumpe2fs, systemctl, dash, systemctl, chmod, sudo, tracker-extract-3, xmr_linux_amd64, sudo, true, sudo, xmrig (#MINER)

Process information

PID 38752
  CMD: /bin/sh -c "sudo chown user /home/user/Desktop/xmr-go\.sh && chmod +x /home/user/Desktop/xmr-go\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/xmr-go\.sh "
  Path: /usr/bin/dash
  Parent process: any-guest-agent
  User: user
  Integrity Level: UNKNOWN

PID 38753
  CMD: sudo chown user /home/user/Desktop/xmr-go.sh
  Path: /usr/bin/sudo
  Parent process: dash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38754
  CMD: chown user /home/user/Desktop/xmr-go.sh
  Path: /usr/bin/chown
  Parent process: sudo
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38755
  CMD: chmod +x /home/user/Desktop/xmr-go.sh
  Path: /usr/bin/chmod
  Parent process: dash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38756
  CMD: sudo -iu user /home/user/Desktop/xmr-go.sh
  Path: /usr/bin/sudo
  Parent process: dash
  User: root
  Integrity Level: UNKNOWN

PID 38758
  CMD: /bin/bash /home/user/Desktop/xmr-go.sh
  Path: /usr/bin/bash
  Parent process: sudo
  User: user
  Integrity Level: UNKNOWN

PID 38759
  CMD: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38760
  CMD: uname -m
  Path: /usr/bin/uname
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38761
  CMD: crontab -r
  Path: /usr/bin/crontab
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 256

PID 38762
  CMD: sudo -n "crontab -r"
  Path: /usr/bin/sudo
  Parent process: bash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 256
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID 38819, process xmr_linux_amd64
  • /etc/hosts (text)
    MD5:
    SHA256:
  • /config/.config/openbox/autostart (text)
    MD5:
    SHA256:
  • /tmp/xmrig/xmrig-6.22.0/xmrig (binary)
    MD5:
    SHA256:
  • /tmp/xmrig/xmrig-6.22.0/config.json (text)
    MD5:
    SHA256:
HTTP(S) requests
21
TCP/UDP connections
18
DNS requests
25
Threats
6

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation (fields the report left empty are omitted).

  • GET | 37.19.194.80:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | CN: unknown
  • GET | 204 | 185.125.190.48:80 | http://connectivity-check.ubuntu.com/ | CN: unknown | whitelisted
  • GET | 37.19.194.80:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | CN: unknown
  • GET | 185.125.190.48:80 | http://connectivity-check.ubuntu.com/ | CN: unknown | whitelisted
  • GET | 185.125.190.48:80 | http://connectivity-check.ubuntu.com/ | CN: unknown | whitelisted
  • GET | 302 | 140.82.121.4:443 | https://github.com/spetterman66/verynicerepo/raw/main/xmr_linux_amd64 | CN: unknown
  • PID 488, NetworkManager | GET | 204 | 91.189.91.97:80 | http://connectivity-check.ubuntu.com/ | CN: unknown | whitelisted
  • GET | 302 | 140.82.121.4:443 | https://github.com/GamerHun1238/xmrig/releases/download/v6.22.0/xmrig_linux_static_amd64 | CN: unknown
  • POST | 200 | 185.125.188.54:443 | https://api.snapcraft.io/api/v1/snaps/auth/nonces | CN: unknown | binary | 54 b | whitelisted
  • POST | 200 | 185.125.188.59:443 | https://api.snapcraft.io/api/v1/snaps/auth/sessions | CN: unknown | binary | 587 b | whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (fields the report left empty are omitted).

  • PID 484, avahi-daemon | 224.0.0.251:5353 | unknown
  • 185.125.190.48:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
  • 207.211.211.27:443 | odrs.gnome.org | US | whitelisted
  • 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
  • PID 488, NetworkManager | 91.189.91.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
  • 140.82.121.4:443 | github.com | GITHUB | US | shared
  • 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | shared
  • PID 38819, xmr_linux_amd64 | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
  • PID 38819, xmr_linux_amd64 | 104.21.4.25:443 | vmtracker.freechildporninthisserver.lol | CLOUDFLARENET | unknown
  • PID 38819, xmr_linux_amd64 | 140.82.121.4:443 | github.com | GITHUB | US | shared

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.48
  • 91.189.91.98
  • 185.125.190.97
  • 91.189.91.96
  • 91.189.91.49
  • 185.125.190.96
  • 185.125.190.18
  • 91.189.91.97
  • 185.125.190.98
  • 185.125.190.49
  • 91.189.91.48
  • 185.125.190.17
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2001:67c:1562::23
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::96
whitelisted
odrs.gnome.org
  • 207.211.211.27
  • 169.150.255.183
  • 212.102.56.179
  • 195.181.170.19
  • 169.150.255.180
  • 195.181.175.40
  • 37.19.194.81
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::11
whitelisted
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.55
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::2e6
whitelisted
google.com
  • 142.250.184.238
  • 2a00:1450:4001:81d::200e
whitelisted
github.com
  • 140.82.121.4
shared
47.100.168.192.in-addr.arpa
unknown
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.108.133
  • 2606:50c0:8002::154
  • 2606:50c0:8000::154
  • 2606:50c0:8003::154
  • 2606:50c0:8001::154
shared
api.ipify.org
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
shared
vmtracker.freechildporninthisserver.lol
  • 104.21.4.25
  • 172.67.131.146
  • 2606:4700:3033::ac43:8392
  • 2606:4700:3037::6815:419
unknown
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
shared

Threats

Columns: PID, Process, Class, Message (PID and Process were not listed for these rows).

  • Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
  • Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
  • Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  • Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  • Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  • Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
No debug info