Field | Value
---|---|
File name | xmr-go.sh
Full analysis | https://app.any.run/tasks/fedd2321-8539-447c-8a01-de96b9e7c865
Verdict | Malicious activity
Threats | Crypto mining malware is a resource-intensive threat that infiltrates computers to mine cryptocurrency. It can be deployed either as a binary on an infected machine or as a script on a compromised website; in both cases the miner consumes the device's computing power and network bandwidth. In this run the script attempts to remove the user's crontab (`crontab -r`, then again via `sudo -n`; both exit non-zero), fetches `xmr_linux_amd64` from a GitHub repository, and that binary drops XMRig 6.22.0 under `/tmp/xmrig`, writes an Openbox autostart entry for persistence, modifies `/etc/hosts`, and looks up the host's external IP via api.ipify.org before contacting a tracker domain (see the tables below).
Analysis date | January 10, 2025, 20:06:42
OS | Ubuntu 22.04.2 LTS
Tags | —
Indicators | —
MIME | text/x-shellscript
File info | Bourne-Again shell script, ASCII text executable
MD5 | FC26B835A1A99DC335BCDBB2B35904D8
SHA1 | 13A29189F034B6A4F1CE03192ED24A22B3504C13
SHA256 | 9B12E445E40F04928D7836B9E94F134396B889271A3E50C17EFB2DA71C885952
SSDEEP | 12:TmHiKMHxlTcViocNPTUpHb2Hoyz+S6JRKlfU2wDthKl5lKl8KlYKYRKlX2wDthKA:Eix3TcVBcFTwso0+dJRcfgJhc5lc8cYs
File type (.sh) | Linux/UNIX shell script (100)
PID | CMD | Path | Indicators | Parent process | User | Exit code
---|---|---|---|---|---|---|
38752 | /bin/sh -c "sudo chown user /home/user/Desktop/xmr-go\.sh && chmod +x /home/user/Desktop/xmr-go\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/xmr-go\.sh " | /usr/bin/dash | — | any-guest-agent | user | —
38753 | sudo chown user /home/user/Desktop/xmr-go.sh | /usr/bin/sudo | — | dash | root | 0
38754 | chown user /home/user/Desktop/xmr-go.sh | /usr/bin/chown | — | sudo | root | 0
38755 | chmod +x /home/user/Desktop/xmr-go.sh | /usr/bin/chmod | — | dash | user | 0
38756 | sudo -iu user /home/user/Desktop/xmr-go.sh | /usr/bin/sudo | — | dash | root | —
38758 | /bin/bash /home/user/Desktop/xmr-go.sh | /usr/bin/bash | — | sudo | user | —
38759 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | — | bash | user | 0
38760 | uname -m | /usr/bin/uname | — | bash | user | 0
38761 | crontab -r | /usr/bin/crontab | — | bash | user | 256
38762 | sudo -n "crontab -r" | /usr/bin/sudo | — | bash | root | 256

Integrity level is reported as UNKNOWN for every process (it is a Windows concept and carries no information in this Linux report). PIDs 38752 to 38756 are the sandbox harness (parent `any-guest-agent`) taking ownership of the sample, marking it executable and launching it as `user`; the sample's own behaviour starts at PID 38758. An exit code of 256 is the raw wait status for exit status 1. Note the quoting in PID 38762: `sudo -n "crontab -r"` passes a single argument, so sudo looks for a program literally named `crontab -r` rather than running `crontab` with `-r`; the attempt to clear root's crontab therefore fails as written, and `-n` (non-interactive) means it would also fail silently wherever a password is required.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
38819 | xmr_linux_amd64 | /etc/hosts | text | — | —
38819 | xmr_linux_amd64 | /config/.config/openbox/autostart | text | — | —
38819 | xmr_linux_amd64 | /tmp/xmrig/xmrig-6.22.0/xmrig | binary | — | —
38819 | xmr_linux_amd64 | /tmp/xmrig/xmrig-6.22.0/config.json | text | — | —

Hashes of the dropped files are not recorded in this report. The Openbox `autostart` file is run at every Openbox session start, which is what gives the miner persistence across logins; the `/etc/hosts` write by the same process is the only system-wide file touched.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 37.19.194.80:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | — | — | — |
— | — | GET | 204 | 185.125.190.48:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | — | 37.19.194.80:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | — | — | — |
— | — | GET | — | 185.125.190.48:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | — | 185.125.190.48:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 302 | 140.82.121.4:443 | https://github.com/spetterman66/verynicerepo/raw/main/xmr_linux_amd64 | unknown | — | — | — |
488 | NetworkManager | GET | 204 | 91.189.91.97:80 | http://connectivity-check.ubuntu.com/ | unknown | — | — | whitelisted |
— | — | GET | 302 | 140.82.121.4:443 | https://github.com/GamerHun1238/xmrig/releases/download/v6.22.0/xmrig_linux_static_amd64 | unknown | — | — | — |
— | — | POST | 200 | 185.125.188.54:443 | https://api.snapcraft.io/api/v1/snaps/auth/nonces | unknown | binary | 54 b | whitelisted |
— | — | POST | 200 | 185.125.188.59:443 | https://api.snapcraft.io/api/v1/snaps/auth/sessions | unknown | binary | 587 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
484 | avahi-daemon | 224.0.0.251:5353 | — | — | — | unknown |
— | — | 185.125.190.48:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted |
— | — | 207.211.211.27:443 | odrs.gnome.org | — | US | whitelisted |
— | — | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted |
488 | NetworkManager | 91.189.91.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted |
— | — | 140.82.121.4:443 | github.com | GITHUB | US | shared |
— | — | 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | shared |
38819 | xmr_linux_amd64 | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | shared |
38819 | xmr_linux_amd64 | 104.21.4.25:443 | vmtracker.freechildporninthisserver.lol | CLOUDFLARENET | — | unknown |
38819 | xmr_linux_amd64 | 140.82.121.4:443 | github.com | GITHUB | US | shared |
Domain | IP | Reputation
---|---|---|
connectivity-check.ubuntu.com | — | whitelisted
odrs.gnome.org | — | whitelisted
api.snapcraft.io | — | whitelisted
google.com | — | whitelisted
github.com | — | shared
47.100.168.192.in-addr.arpa | — | unknown
raw.githubusercontent.com | — | shared
api.ipify.org | — | shared
vmtracker.freechildporninthisserver.lol | — | unknown
objects.githubusercontent.com | — | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
— | — | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
— | — | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
— | — | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
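The process, file, HTTP and DNS tables above each carry one or two behaviours that separate this sample from ordinary desktop noise: the crontab wipe and non-interactive sudo probe, the GitHub raw/release download, the XMRig drop under /tmp, the Openbox autostart write, the /etc/hosts modification and the external IP lookup. The block below, an added example that is not ANY.RUN's code nor anything from the sample, turns those observations into detection rules and runs them over sample events transcribed from the tables. The event dict shape, the rule names and the ATT&CK technique IDs attached to them are this example's own choices, and the whitelisted Ubuntu telemetry is filtered first so the rules only see attacker-driven activity.

```python
"""Detection rules derived from the sandbox tables above, run over
constructed sample events transcribed from them (example code)."""
import re

# Constructed sample events, transcribed from the report's process, file,
# HTTP and DNS tables. The dict shape is this example's own convention,
# not an ANY.RUN export format.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 38760, "user": "user", "cmd": "uname -m", "exit": 0},
    {"kind": "process", "pid": 38761, "user": "user", "cmd": "crontab -r", "exit": 256},
    {"kind": "process", "pid": 38762, "user": "root", "cmd": 'sudo -n "crontab -r"', "exit": 256},
    {"kind": "http", "url": "https://github.com/spetterman66/verynicerepo/raw/main/xmr_linux_amd64", "code": 302},
    {"kind": "http", "url": "https://github.com/GamerHun1238/xmrig/releases/download/v6.22.0/xmrig_linux_static_amd64", "code": 302},
    {"kind": "http", "url": "http://connectivity-check.ubuntu.com/", "code": 204},  # OS noise
    {"kind": "file", "pid": 38819, "process": "xmr_linux_amd64", "path": "/etc/hosts"},
    {"kind": "file", "pid": 38819, "process": "xmr_linux_amd64", "path": "/config/.config/openbox/autostart"},
    {"kind": "file", "pid": 38819, "process": "xmr_linux_amd64", "path": "/tmp/xmrig/xmrig-6.22.0/xmrig"},
    {"kind": "file", "pid": 38819, "process": "xmr_linux_amd64", "path": "/tmp/xmrig/xmrig-6.22.0/config.json"},
    {"kind": "dns", "pid": 38819, "process": "xmr_linux_amd64", "domain": "api.ipify.org"},
    {"kind": "dns", "pid": 38819, "process": "xmr_linux_amd64", "domain": "vmtracker.freechildporninthisserver.lol"},
]

# Ubuntu desktop telemetry the report marks "whitelisted"; dropped before
# rule evaluation so sandbox background traffic never produces findings.
OS_NOISE = {"connectivity-check.ubuntu.com", "api.snapcraft.io", "odrs.gnome.org"}


def _host(url):
    """Hostname part of an http(s) URL."""
    return re.sub(r"^https?://([^/:]+).*$", r"\1", url)


def is_os_noise(event):
    if event["kind"] == "http":
        return _host(event["url"]) in OS_NOISE
    if event["kind"] == "dns":
        return event["domain"] in OS_NOISE
    return False


# (rule name, ATT&CK technique this example maps the behaviour to, predicate)
RULES = [
    ("cron_wipe", "T1053.003",
     lambda e: e["kind"] == "process" and re.search(r"\bcrontab\s+-r\b", e["cmd"]) is not None),
    ("sudo_noninteractive_probe", "T1548.003",
     lambda e: e["kind"] == "process" and re.match(r"sudo\s+-n\b", e["cmd"]) is not None),
    ("github_payload_download", "T1105",
     lambda e: e["kind"] == "http"
     and re.search(r"github\.com/[^/]+/[^/]+/(?:raw/|releases/download/)", e["url"]) is not None),
    ("hosts_file_write", "T1565.001",
     lambda e: e["kind"] == "file" and e["path"] == "/etc/hosts"),
    ("openbox_autostart_persistence", "T1547.013",
     lambda e: e["kind"] == "file" and e["path"].endswith("/.config/openbox/autostart")),
    ("xmrig_artifact_in_tmp", "T1496",
     lambda e: e["kind"] == "file" and re.match(r"/tmp/.*xmrig", e["path"]) is not None),
    ("external_ip_lookup", "T1016",
     lambda e: e["kind"] == "dns" and e["domain"] in {"api.ipify.org", "ifconfig.me", "icanhazip.com"}),
]


def triage(events):
    """Return one finding per (event, rule) match, skipping OS noise."""
    findings = []
    for ev in events:
        if is_os_noise(ev):
            continue
        for name, technique, pred in RULES:
            if pred(ev):
                evidence = ev.get("cmd") or ev.get("url") or ev.get("path") or ev.get("domain")
                findings.append({"rule": name, "technique": technique,
                                 "pid": ev.get("pid"), "evidence": evidence})
    return findings


def verdict(findings):
    """A miner on disk plus persistence or cron tampering is what separates
    this sample from a one-off download; anything else that fires is only
    suspicious on its own."""
    names = {f["rule"] for f in findings}
    if "xmrig_artifact_in_tmp" in names and names & {"openbox_autostart_persistence", "cron_wipe"}:
        return "malicious"
    return "suspicious" if names else "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:32} {f['technique']:10} pid={f['pid']} {f['evidence']}")
    print("verdict:", verdict(found))
```

Two points in the rules are worth carrying into a real detection: `cron_wipe` deliberately fires on the `sudo -n "crontab -r"` line as well, because the intent is what matters even though the quoting made that command fail, and the GitHub rule keys on the raw/ and releases/download/ path shapes rather than on the two account names in this report, which an attacker can rotate for free.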