File name: server_setup.sh
Full analysis: https://app.any.run/tasks/a0fda35f-34e3-47e6-9eb8-4cffa6dfc1fe
Verdict: Malicious activity
Analysis date: May 10, 2024, 13:00:29
OS: Ubuntu 22.04.2
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: 451B1604F73E4BC9FD74076ECD0A0565
SHA1: C7BF68936FC74ED4EB211886FBF8FD954E8DC96D
SHA256: C90777905E763351A08CCEDD30D5D22B85A2963500E79424E605A05510D4FC78
SSDEEP: 96:c+houly5iKi5LFJinh+huOJiHl/lwsw4ENV9g2WDoFI:cZuU5iKoOnh85QlNdw9ncMFI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Modifies hosts file
      • tar (PID: 9277)
  • SUSPICIOUS
    • Executes commands using command-line interpreter
      • gnome-terminal-server (PID: 9287)
    • Uses wget to download content
      • server_setup.sh (PID: 9271)
    • Modifies file or directory owner
      • sudo (PID: 9266)
    • Creates shell script file
      • tar (PID: 9277)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes: 256
Monitored processes: 36
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the behavior graph, in order: sh, sudo, chown, chmod, sudo, server_setup.sh, locale-check, mkdir, wget, tar, xz, gnome-terminal, gnome-terminal.real, gnome-terminal-server, bash, lesspipe, basename, dash, dircolors, dirname, bash, bash, bash, ls, bash, bash, bash, bash, ls, ld-musl-x86_64.so.1, readlink, dirname, ld-musl-x86_64.so.1, readlink, dirname, ls

Process information

Columns: PID, CMD, Path, Parent process, User, Integrity Level, Exit code (the Indicators column is empty in this excerpt).

PID 9265
  CMD: /bin/sh -c "sudo chown user /home/user/server_setup\.sh && chmod +x /home/user/server_setup\.sh && DISPLAY=:0 sudo -iu user /home/user/server_setup\.sh "
  Path: /bin/sh
  Parent process: any-guest-agent
  User: user
  Integrity Level: UNKNOWN
  Exit code: 9282

PID 9266
  CMD: sudo chown user /home/user/server_setup.sh
  Path: /usr/bin/sudo
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9267
  CMD: chown user /home/user/server_setup.sh
  Path: /usr/bin/chown
  Parent process: sudo
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9268
  CMD: chmod +x /home/user/server_setup.sh
  Path: /usr/bin/chmod
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9269
  CMD: sudo -iu user /home/user/server_setup.sh
  Path: /usr/bin/sudo
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 9282

PID 9271
  CMD: /bin/bash /home/user/server_setup.sh
  Path: /home/user/server_setup.sh
  Parent process: sudo
  User: user
  Integrity Level: UNKNOWN
  Exit code: 9282

PID 9272
  CMD: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: server_setup.sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9273
  CMD: mkdir -p /home/user/FXServer/server
  Path: /usr/bin/mkdir
  Parent process: server_setup.sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 9274
  CMD: wget https://runtime.fivem.net/artifacts/fivem/build_proot_linux/master/7290-a654bcc2adfa27c4e020fc915a1a6343c3b4f921/fx.tar.xz -O /home/user/FXServer/server/fx.tar.xz
  Path: /usr/bin/wget
  Parent process: server_setup.sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 496

PID 9277
  CMD: tar xf fx.tar.xz
  Path: /usr/bin/tar
  Parent process: server_setup.sh
  User: user
  Integrity Level: UNKNOWN
  Exit code: 209
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID   Process  Filename
9274  wget     /home/user/FXServer/server/fx.tar.xz
9274  wget     /home/user/.wget-hsts
9277  tar      /home/user/FXServer/server/alpine/lib/libcrypto.so.3
9277  tar      /home/user/FXServer/server/alpine/lib/ld-musl-x86_64.so.1
9277  tar      /home/user/FXServer/server/alpine/lib/libcrypto.so.1.1
9277  tar      /home/user/FXServer/server/alpine/lib/libblkid.so.1.1.0
9277  tar      /home/user/FXServer/server/alpine/lib/libmount.so.1.1.0
9277  tar      /home/user/FXServer/server/alpine/lib/sysctl.d/00-alpine.conf
9277  tar      /home/user/FXServer/server/alpine/lib/apk/db/installed
9277  tar      /home/user/FXServer/server/alpine/lib/apk/db/triggers

(The Type, MD5 and SHA256 columns are empty for every dropped file in this excerpt.)
HTTP(S) requests: 1
TCP/UDP connections: 13
DNS requests: 18
Threats: 5

HTTP requests

Method  HTTP Code  IP               URL                                    CN       Reputation
GET     204        91.189.91.49:80  http://connectivity-check.ubuntu.com/  unknown  unknown

(The PID, Process, Type and Size columns are empty in this excerpt.)

Connections

IP                   Domain                     ASN                      CN  Reputation
91.189.91.49:80      -                          Canonical Group Limited  US  unknown
91.189.91.48:80      -                          Canonical Group Limited  US  unknown
224.0.0.251:5353     -                          -                        -   unknown
104.18.39.159:443    runtime.fivem.net          CLOUDFLARENET            -   unknown
172.64.148.97:443    runtime.fivem.net          CLOUDFLARENET            US  unknown
185.199.108.133:443  raw.githubusercontent.com  FASTLY                   US  unknown
23.128.64.141:443    ip.seeip.org               JOESDATACENTER           US  unknown
104.26.13.205:443    api.ipify.org              CLOUDFLARENET            US  unknown
172.67.75.163:443    api.myip.com               CLOUDFLARENET            US  unknown
172.64.153.85:443    cfx.re                     CLOUDFLARENET            US  unknown

(The PID and Process columns are empty in this excerpt; "-" marks a cell left blank in the report.)

DNS requests

runtime.fivem.net (reputation: unknown)
  • 104.18.39.159
  • 172.64.148.97
  • 2606:4700:4400::6812:279f
  • 2606:4700:4400::ac40:9461
connectivity-check.ubuntu.com (reputation: unknown)
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4002:1::196
210.100.168.192.in-addr.arpa (reputation: unknown; no IP returned)
raw.githubusercontent.com (reputation: shared)
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.111.133
  • 2606:50c0:8003::154
  • 2606:50c0:8002::154
  • 2606:50c0:8000::154
  • 2606:50c0:8001::154
changelogs-live.fivem.net (reputation: unknown)
  • 104.18.39.159
  • 172.64.148.97
  • 2606:4700:4400::ac40:9461
  • 2606:4700:4400::6812:279f
ip.seeip.org (reputation: unknown)
  • 23.128.64.141
  • 2602:fed3:2:b74f:112:9a23:af4f:2219
api.ipify.org (reputation: shared)
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
api.myip.com (reputation: malicious)
  • 104.26.8.59
  • 172.67.75.163
  • 104.26.9.59
  • 2606:4700:20::681a:93b
  • 2606:4700:20::ac43:4ba3
  • 2606:4700:20::681a:83b
cfx.re (reputation: unknown)
  • 172.64.153.85
  • 104.18.34.171
users.cfx.re (reputation: unknown)
  • 51.178.63.28
  • 51.210.126.15
  • 146.59.204.24
  • 146.59.193.195
  • 51.178.63.83
  • 51.91.137.120
  • 51.210.127.214

Threats

Class: Misc activity
Message: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup

Class: Misc activity
Message: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup

Class: Device Retrieving External IP Address Detected
Message: ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)

Class: Misc activity
Message: ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

(The PID and Process columns are empty in this excerpt.)
1 ETPRO signatures available at the full report
No debug info