URL:

http://45.128.232.234/skib.sh

Full analysis: https://app.any.run/tasks/a648207f-3d0f-47d1-b189-574864a23ef2
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: May 17, 2024, 05:52:19
OS: Ubuntu 22.04.2
Tags:
opendir
mirai
botnet
MD5:

DFFC4E0D79F6B32E4F4A45A00B0BB7DF

SHA1:

1A9702C283DE7DA9C8D66F099320C77E18347B7E

SHA256:

CEF7AE3EF8B422CDE4F43812F091F3B42BBFBBE68F20827531CDB6059D05483D

SSDEEP:

3:N1KmKjWRK:CmKjN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • bash (PID: 9561)
      • gnome-terminal-server (PID: 9543)

    • Uses wget to download content

      • bash (PID: 9561)
      • bash (PID: 9613)

    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 9623)
      • modprobe (PID: 9638)
      • modprobe (PID: 9643)
      • modprobe (PID: 9633)
      • modprobe (PID: 9618)
      • modprobe (PID: 9628)
      • modprobe (PID: 9648)

    • Intercepts program crashes

      • apport (PID: 9659)

    • Creates shell script file

      • wget (PID: 9590)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
368
Monitored processes
147
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chrome no specs locale-check no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome_crashpad_handler no specs chrome no specs chrome no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs systemctl no specs exe no specs chrome no specs xdg-settings no specs dbus-send no specs which no specs dash no specs basename no specs dash no specs which no specs readlink no specs dash no specs grep no specs cut no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs dash no specs which no specs readlink no specs dash no specs grep no specs cut no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs awk no specs cut no specs dash no specs basename no specs dash no specs which no specs readlink no specs grep no specs cut no specs dash no specs chrome no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs gnome-terminal no specs gnome-terminal.real no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dircolors no specs dirname no specs chrome no specs wget no specs tracker-extract-3 no specs ls no specs bash no specs bash no specs bash no specs bash no specs shasum no specs bash no specs bash no specs bash no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs modprobe no specs wget no specs bash no specs chmod no specs bash no specs wget no specs bash no specs chmod no specs skibidi.x86_64 no specs apport skibidi.x86_64 no specs skibidi.x86_64 no specs ls no specs

Process information

PID
CMD
Path
Indicators
Parent process
9297/bin/sh -c "DISPLAY=:0 sudo -iu user google-chrome http://45\.128\.232\.234/skib\.sh "/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
9298sudo -iu user google-chrome http://45.128.232.234/skib.sh/usr/bin/sudosh
User:
root
Integrity Level:
UNKNOWN
9299/usr/bin/google-chrome http://45.128.232.234/skib.sh/opt/google/chrome/chromesudo
User:
user
Integrity Level:
UNKNOWN
9300/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9301readlink -f /usr/bin/google-chrome/usr/bin/readlinkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9302dirname /opt/google/chrome/google-chrome/usr/bin/dirnamechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9303mkdir -p /home/user/.local/share/applications/usr/bin/mkdirchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9304cat/usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
9305cat/usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
9306/opt/google/chrome/chromechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
9299chrome/9299/fd/63
MD5:
SHA256:
9299chrome/home/user/.config/google-chrome/BrowserMetrics/BrowserMetrics-6646F098-2453.pma
MD5:
SHA256:
9299chrome/.com.google.Chrome.iDuXAp
MD5:
SHA256:
9299chrome/.com.google.Chrome.cwOg90
MD5:
SHA256:
9299chrome/.com.google.Chrome.U8Aid9
MD5:
SHA256:
9299chrome/home/user/.config/google-chrome/Default/Sync Data/LevelDB/LOG
MD5:
SHA256:
9299chrome/.com.google.Chrome.33Fgsg
MD5:
SHA256:
9299chrome/.com.google.Chrome.m5zPzC
MD5:
SHA256:
9299chrome/.com.google.Chrome.M99fSj
MD5:
SHA256:
9299chrome/home/user/.config/google-chrome/Default/Local Storage/leveldb/LOG
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
32
DNS requests
24
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
45.128.232.234:80
http://45.128.232.234/skib.sh
unknown
unknown
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
unknown
unknown
GET
404
45.128.232.234:80
http://45.128.232.234/favicon.ico
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/skib.sh
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/sigma/skibidi.arm4
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/sigma/skibidi.arm7
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/sigma/skibidi.arm5
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/sigma/skibidi.arm6
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/sigma/skibidi.mips
unknown
unknown
GET
200
45.128.232.234:80
http://45.128.232.234/sigma/skibidi.arm4
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.251:5353
unknown
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
74.125.71.84:443
accounts.google.com
GOOGLE
US
unknown
239.255.255.250:1900
unknown
142.250.184.227:443
clientservices.googleapis.com
GOOGLE
US
unknown
45.128.232.234:80
Enes Koken
BG
unknown
45.128.232.234:443
Enes Koken
BG
unknown
172.217.18.99:443
update.googleapis.com
GOOGLE
US
unknown
216.58.212.132:443
www.google.com
unknown

DNS requests

Domain
IP
Reputation
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.55
unknown
clientservices.googleapis.com
  • 142.250.184.227
whitelisted
accounts.google.com
  • 74.125.71.84
shared
update.googleapis.com
  • 172.217.18.99
unknown
14.100.168.192.in-addr.arpa
unknown
www.google.com
  • 216.58.212.132
whitelisted
optimizationguide-pa.googleapis.com
  • 172.217.18.10
  • 142.250.185.138
  • 142.250.181.234
  • 142.250.185.202
  • 142.250.184.202
  • 142.250.185.106
  • 142.250.185.74
  • 216.58.206.42
  • 142.250.74.202
  • 172.217.16.202
  • 142.250.186.170
  • 142.250.186.138
  • 142.250.184.234
  • 142.250.185.170
  • 142.250.186.106
  • 142.250.185.234
whitelisted
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::22
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::198
  • 2620:2d:4002:1::197
  • 2001:67c:1562::24
unknown
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
safebrowsing.googleapis.com
  • 142.250.185.106
whitelisted

Threats

PID
Process
Class
Message
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
Potentially Bad Traffic
ET INFO ARM7 File Download Request from IP Address
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://45.128.232.234/skib.sh