File name:

Any-run.txt

Full analysis: https://app.any.run/tasks/71462d92-ef70-4d4f-a9c1-c864508d8719
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: February 25, 2025, 07:58:57
OS: Ubuntu 22.04.2 LTS
Tags:
miner
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

6906A6DCA9E073B73BB9F077CCB795E7

SHA1:

356A9201F7A966B0304D2E5BB922B6D1AD47B919

SHA256:

DFE44B50126422D0B3EE7078368965DF7210B7DC7641E909AF965460A5C33C09

SSDEEP:

3:pKH9LIGNL8dsfEjA0UFQRz/sfELF/nsfEzuRz/sfRZlH:kHRJL8dsqZUONsyF/ns6uNs5/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • e824281b2 (PID: 40953)
    • MINER has been detected (SURICATA)

      • e824281b2 (PID: 40953)
  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 40745)
      • bash (PID: 40763)
      • e824281b2 (PID: 40953)
    • Connects to unusual port

      • curl (PID: 40785)
      • curl (PID: 40912)
    • Removes file immutable attribute

      • bash (PID: 40784)
    • Checks DMI information (probably VM detection)

      • e824281b2 (PID: 40953)
      • e824281b2 (PID: 40939)
      • 7xg5zcsx6xvlm (PID: 41062)
      • 7xg5zcsx6xvlm (PID: 41070)
      • 7xg5zcsx6xvlm (PID: 41168)
      • 7xg5zcsx6xvlm (PID: 41156)
      • 7xg5zcsx6xvlm (PID: 41108)
      • 7xg5zcsx6xvlm (PID: 41116)
      • 7xg5zcsx6xvlm (PID: 41223)
      • 7xg5zcsx6xvlm (PID: 41215)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • curl (PID: 40912)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 40784)
    • Potential Corporate Privacy Violation

      • curl (PID: 40785)
      • e824281b2 (PID: 40953)
    • Modifies Cron jobs

      • bash (PID: 41046)
    • Modifies bash configuration script

      • e824281b2 (PID: 40953)
    • Checks the user who created the process

      • cron (PID: 41060)
      • cron (PID: 41106)
      • cron (PID: 41154)
      • cron (PID: 41213)
  • INFO

    No info indicators.
No Malware configuration.
No data.
Total processes: 464
Monitored processes: 240
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process nodes in the order they appear in the graph ("no specs" marks a node with no signature hits; consecutive repeats are collapsed; the two curl nodes and the second e824281b2 node are the ones carrying indicators):

start, dash, sudo, gnome-text-editor, locale-check, systemctl (x4), python3.10, gnome-terminal.real, gnome-terminal-server, bash, dash, basename, dash, dircolors, dirname, bash (x3), curl [indicators], snap-seccomp, snap-confine, dumpe2fs, snap-update-ns, dumpe2fs, bash, date, md5sum, mawk, chattr, bash, crontab, whoami, readlink (x4), date, readlink (many repeats), id, bash, ps, grep (x3), whoami, bash, find, curl [indicators], snap-seccomp, snap-confine (x2), chmod, e824281b2, tracker-extract-3, e824281b2 [#MINER], bash, sleep, bash, rm, bash, rm, touch, bash (x3), find, grep, cat, grep, mawk, find, uniq, bash (x4), cat, grep, mawk, cat, grep (x2), cat, grep, uniq, find, uniq, xargs, mawk (x2), uniq, grep, find, bash (x2), tr, nl, sort (x2), cut, bash (x2), grep, tr, nl, sort (x2), cut, bash (x2), tr, nl, sort (x2), cut, nm7u1tx1warq (x2), crontab, dash, crontab (x2), bash (x2), crontab (x2), tracker-extract-3

followed by four cron-spawned rounds of: cron, dash, 7xg5zcsx6xvlm (x2), crontab, dash, crontab (x2), dash, crontab (x2), dash, crontab (the first round ends with ls; the fourth is cut off in the extracted text after 7xg5zcsx6xvlm).

Process information

PID: 40677
CMD: /bin/sh -c "DISPLAY=:0 sudo -iu user gnome-text-editor /home/user/Desktop/Any-run\.txt "
Path: /usr/bin/dash
Indicators: none
Parent process: any-guest-agent
User: user
Integrity Level: UNKNOWN

PID: 40678
CMD: sudo -iu user gnome-text-editor /home/user/Desktop/Any-run.txt
Path: /usr/bin/sudo
Indicators: none
Parent process: dash
User: root
Integrity Level: UNKNOWN

PID: 40679
CMD: gnome-text-editor /home/user/Desktop/Any-run.txt
Path: /usr/bin/gnome-text-editor
Indicators: none
Parent process: sudo
User: user
Integrity Level: UNKNOWN

PID: 40680
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Indicators: none
Parent process: gnome-text-editor
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40727
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Indicators: none
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40729
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Indicators: none
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40730
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Indicators: none
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40731
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Indicators: none
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40738
CMD: /usr/bin/python3 /usr/bin/gnome-terminal
Path: /usr/bin/python3.10
Indicators: none
Parent process: gnome-shell
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40740
CMD: /usr/bin/gnome-terminal.real
Path: /usr/bin/gnome-terminal.real
Indicators: none
Parent process: python3.10
User: user
Integrity Level: UNKNOWN
Exit code: 0
Executable files: 0
Suspicious files: 10
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
40679 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/07/a5ca34ded861cac74dd87c9367c0531ebaf63d | binary
40679 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/ab/bb62a84ebd8c6f699de6da1f95cf51d1deb40a | binary
40679 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/d2/ea27fa2c8972e4719271e6ea166eb60cb88796 | binary
40679 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/74/0feed80fcc6c9ed6fbc025c5e0aa962968fa40 | binary
40679 | gnome-text-editor | /home/user/.local/share/org.gnome.TextEditor/session.gvariant (deleted) | binary
40679 | gnome-text-editor | /home/user/.local/share/org.gnome.TextEditor/session.gvariant | binary
40679 | gnome-text-editor | /home/user/.local/share/org.gnome.TextEditor/recently-used.xbel | xml
40679 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/92/143bd47bc036b374d409d26257fa05426c8ece | binary
40912 | curl | /home/user/e824281b2o (filename and type fields are not separable in the extracted text) |
40953 | e824281b2 | /usr/share/ppd/custom/nm7u1tx1warq | binary

MD5 and SHA256 values for the dropped files are not included in this extract.
HTTP(S) requests: 4
TCP/UDP connections: 16
DNS requests: 21
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 |  | GET | 204 | 91.189.91.96:80 | http://connectivity-check.ubuntu.com/ | unknown |  |  | whitelisted
40785 | curl | GET | 200 | 91.208.197.40:6601 | http://91.208.197.40:6601/ldr.sh | unknown |  |  | unknown
488 | NetworkManager | GET | 204 | 91.189.91.48:80 | http://connectivity-check.ubuntu.com/ | unknown |  |  | whitelisted
40912 | curl | GET | 200 | 91.208.197.40:6601 | http://91.208.197.40:6601/app | unknown |  |  | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 91.189.91.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
484 | avahi-daemon | 224.0.0.251:5353 |  |  |  | unknown
 |  | 195.181.170.19:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted
512 | snapd | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
40785 | curl | 91.208.197.40:6601 |  | Alexhost Srl | MD | unknown
40912 | curl | 91.208.197.40:6601 |  | Alexhost Srl | MD | unknown
40953 | e824281b2 | 142.250.180.83:443 | www.dblikes.cyou | GOOGLE | US | unknown
40953 | e824281b2 | 152.53.121.6:80 | gulf.moneroocean.stream |  | US | shared

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
  • 2a00:1450:4001:82f::200e
whitelisted
odrs.gnome.org
  • 195.181.170.19
  • 212.102.56.178
  • 195.181.175.41
  • 169.150.255.184
  • 207.211.211.26
  • 37.19.194.80
  • 169.150.255.181
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::18
whitelisted
connectivity-check.ubuntu.com
  • 91.189.91.96
  • 185.125.190.17
  • 185.125.190.49
  • 91.189.91.49
  • 91.189.91.98
  • 185.125.190.98
  • 185.125.190.18
  • 185.125.190.97
  • 91.189.91.97
  • 91.189.91.48
  • 185.125.190.96
  • 185.125.190.48
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2001:67c:1562::24
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.59
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
whitelisted
118.100.168.192.in-addr.arpa
unknown
gulf.moneroocean.stream
  • 2a0a:4cc0:c0:4ac2:541e:d9ff:fe44:37fc
  • 152.53.121.6
shared
auto.c3pool.org
  • 88.198.117.174
  • 5.75.158.61
malicious
www.dblikes.cyou
  • 2a00:1450:4008:804::2013
  • 142.250.180.83
unknown

Threats

PID | Process | Class | Message
40785 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
40785 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
40785 | curl | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] The user name associated in PS.Script has been detected
40785 | curl | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download
40953 | e824281b2 | Potential Corporate Privacy Violation | ET INFO Cryptocurrency Miner Checkin
40953 | e824281b2 | Potential Corporate Privacy Violation | ET INFO Cryptocurrency Miner Checkin
No debug info