download:

/keroserene/rickrollrc/master/roll.sh

Full analysis: https://app.any.run/tasks/ccc4b87d-212c-4642-b43f-9d38bc042af4
Verdict: Malicious activity
Analysis date: July 03, 2024, 07:56:18
OS: Ubuntu 22.04.2
MIME: text/x-shellscript
File info: Bourne-Again shell script, Unicode text, UTF-8 text executable
MD5: F07F3F79956FBAB57D576865F3863D9E
SHA1: C6E8A87749D13BB6F564A13F4F32648CF78B01A9
SHA256: F70189EF3854E70101EF61B17C0A7ED3CA6DCC45E78B9061955128913E2CB06C
SSDEEP: 48:mMuyKA8rQsSGBL8ajgR7d/XmgEsK8t8DJBfWqr/mp5UR2CZ34AmyyITW7WLAUxQO:duu8Es5BL8omV258t8FAMOS9YITWwAdO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 12939)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • curl (PID: 12959)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes: 242
Monitored processes: 28
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process chain (in order of appearance; "no specs" means no behavior indicators were recorded for that process):

  • sh (no specs)
  • sudo (no specs)
  • chown (no specs)
  • chmod (no specs)
  • sudo (no specs)
  • roll.sh (no specs)
  • locale-check (no specs)
  • bash (no specs)
  • aplay (no specs)
  • bash (no specs)
  • bash (no specs)
  • curl
  • cat (no specs)
  • bash (no specs)
  • bash (no specs)
  • bunzip2 (no specs)
  • curl
  • snap-seccomp (no specs)
  • snap-seccomp (no specs)
  • snap-confine (no specs)
  • snap-confine (no specs)
  • snap-confine (no specs)
  • snap-confine (no specs)
  • systemctl (no specs)
  • systemctl (no specs)
  • systemctl (no specs)
  • systemctl (no specs)
  • systemctl (no specs)

Process information

PID: 12938
CMD: /bin/sh -c "sudo chown user /home/user/roll\.sh && chmod +x /home/user/roll\.sh && DISPLAY=:0 sudo -iu user /home/user/roll\.sh "
Path: /bin/sh
Indicators: none
Parent process: any-guest-agent
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 12939
CMD: sudo chown user /home/user/roll.sh
Path: /usr/bin/sudo
Indicators: none
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 12940
CMD: chown user /home/user/roll.sh
Path: /usr/bin/chown
Indicators: none
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 12941
CMD: chmod +x /home/user/roll.sh
Path: /usr/bin/chmod
Indicators: none
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 12942
CMD: sudo -iu user /home/user/roll.sh
Path: /usr/bin/sudo
Indicators: none
Parent process: sh
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 12944
CMD: /bin/bash /home/user/roll.sh
Path: /home/user/roll.sh
Indicators: none
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 12945
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Indicators: none
Parent process: roll.sh
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 12946
CMD: /bin/bash /home/user/roll.sh
Path: /usr/bin/bash
Indicators: none
Parent process: roll.sh
User: user
Integrity Level: UNKNOWN

PID: 12947
CMD: aplay -Dplug:default -q -f S16_LE -r 8000
Path: /usr/bin/aplay
Indicators: none
Parent process: roll.sh
User: user
Integrity Level: UNKNOWN

PID: 12948
CMD: /bin/bash /home/user/roll.sh
Path: /usr/bin/bash
Indicators: none
Parent process: roll.sh
User: user
Integrity Level: UNKNOWN
Exit code: 0
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 10
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
470 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
12959 | curl | 69.163.140.191:443 | keroserene.net | DREAMHOST-AS | US | unknown
12950 | curl | 69.163.140.191:443 | keroserene.net | DREAMHOST-AS | US | unknown
485 | snapd | 185.125.188.55:443 | api.snapcraft.io | Canonical Group Limited | GB | malicious

DNS requests

Domain | Resolved IPs | Reputation

odrs.gnome.org (reputation: unknown)
  • 195.181.175.41
  • 212.102.56.182
  • 156.146.33.137
  • 156.146.33.15
  • 156.146.33.141
  • 195.181.175.15
  • 212.102.56.178
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::17
  • 2a02:6ea0:c700::10
  • 2a02:6ea0:c700::22

keroserene.net (reputation: unknown)
  • 69.163.140.191

api.snapcraft.io (reputation: unknown)
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.58

connectivity-check.ubuntu.com (reputation: unknown)
  • 2620:2d:4000:1::22
  • 2001:67c:1562::24
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::196

30.100.168.192.in-addr.arpa (reputation: unknown)
  • no IP recorded

Threats

No threats detected
No debug info