download:	/2025/07/22/P4XLO.jpeg
Full analysis:	https://app.any.run/tasks/0be923e0-2514-4918-9678-b1bb5d5efae2
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	July 25, 2025, 19:56:40
OS:	Ubuntu 22.04.2
Tags:	github miner
Indicators:
MIME:	image/jpeg
File info:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 640x640, components 3
MD5:	65C2498D7393BF1141578F4CEB3F348E
SHA1:	0D418AED57749A1829B7D497EBF44F68272F4E07
SHA256:	F8C6C873E8289EBBD52D3FC5B6552129D7E20F8A3466ACA2D6F1DD2CDD578780
SSDEEP:	6144:wngxqIQ/jyOOqJV9H8cXLiS7JSZlb5Y/iLkiUNH9V9MO:wng8IYJOq/18giOvNH9V9MO

.jpg	\|	JFIF JPEG bitmap (50)
.jpg	\|	JPEG bitmap (37.4)
.mp3	\|	MP3 audio (12.4)

JFIFVersion:	1.01
ResolutionUnit:	None
XResolution:	1
YResolution:	1

PID	Process	Filename		Type
41410	eog	/home/user/.cache/thumbnails/normal/695ae0065f5ae46fba0a275a1711af44.png		image
		MD5:—	SHA256:—
41410	eog	/home/user/.local/share/recently-used.xbel		xml
		MD5:—	SHA256:—
41497	dd	/home/user/Desktop/panda-v14.sh		text
		MD5:—	SHA256:—
41515	less	/home/user/.lesshsQ		text
		MD5:—	SHA256:—
41569	apt-get	/tmp/#6029335 (deleted)		text
		MD5:—	SHA256:—
41569	apt-get	/tmp/#6029338 (deleted)		text
		MD5:—	SHA256:—
41569	apt-get	/tmp/#6029339 (deleted)		text
		MD5:—	SHA256:—
41569	apt-get	/tmp/#6029359 (deleted)		text
		MD5:—	SHA256:—
41569	apt-get	/tmp/#6029358 (deleted)		text
		MD5:—	SHA256:—
41569	apt-get	/tmp/#6029364 (deleted)		text
		MD5:—	SHA256:—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	37.19.194.80:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	185.125.190.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41531	curl	140.82.121.4:443	github.com	GITHUB	US	whitelisted
41630	bash	51.79.215.200:7022	stratum-asia.rplant.xyz	OVH SAS	SG	unknown
41646	curl	140.82.121.4:443	github.com	GITHUB	US	whitelisted

Domain	IP	Reputation
connectivity-check.ubuntu.com	91.189.91.97 91.189.91.96 185.125.190.98 185.125.190.49 91.189.91.98 185.125.190.48 185.125.190.96 185.125.190.97 185.125.190.18 91.189.91.49 91.189.91.48 185.125.190.17 2620:2d:4002:1::196 2620:2d:4000:1::2a 2620:2d:4000:1::97 2620:2d:4000:1::23 2001:67c:1562::24 2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4002:1::198 2620:2d:4000:1::2b 2620:2d:4002:1::197 2620:2d:4000:1::98 2001:67c:1562::23	whitelisted
google.com	142.250.186.46 2a00:1450:4001:827::200e	whitelisted
odrs.gnome.org	37.19.194.80 195.181.170.19 195.181.175.41 169.150.255.181 212.102.56.179 207.211.211.27 2a02:6ea0:c700::101 2a02:6ea0:c700::11 2a02:6ea0:c700::21 2a02:6ea0:c700::107 2a02:6ea0:c700::18 2a02:6ea0:c700::19	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.54 185.125.188.58 185.125.188.57 2620:2d:4000:1010::117 2620:2d:4000:1010::2e6 2620:2d:4000:1010::344 2620:2d:4000:1010::42	whitelisted
12.100.168.192.in-addr.arpa	—	unknown
github.com	140.82.121.4	whitelisted
stratum-asia.rplant.xyz	51.79.215.200	unknown
release-assets.githubusercontent.com	185.199.111.133 185.199.109.133 185.199.108.133 185.199.110.133	unknown

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access release user assets on GitHub
—	—	Potential Corporate Privacy Violation	AV POLICY NiceHash Miner Subscribing To Pool
—	—	Crypto Currency Mining Activity Detected	ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
—	—	Crypto Currency Mining Activity Detected	ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
—	—	Potential Corporate Privacy Violation	AV POLICY NiceHash Miner Subscribing To Pool
—	—	Crypto Currency Mining Activity Detected	ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message

ImageSize:	640x640
Megapixels:	0.41

General Info

/2025/07/22/P4XLO.jpeg

65C2498D7393BF1141578F4CEB3F348E

0D418AED57749A1829B7D497EBF44F68272F4E07

F8C6C873E8289EBBD52D3FC5B6552129D7E20F8A3466ACA2D6F1DD2CDD578780

6144:wngxqIQ/jyOOqJV9H8cXLiS7JSZlb5Y/iLkiUNH9V9MO:wng8IYJOq/18giOvNH9V9MO

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MINER has been detected (SURICATA)

Application was dropped or rewritten from another process

SUSPICIOUS

Executes commands using command-line interpreter

Check the Environment Variables Related to System Identification (os-release)

Creates shell script file

Checks kernel name (uname)

Reads passwd file

Gets information about currently running processes

Potential Corporate Privacy Violation

Crypto Currency Mining Activity Detected

Checks type of computer hardware (uname)

Uses tools that copy files from or to remote systems

Connects to unusual port

Modifies bash configuration script

Uses base64 (probably to encode stolen data or decode malicious payload)

Executes the "rm" command to delete files or directories

Clears command history

INFO

Checks timezone

Malware configuration

Static information

TRiD

EXIF

JFIF

Composite

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings