Open-source atomic malware analysis


github.com-ocaml-dune-v0.0.0-20260614152231-2386906cca5e.zip

ZIP
Verdict: BENIGN
Mal-ecule
O₈(AlC₃EuSAs₄DyEr₂Xe₂)H₇(Cm₇CrDbDsF₁₀Os₆Po₁₁)Md₃(Bi₂BkHe)
Size 6.1 MB download
First seen 1 day ago
Analyzed 1 day ago
Ecosystem go
Source googleusercontent.com
suspicious severity cross-file finding. Replace out or target artifacts
github.com-ocaml-dune-v0.0.0-20260614152231-2386906cca5e.zip zip
0x0 504b0304140008000800000000000000 PK..............User information fingerprinting
0x10 000000000000000000005c0000006769 ..........\...gi
0x20 746875622e636f6d2f6f63616d6c2f64 thub.com/ocaml/d
0x30 756e654076302e302e302d3230323630 une@v0.0.0-20260
0x40 3631343135323233312d323338363930 614152231-238690
0x50 3663636135652f2e636c6175 6cca5e/.clau
helpers.sh shell
1 export XDG_CACHE_HOME="$PWD/.cache"High-entropy function names
3 # Set the default platform for the purposes of solving dependencies so that the
4 # output of tests is platform-independent.output keyword
5 export DUNE_CONFIG__OS=linux
6 export DUNE_CONFIG__ARCH=x86_64
16 default_lock_dir="dune.lock"
17 source_lock_dir="${default_lock_dir}"
18 mock_packages="mock-opam-repository/packages"Codebase deletion target
20 # this needs to be a function, because it might be called from a subdir
default_repo_path() {
  # Resolved at call time on purpose: the caller may have cd'ed into a
  # subdirectory, so the mock repository URL must be rebuilt from the
  # current working directory rather than captured once at load time.
  local repo_url
  repo_url="file://$(pwd)/mock-opam-repository"
  printf '%s\n' "$repo_url"
}
53 local prefix
54 prefix="$(get_build_pkg_dir "$pkg")"
55 find "$prefix" | sort | dune_cmd subst "$prefix" ""find command token
56 }
# Dump the build cookie of package $1 through the censoring filter.
# Uses: $dune, get_build_pkg_dir and censor, all defined elsewhere in the
# test helpers. $dune is intentionally left unquoted (as in the rest of the
# helpers) so a multi-word command value is word-split.
show_pkg_cookie() {
  local pkg_name=$1
  local cookie_path
  cookie_path="$(get_build_pkg_dir "$pkg_name")/target/cookie"
  # stderr is merged into the pipe so censor sees diagnostics as well
  $dune internal dump "$cookie_path" 2>&1 | censor
}
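# Create the package directory of the mock opam repository (idempotent).
# Reads: mock_packages - path of the packages directory.
# Returns: mkdir's exit status.
mkrepo() {
  # Quote the expansion and end option parsing with "--" so a path that
  # contains whitespace or starts with "-" is created as one directory
  # instead of being word-split into several mkdir arguments.
  mkdir -p -- "$mock_packages"
}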
106 mkdir foo
107 cat > foo/dune-project <<-'EOF'Project or workspace deletion target
108 (lang dune 3.13)
109 (package (name foo))
115 EOF
116 tar cf foo.tar foo
117 rm -rf fooShell execution capability
118 }
137 ]
138 url {
139 src: "http://0.0.0.0:${PORT}"HTTP request targets loopback address (local IPC)
140 checksum: [
141 "md5=$(md5sum foo.tar | cut -f1 -d' ')"Invokes md5sum
142 ]
143 }
284 (source
285 (fetch
286 (url http://localhost:1)Hardcoded localhost network host
287 (checksum md5=${src_checksum})))
288 EOF
558 solve_project <<EOFshell script heredoc
559 (lang dune 3.11)
560 (package
setup-script.sh shell
# Wrapper that runs the real jq with the test suite's module directory
# added to its library search path. "command" bypasses this function so
# the call does not recurse. Reads: INSIDE_DUNE (root of the checkout).
jq() {
  local module_dir="$INSIDE_DUNE/test/blackbox-tests"
  command jq -L"$module_dir" "$@"
}
49 export XDG_CACHE_HOME="$PWD/.cache"Discovers system information via environment variables
# Point XDG_RUNTIME_DIR at a private per-test directory and create it.
# Reads: TMPDIR (falls back to $PWD). Writes/exports: XDG_RUNTIME_DIR.
# The directory is made owner-only (0700) as the XDG spec expects for a
# runtime dir; chmod runs after mkdir -p so an existing dir is fixed too.
setup_xdg_runtime_dir () {
  local runtime_dir="${TMPDIR:-$PWD}/.xdg-runtime"
  export XDG_RUNTIME_DIR="$runtime_dir"
  mkdir -p "$runtime_dir"
  chmod 700 "$runtime_dir"
}
60 cat > config <<EOFshell script heredoc
61 (lang dune 3.0)
62 (cache enabled)
67 EOF
68 fi
69 cat > dune-project <<EOFProject or workspace deletion target
70 (lang dune 3.5)
71 EOF
192 echo 'DUNE_SANDBOX=symlink dune "$@"'
193 } >sdune
194 chmod +x sdunechmod +x (make executable)
195 }
702 (modules ())
703 (inline_tests.backend
704 e_runner (run sed "s/(\\*TEST:\\(.*\\)\\*)/let () = if \"%{inline_tests}\" = \"enabled\" then \\1;;/Contains Windows executable file path
705
706 (library
988 (with-stdout-to
989 foo.ml
990 (run ./gen.exe)))Windows executable extension marker
991 EOF
992 fi
1402 with_timeout_quiet () {
1403 output=$(mktemp)Shell command execution capability detected
1404 $timeout 2 "$@" >"$output" 2>&1
1405 exit_code=$?
1428 # On Linux, we may run into a bash pid aliasing bug that causes wait to
1429 # reject the pid. Therefore we use tail to wait instead.
1430 if [ "$(uname -s)" = "Linux" ]uname command for fingerprinting
1431 then
1432 # wait for all child processes
1441 pid=$1
1442 iterations=$2
1443 while kill -0 "$pid" 2>/dev/nullOutput/error suppression
1444 do
1445 if [ "$iterations" = 0 ]
1493 build . | grep -v Success
1494 between=$(cat _build/default/result)
1495 bash -c "$action"any interactive shell exec
1496 build . | grep -v Success
1497 stop_dune >> .#tmpReference to a temporary directory
1498 after=$(cat _build/default/result)
1499 cat .#tmp
conf.py python
1 #!/usr/bin/env python3Python file extension
2 # -*- coding: utf-8 -*-
3 #
5 # sphinx-quickstart on Tue Apr 11 21:24:42 2017.
6 #
7 # This file is execfile()d with the current directory set to itsEnglish language detection
8 # containing dir.
9 #
20 import os
21 import sys
22 sys.path.append(os.path.abspath('exts'))sys.path mutation (alters module search path)
36 # Read constant from a file
37 version_file = Path(__file__).parent.parent / "otherlibs/dune-rpc/types.ml"
38 text = version_file.read_text()Read text via pathlib
57 def add_describe_anchors(app: Sphinx, doctree):
58 for desc in doctree.findall(addnodes.desc):Iteration or loop pattern
59 if desc.get("desctype") != "describe":
60 continue
69 def setup(app: Sphinx):setup.py installation file
70 app.add_config_value("latest", LATEST, "env")
71 app.connect("source-read", replace_substitutions)any language socket dial primitive
72 app.connect("doctree-read", add_describe_anchors)
103 # General information about the project.Project/workspace keyword
104 project = 'Dune'
105 copyright = u'2017 - 2025, Jérémie Dimino & the Dune maintainers'
115 # List of patterns, relative to source directory, that match files and
116 # directories to ignore when looking for source files.Source or test keyword
117 # This patterns also effect to html_static_path and html_extra_path
118 exclude_patterns = [
148 "source_repository": "https://github.com/ocaml/dune/",HTTPS protocol prefix
149 "source_branch": "main",
150 "source_directory": "doc/",

Objectives

suspicious severity, 90% confident.
anti-analysis/sandbox-detect Python strace or ltrace tool string
suspicious severity, 94% confident.
command-and-control/backdoor/tasking Kotlin activate token
suspicious severity, 90% confident.
exfiltration/http Shell creates tar archive

Micro-behaviors

notable severity, 100% confident.
communications/http/services GitHub issue management
notable severity, 100% confident.
communications/socket Raw socket send call
notable severity, 92% confident.
fs/lock Exclusive byte-range file locking

Metadata

20 of 146 traits shown

Identity

SHA-256 4e266d05bc815855f1991ad455fe7febf0a73d2877f8795611377bb3111b1a6a
Canonical SHA-256 001c2eab9458a974be446e76ed6d3b0befffb152b8555adba68d5e225ec2f62f
Filename github.com-ocaml-dune-v0.0.0-20260614152231-2386906cca5e.zip
Package github.com
Version v0.0.0-20260614152231-2386906cca5e

Origin

Source harvest
Feed pkg.go.dev
Ecosystem go
Domain googleusercontent.com

Timeline

First seen 14 Jun 2026 12:53 UTC
First analyzed 14 Jun 2026 14:05 UTC
Last analyzed 14 Jun 2026 14:05 UTC
Last updated 14 Jun 2026 14:05 UTC

Labeling

Label unknown
Label source harvest
Traits version 061e3