The script seems to be malicious
It uses the ins_amd64 binary from this repository, and the behavior check at VirusTotal shows that it interacts with /etc/passwd and /proc and creates a systemd service. Can the repository maintainer explain this and/or provide the source code for it?
Another average malicious repo
I'd like to clarify the behavior you observed in the VirusTotal report.
About /etc/passwd and /proc access

This is standard behavior for any Go program using the net/http package. When establishing HTTPS connections, Go's runtime performs system calls that read these files:
- /etc/passwd - User lookup during network operations (part of getpwuid syscall)
- /proc - Process information for network socket operations
- /etc/ssl/certs/*.pem - CA certificates for TLS verification

This is not data exfiltration. You can verify that the network traffic only connects to Instagram's servers (i.instagram.com, www.instagram.com) and no sensitive data is transmitted.

About the systemd service

The systemd-related behavior shown in some VirusTotal sandbox reports is from the sandbox environment itself, not from this binary. Different sandbox environments (CAPE, Zenbox, etc.) have different background services running.

VirusTotal detection result

The file has a 0/72 detection rate - no antivirus engine flags it as malicious.
Did a little experiment on my end. By running the instagram music test in WSL and monitoring the WSL NIC traffic using Wireshark, I can see that it only connected to 4 IP addresses, two belonging to GitHub, and two belonging to Instagram, as seen in the DNS query prior to contacting each IP address.
However, I would urge the author to publish the source code to this binary.
Finally, thank you to the author very much for creating this tool! It is very useful.
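Both sides of this thread rest on claims that can be checked locally rather than trusted: which files the binary opens (and whether any of them are written), which hosts it connects to, and whether it is the binary or the sandbox that touches systemd unit directories. The script below is an added example, not code from this repository or its author. It summarizes a log produced by `strace -f -e trace=openat,connect -o trace.log ./<binary> ...` into read-only opens, writes, writes under systemd unit directories, and connect() destinations. The trace lines embedded here are constructed for the example (addresses are from documentation ranges), not captured from ins_amd64; the `POSITIVE_CONTROL` adds one constructed systemd write so the check can be seen to fire.

```python
import re

# Constructed strace output, NOT a real capture of the binary discussed above.
# Shape matches: strace -f -e trace=openat,connect -o trace.log ./<binary>
SAMPLE_TRACE = """\
4211 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 3
4211 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
4211 openat(AT_FDCWD, "/proc/self/maps", O_RDONLY|O_CLOEXEC) = 5
4211 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.0.1")}, 16) = 0
4212 connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
4212 connect(8, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = 0
"""

# Constructed positive control: one write into a systemd unit directory,
# added only to prove the systemd check below actually triggers.
POSITIVE_CONTROL = SAMPLE_TRACE + (
    '4211 openat(AT_FDCWD, "/etc/systemd/system/example.service", '
    'O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644) = 9\n'
)

# openat(<dirfd>, "<path>", <flags>[, mode]) = <fd>
OPENAT_RE = re.compile(r'openat\(\w+, "([^"]+)", ([A-Z_|]+)')
# IPv4 and IPv6 sockaddr fragments as strace prints them for connect()
INET4_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
INET6_RE = re.compile(r'sin6_port=htons\((\d+)\).*?inet_pton\(AF_INET6, "([^"]+)"')

# Directories where a unit file would have to land for the binary itself
# (rather than the sandbox) to be creating a systemd service.
SYSTEMD_DIRS = ("/etc/systemd/", "/usr/lib/systemd/", "/lib/systemd/", "/.config/systemd/")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT"}


def summarize(trace: str) -> dict:
    """Reduce an strace log to the facts relevant to this thread."""
    opened = {}      # path -> set of open flags seen across all opens
    connects = set() # (address, port) pairs from connect() calls
    for line in trace.splitlines():
        m = OPENAT_RE.search(line)
        if m:
            path, flags = m.group(1), set(m.group(2).split("|"))
            opened.setdefault(path, set()).update(flags)
            continue
        m = INET4_RE.search(line) or INET6_RE.search(line)
        if m:
            connects.add((m.group(2), int(m.group(1))))

    writes = sorted(p for p, f in opened.items() if f & WRITE_FLAGS)
    systemd_writes = [p for p in writes if any(d in p for d in SYSTEMD_DIRS)]
    return {
        "reads": sorted(set(opened) - set(writes)),
        "writes": writes,
        "systemd_writes": systemd_writes,
        "connects": sorted(connects),
    }


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("positive control", POSITIVE_CONTROL)):
        result = summarize(trace)
        print(f"== {label} ==")
        for key, values in result.items():
            print(f"{key:15} {values}")
```

Reading /etc/passwd with O_RDONLY and no writes is consistent with the maintainer's explanation; a write under any of `SYSTEMD_DIRS` attributed to the traced PID would not be, and would settle the "sandbox noise" question in the binary's disfavor. Resolve the connect() addresses against the DNS answers in the same capture (as the Wireshark experiment above did) before deciding they belong to GitHub and Instagram.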