Malware analysis tplink.sh Malicious activity | ANY.RUN

Add for printing

File name:	tplink.sh
Full analysis:	https://app.any.run/tasks/087703bc-c004-4f58-894d-2b88508fce31
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	June 01, 2025, 06:48:11
OS:	Ubuntu 22.04.2
Tags:	mirai botnet
Indicators:
MIME:	text/plain
File info:	ASCII text
MD5:	9CB948FC7C8F64D5F2629D1613F7CA65
SHA1:	C729F0093EB6CDC60BA3F5A54A763FE1B80D110F
SHA256:	2DF3B9C7A1EF50F1E6CCDC8A3AECF5FF4674024069286398A5340037D0237345
SSDEEP:	12:QvJXOpue8f+AiJKggrWKIw+gBA8U8W648v8o/uwvwQewKwUcolK4w30w3lK5q1:QvZi4w3RaBA8U8WB8v8o/uIGTW4dcK+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - wget (PID: 41486)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 41036)
  - bash (PID: 41037)
- Reads passwd file
  - ls (PID: 41040)
  - ls (PID: 41044)
  - ls (PID: 41042)
  - ls (PID: 41046)
  - ls (PID: 41052)
  - ls (PID: 41058)
  - ls (PID: 41060)
  - ls (PID: 41062)
  - ls (PID: 41064)
  - ls (PID: 41066)
  - ls (PID: 41048)
  - ls (PID: 41050)
  - ls (PID: 41054)
  - ls (PID: 41056)
  - ls (PID: 41072)
  - ls (PID: 41074)
  - ls (PID: 41076)
  - ls (PID: 41078)
  - ls (PID: 41082)
  - ls (PID: 41080)
  - ls (PID: 41068)
  - ls (PID: 41070)
  - ls (PID: 41086)
  - ls (PID: 41090)
  - ls (PID: 41092)
  - ls (PID: 41096)
  - ls (PID: 41094)
  - ls (PID: 41098)
  - ls (PID: 41102)
  - ls (PID: 41100)
  - ls (PID: 41084)
  - ls (PID: 41088)
  - ls (PID: 41104)
  - ls (PID: 41106)
  - ls (PID: 41108)
  - ls (PID: 41110)
  - ls (PID: 41116)
  - ls (PID: 41114)
  - ls (PID: 41112)
  - ls (PID: 41118)
  - ls (PID: 41124)
  - ls (PID: 41126)
  - ls (PID: 41130)
  - ls (PID: 41132)
  - ls (PID: 41128)
  - ls (PID: 41136)
  - ls (PID: 41134)
  - ls (PID: 41120)
  - ls (PID: 41122)
  - ls (PID: 41138)
  - ls (PID: 41142)
  - ls (PID: 41140)
  - ls (PID: 41144)
  - ls (PID: 41148)
  - ls (PID: 41150)
  - ls (PID: 41146)
  - ls (PID: 41160)
  - ls (PID: 41162)
  - ls (PID: 41166)
  - ls (PID: 41152)
  - ls (PID: 41154)
  - ls (PID: 41158)
  - ls (PID: 41156)
  - ls (PID: 41170)
  - ls (PID: 41172)
  - ls (PID: 41174)
  - ls (PID: 41176)
  - ls (PID: 41178)
  - ls (PID: 41182)
  - ls (PID: 41164)
  - ls (PID: 41168)
  - ls (PID: 41186)
  - ls (PID: 41184)
  - ls (PID: 41192)
  - ls (PID: 41198)
  - ls (PID: 41196)
  - ls (PID: 41180)
  - ls (PID: 41188)
  - ls (PID: 41190)
  - ls (PID: 41200)
  - ls (PID: 41206)
  - ls (PID: 41208)
  - ls (PID: 41202)
  - ls (PID: 41204)
  - ls (PID: 41210)
  - ls (PID: 41194)
  - ls (PID: 41214)
  - ls (PID: 41216)
  - ls (PID: 41222)
  - ls (PID: 41220)
  - ls (PID: 41224)
  - ls (PID: 41226)
  - ls (PID: 41232)
  - ls (PID: 41212)
  - ls (PID: 41218)
  - ls (PID: 41228)
  - ls (PID: 41236)
  - ls (PID: 41234)
  - ls (PID: 41238)
  - ls (PID: 41240)
  - ls (PID: 41242)
  - ls (PID: 41230)
  - ls (PID: 41250)
  - ls (PID: 41252)
  - ls (PID: 41254)
  - ls (PID: 41258)
  - ls (PID: 41256)
  - ls (PID: 41260)
  - ls (PID: 41262)
  - ls (PID: 41246)
  - ls (PID: 41244)
  - ls (PID: 41248)
  - ls (PID: 41264)
  - ls (PID: 41266)
  - ls (PID: 41272)
  - ls (PID: 41274)
  - ls (PID: 41270)
  - ls (PID: 41268)
  - ls (PID: 41278)
  - ls (PID: 41280)
  - ls (PID: 41284)
  - ls (PID: 41276)
  - ls (PID: 41290)
  - ls (PID: 41292)
  - ls (PID: 41286)
  - ls (PID: 41288)
  - ls (PID: 41302)
  - ls (PID: 41304)
  - ls (PID: 41282)
  - ls (PID: 41300)
  - ls (PID: 41296)
  - ls (PID: 41306)
  - ls (PID: 41308)
  - ls (PID: 41310)
  - ls (PID: 41312)
  - ls (PID: 41298)
  - ls (PID: 41294)
  - ls (PID: 41316)
  - ls (PID: 41318)
  - ls (PID: 41322)
  - ls (PID: 41328)
  - ls (PID: 41330)
  - ls (PID: 41324)
  - ls (PID: 41326)
  - ls (PID: 41334)
  - ls (PID: 41320)
  - ls (PID: 41314)
  - ls (PID: 41332)
  - ls (PID: 41338)
  - ls (PID: 41336)
  - ls (PID: 41342)
  - ls (PID: 41340)
  - ls (PID: 41344)
  - ls (PID: 41348)
  - ls (PID: 41346)
  - ls (PID: 41352)
  - ls (PID: 41350)
  - ls (PID: 41364)
  - ls (PID: 41362)
  - ls (PID: 41358)
  - ls (PID: 41360)
  - ls (PID: 41354)
  - ls (PID: 41356)
  - ls (PID: 41370)
  - ls (PID: 41384)
  - ls (PID: 41382)
  - ls (PID: 41376)
  - ls (PID: 41374)
  - ls (PID: 41380)
  - ls (PID: 41372)
  - ls (PID: 41366)
  - ls (PID: 41368)
  - ls (PID: 41388)
  - ls (PID: 41396)
  - ls (PID: 41390)
  - ls (PID: 41394)
  - ls (PID: 41392)
  - ls (PID: 41412)
  - ls (PID: 41408)
  - ls (PID: 41406)
  - ls (PID: 41378)
  - ls (PID: 41398)
  - ls (PID: 41386)
  - ls (PID: 41404)
  - ls (PID: 41410)
  - ls (PID: 41402)
  - ls (PID: 41400)
  - ls (PID: 41418)
  - ls (PID: 41414)
  - ls (PID: 41416)
  - ls (PID: 41420)
  - ls (PID: 41424)
  - ls (PID: 41422)
  - ls (PID: 41428)
  - ls (PID: 41430)
  - ls (PID: 41434)
  - ls (PID: 41432)
  - ls (PID: 41436)
  - ls (PID: 41426)
  - ls (PID: 41438)
  - ls (PID: 41444)
  - ls (PID: 41442)
  - ls (PID: 41450)
  - ls (PID: 41448)
  - ls (PID: 41452)
  - ls (PID: 41446)
  - ls (PID: 41440)
  - ls (PID: 41462)
  - ls (PID: 41458)
  - ls (PID: 41464)
  - ls (PID: 41454)
  - ls (PID: 41466)
  - ls (PID: 41470)
  - ls (PID: 41474)
  - ls (PID: 41478)
  - ls (PID: 41476)
  - ls (PID: 41480)
  - ls (PID: 41472)
  - ls (PID: 41456)
  - ls (PID: 41460)
  - ls (PID: 41468)
  - ls (PID: 41484)
  - ls (PID: 41482)
- Modifies file or directory owner
  - sudo (PID: 41033)
- Executes the "rm" command to delete files or directories
  - bash (PID: 41037)
- Uses wget to download content
  - bash (PID: 41037)
- Potential Corporate Privacy Violation
  - wget (PID: 41490)
  - wget (PID: 41494)
  - wget (PID: 41498)
  - wget (PID: 41502)
- Connects to the server without a host name
  - wget (PID: 41494)
  - wget (PID: 41498)
  - wget (PID: 41502)
INFO
- Checks timezone
  - ls (PID: 41042)
  - ls (PID: 41040)
  - ls (PID: 41046)
  - ls (PID: 41044)
  - ls (PID: 41054)
  - ls (PID: 41052)
  - ls (PID: 41056)
  - ls (PID: 41062)
  - ls (PID: 41064)
  - ls (PID: 41060)
  - ls (PID: 41048)
  - ls (PID: 41050)
  - ls (PID: 41058)
  - ls (PID: 41070)
  - ls (PID: 41068)
  - ls (PID: 41074)
  - ls (PID: 41076)
  - ls (PID: 41078)
  - ls (PID: 41080)
  - ls (PID: 41066)
  - ls (PID: 41072)
  - ls (PID: 41086)
  - ls (PID: 41088)
  - ls (PID: 41090)
  - ls (PID: 41092)
  - ls (PID: 41094)
  - ls (PID: 41096)
  - ls (PID: 41098)
  - ls (PID: 41102)
  - ls (PID: 41082)
  - ls (PID: 41084)
  - ls (PID: 41100)
  - ls (PID: 41106)
  - ls (PID: 41104)
  - ls (PID: 41108)
  - ls (PID: 41110)
  - ls (PID: 41116)
  - ls (PID: 41112)
  - ls (PID: 41114)
  - ls (PID: 41118)
  - ls (PID: 41122)
  - ls (PID: 41124)
  - ls (PID: 41126)
  - ls (PID: 41130)
  - ls (PID: 41128)
  - ls (PID: 41132)
  - ls (PID: 41134)
  - ls (PID: 41120)
  - ls (PID: 41136)
  - ls (PID: 41138)
  - ls (PID: 41142)
  - ls (PID: 41140)
  - ls (PID: 41144)
  - ls (PID: 41148)
  - ls (PID: 41146)
  - ls (PID: 41156)
  - ls (PID: 41160)
  - ls (PID: 41162)
  - ls (PID: 41164)
  - ls (PID: 41150)
  - ls (PID: 41154)
  - ls (PID: 41152)
  - ls (PID: 41158)
  - ls (PID: 41170)
  - ls (PID: 41174)
  - ls (PID: 41176)
  - ls (PID: 41178)
  - ls (PID: 41166)
  - ls (PID: 41168)
  - ls (PID: 41172)
  - ls (PID: 41186)
  - ls (PID: 41184)
  - ls (PID: 41188)
  - ls (PID: 41182)
  - ls (PID: 41192)
  - ls (PID: 41196)
  - ls (PID: 41180)
  - ls (PID: 41190)
  - ls (PID: 41204)
  - ls (PID: 41206)
  - ls (PID: 41208)
  - ls (PID: 41202)
  - ls (PID: 41210)
  - ls (PID: 41212)
  - ls (PID: 41194)
  - ls (PID: 41198)
  - ls (PID: 41200)
  - ls (PID: 41220)
  - ls (PID: 41218)
  - ls (PID: 41224)
  - ls (PID: 41222)
  - ls (PID: 41226)
  - ls (PID: 41216)
  - ls (PID: 41214)
  - ls (PID: 41236)
  - ls (PID: 41234)
  - ls (PID: 41238)
  - ls (PID: 41240)
  - ls (PID: 41246)
  - ls (PID: 41242)
  - ls (PID: 41232)
  - ls (PID: 41228)
  - ls (PID: 41230)
  - ls (PID: 41248)
  - ls (PID: 41252)
  - ls (PID: 41254)
  - ls (PID: 41250)
  - ls (PID: 41256)
  - ls (PID: 41258)
  - ls (PID: 41262)
  - ls (PID: 41260)
  - ls (PID: 41264)
  - ls (PID: 41244)
  - ls (PID: 41266)
  - ls (PID: 41274)
  - ls (PID: 41270)
  - ls (PID: 41272)
  - ls (PID: 41268)
  - ls (PID: 41276)
  - ls (PID: 41278)
  - ls (PID: 41284)
  - ls (PID: 41280)
  - ls (PID: 41292)
  - ls (PID: 41290)
  - ls (PID: 41286)
  - ls (PID: 41288)
  - ls (PID: 41300)
  - ls (PID: 41302)
  - ls (PID: 41282)
  - ls (PID: 41306)
  - ls (PID: 41308)
  - ls (PID: 41310)
  - ls (PID: 41312)
  - ls (PID: 41294)
  - ls (PID: 41298)
  - ls (PID: 41296)
  - ls (PID: 41314)
  - ls (PID: 41316)
  - ls (PID: 41322)
  - ls (PID: 41326)
  - ls (PID: 41324)
  - ls (PID: 41328)
  - ls (PID: 41330)
  - ls (PID: 41320)
  - ls (PID: 41304)
  - ls (PID: 41318)
  - ls (PID: 41334)
  - ls (PID: 41332)
  - ls (PID: 41338)
  - ls (PID: 41336)
  - ls (PID: 41340)
  - ls (PID: 41342)
  - ls (PID: 41344)
  - ls (PID: 41346)
  - ls (PID: 41348)
  - ls (PID: 41356)
  - ls (PID: 41352)
  - ls (PID: 41350)
  - ls (PID: 41360)
  - ls (PID: 41358)
  - ls (PID: 41362)
  - ls (PID: 41364)
  - ls (PID: 41366)
  - ls (PID: 41368)
  - ls (PID: 41354)
  - ls (PID: 41370)
  - ls (PID: 41382)
  - ls (PID: 41384)
  - ls (PID: 41376)
  - ls (PID: 41374)
  - ls (PID: 41372)
  - ls (PID: 41378)
  - ls (PID: 41380)
  - ls (PID: 41396)
  - ls (PID: 41386)
  - ls (PID: 41388)
  - ls (PID: 41392)
  - ls (PID: 41394)
  - ls (PID: 41390)
  - ls (PID: 41398)
  - ls (PID: 41400)
  - ls (PID: 41410)
  - ls (PID: 41404)
  - ls (PID: 41402)
  - ls (PID: 41408)
  - ls (PID: 41406)
  - ls (PID: 41412)
  - ls (PID: 41418)
  - ls (PID: 41416)
  - ls (PID: 41414)
  - ls (PID: 41420)
  - ls (PID: 41422)
  - ls (PID: 41428)
  - ls (PID: 41430)
  - ls (PID: 41434)
  - ls (PID: 41432)
  - ls (PID: 41436)
  - ls (PID: 41424)
  - ls (PID: 41426)
  - ls (PID: 41438)
  - ls (PID: 41446)
  - ls (PID: 41444)
  - ls (PID: 41440)
  - ls (PID: 41450)
  - ls (PID: 41448)
  - ls (PID: 41442)
  - ls (PID: 41462)
  - ls (PID: 41454)
  - ls (PID: 41458)
  - ls (PID: 41452)
  - ls (PID: 41466)
  - ls (PID: 41456)
  - ls (PID: 41470)
  - ls (PID: 41480)
  - ls (PID: 41478)
  - ls (PID: 41468)
  - ls (PID: 41474)
  - ls (PID: 41472)
  - ls (PID: 41464)
  - ls (PID: 41460)
  - ls (PID: 41476)
  - wget (PID: 41486)
  - ls (PID: 41482)
  - ls (PID: 41484)
  - wget (PID: 41490)
  - wget (PID: 41494)
  - wget (PID: 41498)
  - wget (PID: 41502)
- Creates file in the temporary folder
  - bash (PID: 41037)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

598

Monitored processes

470

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

41032

/bin/sh -c "sudo chown user /tmp/tplink\.sh && chmod +x /tmp/tplink\.sh && DISPLAY=:0 sudo -iu user /tmp/tplink\.sh "

/usr/bin/dash

—

IntiFjKCklFyPMJr

User:

root

Integrity Level:

UNKNOWN

Exit code:

32256

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41033

sudo chown user /tmp/tplink.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41034

chown user /tmp/tplink.sh

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41035

chmod +x /tmp/tplink.sh

/usr/bin/chmod

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41036

sudo -iu user /tmp/tplink.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

32256

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41037

-bash --login -c \/tmp\/tplink\.sh

/usr/bin/bash

—

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

32256

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

41038

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41039

-bash --login -c \/tmp\/tplink\.sh

/usr/bin/bash

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

512

41040

ls -l /proc/1/exe

/usr/bin/ls

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

512

Modules

Images
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4

41041

-bash --login -c \/tmp\/tplink\.sh

/usr/bin/bash

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
41490	wget	/var/tmp/skid.mpsl		binary
		MD5:—	SHA256:—
41494	wget	/var/tmp/skid.arm		binary
		MD5:—	SHA256:—
41498	wget	/var/tmp/skid.arm5		binary
		MD5:—	SHA256:—
41502	wget	/var/tmp/skid.arm7		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
41486	wget	GET	403	42.112.26.129:80	http://42.112.26.129/skid.mips	unknown	—	—	malicious
41487	busybox	GET	403	42.112.26.129:80	http://42.112.26.129/skid.mips	unknown	—	—	malicious
41494	wget	GET	200	42.112.26.129:80	http://42.112.26.129/skid.arm	unknown	—	—	malicious
41490	wget	GET	200	42.112.26.129:80	http://42.112.26.129/skid.mpsl	unknown	—	—	malicious
41498	wget	GET	200	42.112.26.129:80	http://42.112.26.129/skid.arm5	unknown	—	—	malicious
41502	wget	GET	200	42.112.26.129:80	http://42.112.26.129/skid.arm7	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	169.150.255.181:443	odrs.gnome.org	—	GB	whitelisted
—	—	91.189.91.49:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41486	wget	42.112.26.129:80	—	FPT Telecom Company	VN	malicious
41487	busybox	42.112.26.129:80	—	FPT Telecom Company	VN	malicious
41490	wget	42.112.26.129:80	—	FPT Telecom Company	VN	malicious

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	185.125.190.98 91.189.91.98 185.125.190.49 185.125.190.18 91.189.91.97 185.125.190.96 185.125.190.48 91.189.91.96 91.189.91.48 185.125.190.97 91.189.91.49 185.125.190.17 2620:2d:4000:1::23 2620:2d:4000:1::97 2620:2d:4002:1::197 2620:2d:4002:1::196 2620:2d:4000:1::2b 2620:2d:4000:1::96 2001:67c:1562::24 2620:2d:4000:1::22 2620:2d:4000:1::98 2620:2d:4000:1::2a 2620:2d:4002:1::198 2001:67c:1562::23	whitelisted
google.com	172.217.18.14 2a00:1450:4001:80b::200e	whitelisted
odrs.gnome.org	169.150.255.181 169.150.255.184 212.102.56.179 195.181.175.41 195.181.170.18 37.19.194.81 207.211.211.27 2a02:6ea0:c700::101 2a02:6ea0:c700::107 2a02:6ea0:c700::11 2a02:6ea0:c700::112 2a02:6ea0:c700::19 2a02:6ea0:c700::18 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.58 185.125.188.54 185.125.188.57 2620:2d:4000:1010::344 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::2e6	whitelisted
11.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	AV INFO Possible Mirai .mips Executable Download
—	—	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address
—	—	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET INFO ARM File Download Request from IP Address
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET INFO ARM7 File Download Request from IP Address
—	—	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File

Add for printing

No debug info

General Info

tplink.sh

9CB948FC7C8F64D5F2629D1613F7CA65

C729F0093EB6CDC60BA3F5A54A763FE1B80D110F

2DF3B9C7A1EF50F1E6CCDC8A3AECF5FF4674024069286398A5340037D0237345

12:QvJXOpue8f+AiJKggrWKIw+gBA8U8W648v8o/uwvwQewKwUcolK4w30w3lK5q1:QvZi4w3RaBA8U8WB8v8o/uIGTW4dcK+

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Executes commands using command-line interpreter

Reads passwd file

Modifies file or directory owner

Executes the "rm" command to delete files or directories

Uses wget to download content

Potential Corporate Privacy Violation

Connects to the server without a host name

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings