Malware analysis tplink.sh Malicious activity | ANY.RUN

Add for printing

File name:	tplink.sh
Full analysis:	https://app.any.run/tasks/5621c321-0a54-4043-b07f-03f3daaf7e8f
Verdict:	Malicious activity
Analysis date:	April 25, 2025, 12:39:37
OS:	Ubuntu 22.04.2
MIME:	text/plain
File info:	ASCII text
MD5:	5AAE484F5E2EBB9E1F0CF546FE79030F
SHA1:	74248990CE73E523C5C4A203F032F9DED2C934BA
SHA256:	8237B49B2758863BE8366507F4199236F489EAB12BC823EE74A2DB9BFA9459DE
SSDEEP:	24:QvZi4w3Rk5zOt+MB083t3nkgyQ1kgmZQpkgKgkX:QvZi4whk5CEA0893kgP1kgmZQpkgKgkX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads passwd file
  - ls (PID: 40670)
  - ls (PID: 40672)
  - ls (PID: 40676)
  - ls (PID: 40674)
  - ls (PID: 40678)
  - ls (PID: 40688)
  - ls (PID: 40694)
  - ls (PID: 40692)
  - ls (PID: 40696)
  - ls (PID: 40680)
  - ls (PID: 40682)
  - ls (PID: 40684)
  - ls (PID: 40686)
  - ls (PID: 40690)
  - ls (PID: 40702)
  - ls (PID: 40704)
  - ls (PID: 40706)
  - ls (PID: 40708)
  - ls (PID: 40710)
  - ls (PID: 40712)
  - ls (PID: 40700)
  - ls (PID: 40698)
  - ls (PID: 40718)
  - ls (PID: 40724)
  - ls (PID: 40720)
  - ls (PID: 40729)
  - ls (PID: 40714)
  - ls (PID: 40716)
  - ls (PID: 40722)
  - ls (PID: 40726)
  - ls (PID: 40735)
  - ls (PID: 40740)
  - ls (PID: 40742)
  - ls (PID: 40745)
  - ls (PID: 40747)
  - ls (PID: 40731)
  - ls (PID: 40733)
  - ls (PID: 40737)
  - ls (PID: 40755)
  - ls (PID: 40763)
  - ls (PID: 40765)
  - ls (PID: 40759)
  - ls (PID: 40761)
  - ls (PID: 40749)
  - ls (PID: 40753)
  - ls (PID: 40751)
  - ls (PID: 40757)
  - ls (PID: 40775)
  - ls (PID: 40773)
  - ls (PID: 40769)
  - ls (PID: 40767)
  - ls (PID: 40771)
  - ls (PID: 40779)
  - ls (PID: 40781)
  - ls (PID: 40777)
  - ls (PID: 40787)
  - ls (PID: 40789)
  - ls (PID: 40795)
  - ls (PID: 40797)
  - ls (PID: 40799)
  - ls (PID: 40793)
  - ls (PID: 40783)
  - ls (PID: 40785)
  - ls (PID: 40791)
  - ls (PID: 40801)
  - ls (PID: 40811)
  - ls (PID: 40815)
  - ls (PID: 40809)
  - ls (PID: 40819)
  - ls (PID: 40803)
  - ls (PID: 40805)
  - ls (PID: 40807)
  - ls (PID: 40813)
  - ls (PID: 40817)
  - ls (PID: 40831)
  - ls (PID: 40823)
  - ls (PID: 40827)
  - ls (PID: 40825)
  - ls (PID: 40837)
  - ls (PID: 40835)
  - ls (PID: 40821)
  - ls (PID: 40829)
  - ls (PID: 40833)
  - ls (PID: 40843)
  - ls (PID: 40845)
  - ls (PID: 40851)
  - ls (PID: 40847)
  - ls (PID: 40849)
  - ls (PID: 40839)
  - ls (PID: 40841)
  - ls (PID: 40859)
  - ls (PID: 40861)
  - ls (PID: 40863)
  - ls (PID: 40867)
  - ls (PID: 40869)
  - ls (PID: 40853)
  - ls (PID: 40855)
  - ls (PID: 40857)
  - ls (PID: 40877)
  - ls (PID: 40873)
  - ls (PID: 40883)
  - ls (PID: 40885)
  - ls (PID: 40879)
  - ls (PID: 40887)
  - ls (PID: 40871)
  - ls (PID: 40865)
  - ls (PID: 40875)
  - ls (PID: 40891)
  - ls (PID: 40899)
  - ls (PID: 40893)
  - ls (PID: 40895)
  - ls (PID: 40897)
  - ls (PID: 40907)
  - ls (PID: 40881)
  - ls (PID: 40889)
  - ls (PID: 40923)
  - ls (PID: 40905)
  - ls (PID: 40915)
  - ls (PID: 40917)
  - ls (PID: 40925)
  - ls (PID: 40901)
  - ls (PID: 40909)
  - ls (PID: 40903)
  - ls (PID: 40913)
  - ls (PID: 40941)
  - ls (PID: 40933)
  - ls (PID: 40911)
  - ls (PID: 40919)
  - ls (PID: 40921)
  - ls (PID: 40943)
  - ls (PID: 40937)
  - ls (PID: 40947)
  - ls (PID: 40949)
  - ls (PID: 40935)
  - ls (PID: 40939)
  - ls (PID: 40945)
  - ls (PID: 40929)
  - ls (PID: 40951)
  - ls (PID: 40953)
  - ls (PID: 40927)
  - ls (PID: 40931)
  - ls (PID: 40961)
  - ls (PID: 40955)
  - ls (PID: 40963)
  - ls (PID: 40967)
  - ls (PID: 40969)
  - ls (PID: 40957)
  - ls (PID: 40959)
  - ls (PID: 40965)
  - ls (PID: 40977)
  - ls (PID: 40979)
  - ls (PID: 40981)
  - ls (PID: 40985)
  - ls (PID: 40987)
  - ls (PID: 40971)
  - ls (PID: 40973)
  - ls (PID: 40975)
  - ls (PID: 40983)
  - ls (PID: 40993)
  - ls (PID: 40995)
  - ls (PID: 41003)
  - ls (PID: 40999)
  - ls (PID: 41001)
  - ls (PID: 40989)
  - ls (PID: 40991)
  - ls (PID: 40997)
  - ls (PID: 41011)
  - ls (PID: 41009)
  - ls (PID: 41015)
  - ls (PID: 41013)
  - ls (PID: 41019)
  - ls (PID: 41005)
  - ls (PID: 41007)
  - ls (PID: 41027)
  - ls (PID: 41025)
  - ls (PID: 41033)
  - ls (PID: 41031)
  - ls (PID: 41037)
  - ls (PID: 41035)
  - ls (PID: 41017)
  - ls (PID: 41023)
  - ls (PID: 41021)
  - ls (PID: 41029)
  - ls (PID: 41041)
  - ls (PID: 41049)
  - ls (PID: 41051)
  - ls (PID: 41059)
  - ls (PID: 41045)
  - ls (PID: 41043)
  - ls (PID: 41057)
  - ls (PID: 41039)
  - ls (PID: 41047)
  - ls (PID: 41055)
  - ls (PID: 41063)
  - ls (PID: 41067)
  - ls (PID: 41065)
  - ls (PID: 41061)
  - ls (PID: 41069)
  - ls (PID: 41075)
  - ls (PID: 41053)
  - ls (PID: 41079)
  - ls (PID: 41085)
  - ls (PID: 41083)
  - ls (PID: 41081)
  - ls (PID: 41099)
  - ls (PID: 41097)
  - ls (PID: 41077)
  - ls (PID: 41073)
  - ls (PID: 41071)
  - ls (PID: 41087)
  - ls (PID: 41089)
  - ls (PID: 41091)
  - ls (PID: 41101)
  - ls (PID: 41095)
  - ls (PID: 41093)
  - ls (PID: 41111)
  - ls (PID: 41105)
  - ls (PID: 41107)
  - ls (PID: 41115)
  - ls (PID: 41103)
  - ls (PID: 41109)
  - ls (PID: 41113)
- Modifies file or directory owner
  - sudo (PID: 40661)
- Executes commands using command-line interpreter
  - sudo (PID: 40665)
- Executes the "rm" command to delete files or directories
  - bash (PID: 40667)
- Uses wget to download content
  - bash (PID: 41145)
  - bash (PID: 41130)
  - bash (PID: 41135)
  - bash (PID: 41140)
- Reads /proc/mounts (likely used to find writable filesystems)
  - cat (PID: 41117)
- Potential Corporate Privacy Violation
  - wget (PID: 41131)
  - wget (PID: 41136)
  - wget (PID: 41141)
  - wget (PID: 41146)
INFO
- Checks timezone
  - ls (PID: 40672)
  - ls (PID: 40670)
  - ls (PID: 40676)
  - ls (PID: 40674)
  - ls (PID: 40682)
  - ls (PID: 40678)
  - ls (PID: 40680)
  - ls (PID: 40684)
  - ls (PID: 40692)
  - ls (PID: 40690)
  - ls (PID: 40694)
  - ls (PID: 40698)
  - ls (PID: 40688)
  - ls (PID: 40686)
  - ls (PID: 40696)
  - ls (PID: 40708)
  - ls (PID: 40714)
  - ls (PID: 40706)
  - ls (PID: 40710)
  - ls (PID: 40712)
  - ls (PID: 40700)
  - ls (PID: 40704)
  - ls (PID: 40702)
  - ls (PID: 40724)
  - ls (PID: 40722)
  - ls (PID: 40733)
  - ls (PID: 40729)
  - ls (PID: 40726)
  - ls (PID: 40716)
  - ls (PID: 40718)
  - ls (PID: 40720)
  - ls (PID: 40740)
  - ls (PID: 40742)
  - ls (PID: 40745)
  - ls (PID: 40747)
  - ls (PID: 40731)
  - ls (PID: 40735)
  - ls (PID: 40737)
  - ls (PID: 40757)
  - ls (PID: 40755)
  - ls (PID: 40765)
  - ls (PID: 40763)
  - ls (PID: 40749)
  - ls (PID: 40753)
  - ls (PID: 40751)
  - ls (PID: 40771)
  - ls (PID: 40769)
  - ls (PID: 40761)
  - ls (PID: 40759)
  - ls (PID: 40767)
  - ls (PID: 40775)
  - ls (PID: 40773)
  - ls (PID: 40777)
  - ls (PID: 40781)
  - ls (PID: 40779)
  - ls (PID: 40783)
  - ls (PID: 40791)
  - ls (PID: 40799)
  - ls (PID: 40795)
  - ls (PID: 40797)
  - ls (PID: 40785)
  - ls (PID: 40787)
  - ls (PID: 40789)
  - ls (PID: 40793)
  - ls (PID: 40807)
  - ls (PID: 40805)
  - ls (PID: 40815)
  - ls (PID: 40809)
  - ls (PID: 40813)
  - ls (PID: 40811)
  - ls (PID: 40817)
  - ls (PID: 40801)
  - ls (PID: 40803)
  - ls (PID: 40831)
  - ls (PID: 40825)
  - ls (PID: 40829)
  - ls (PID: 40839)
  - ls (PID: 40833)
  - ls (PID: 40819)
  - ls (PID: 40821)
  - ls (PID: 40823)
  - ls (PID: 40827)
  - ls (PID: 40837)
  - ls (PID: 40845)
  - ls (PID: 40843)
  - ls (PID: 40851)
  - ls (PID: 40849)
  - ls (PID: 40847)
  - ls (PID: 40835)
  - ls (PID: 40841)
  - ls (PID: 40853)
  - ls (PID: 40859)
  - ls (PID: 40863)
  - ls (PID: 40871)
  - ls (PID: 40865)
  - ls (PID: 40867)
  - ls (PID: 40855)
  - ls (PID: 40857)
  - ls (PID: 40861)
  - ls (PID: 40873)
  - ls (PID: 40875)
  - ls (PID: 40879)
  - ls (PID: 40877)
  - ls (PID: 40887)
  - ls (PID: 40881)
  - ls (PID: 40883)
  - ls (PID: 40885)
  - ls (PID: 40869)
  - ls (PID: 40897)
  - ls (PID: 40891)
  - ls (PID: 40899)
  - ls (PID: 40893)
  - ls (PID: 40903)
  - ls (PID: 40905)
  - ls (PID: 40895)
  - ls (PID: 40889)
  - ls (PID: 40909)
  - ls (PID: 40913)
  - ls (PID: 40919)
  - ls (PID: 40923)
  - ls (PID: 40921)
  - ls (PID: 40907)
  - ls (PID: 40901)
  - ls (PID: 40911)
  - ls (PID: 40925)
  - ls (PID: 40937)
  - ls (PID: 40915)
  - ls (PID: 40917)
  - ls (PID: 40927)
  - ls (PID: 40929)
  - ls (PID: 40953)
  - ls (PID: 40939)
  - ls (PID: 40931)
  - ls (PID: 40933)
  - ls (PID: 40951)
  - ls (PID: 40949)
  - ls (PID: 40935)
  - ls (PID: 40947)
  - ls (PID: 40945)
  - ls (PID: 40941)
  - ls (PID: 40961)
  - ls (PID: 40955)
  - ls (PID: 40957)
  - ls (PID: 40969)
  - ls (PID: 40959)
  - ls (PID: 40965)
  - ls (PID: 40967)
  - ls (PID: 40971)
  - ls (PID: 40943)
  - ls (PID: 40963)
  - ls (PID: 40975)
  - ls (PID: 40979)
  - ls (PID: 40973)
  - ls (PID: 40985)
  - ls (PID: 40987)
  - ls (PID: 40981)
  - ls (PID: 40977)
  - ls (PID: 40983)
  - ls (PID: 40995)
  - ls (PID: 40989)
  - ls (PID: 40991)
  - ls (PID: 40997)
  - ls (PID: 41005)
  - ls (PID: 41003)
  - ls (PID: 40993)
  - ls (PID: 40999)
  - ls (PID: 41013)
  - ls (PID: 41011)
  - ls (PID: 41009)
  - ls (PID: 41023)
  - ls (PID: 41021)
  - ls (PID: 41001)
  - ls (PID: 41007)
  - ls (PID: 41015)
  - ls (PID: 41029)
  - ls (PID: 41027)
  - ls (PID: 41033)
  - ls (PID: 41025)
  - ls (PID: 41019)
  - ls (PID: 41017)
  - ls (PID: 41031)
  - ls (PID: 41043)
  - ls (PID: 41049)
  - ls (PID: 41045)
  - ls (PID: 41047)
  - ls (PID: 41055)
  - ls (PID: 41041)
  - ls (PID: 41039)
  - ls (PID: 41037)
  - ls (PID: 41035)
  - ls (PID: 41053)
  - ls (PID: 41057)
  - ls (PID: 41065)
  - ls (PID: 41067)
  - ls (PID: 41071)
  - ls (PID: 41061)
  - ls (PID: 41063)
  - ls (PID: 41051)
  - ls (PID: 41059)
  - ls (PID: 41069)
  - ls (PID: 41075)
  - ls (PID: 41077)
  - ls (PID: 41085)
  - ls (PID: 41093)
  - ls (PID: 41079)
  - ls (PID: 41081)
  - ls (PID: 41073)
  - ls (PID: 41083)
  - ls (PID: 41089)
  - ls (PID: 41099)
  - ls (PID: 41101)
  - ls (PID: 41095)
  - ls (PID: 41105)
  - ls (PID: 41091)
  - ls (PID: 41087)
  - ls (PID: 41097)
  - ls (PID: 41103)
  - ls (PID: 41113)
  - ls (PID: 41111)
  - ls (PID: 41107)
  - ls (PID: 41109)
  - ls (PID: 41115)
  - wget (PID: 41146)
  - wget (PID: 41131)
  - wget (PID: 41136)
  - wget (PID: 41141)
- Creates file in the temporary folder
  - bash (PID: 40667)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

705

Monitored processes

485

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40660	/bin/sh -c "sudo chown user /tmp/tplink\.sh && chmod +x /tmp/tplink\.sh && DISPLAY=:0 sudo -iu user /tmp/tplink\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
40661	sudo chown user /tmp/tplink.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40662	chown user /tmp/tplink.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40663	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40664	chmod +x /tmp/tplink.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40665	sudo -iu user /tmp/tplink.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40666	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40667	-bash --login -c \/tmp\/tplink\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40668	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
40669	-bash --login -c \/tmp\/tplink\.sh	/usr/bin/bash	—	bash
User: user Integrity Level: UNKNOWN Exit code: 512

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
41136	wget	GET	200	212.18.104.182:80	http://212.18.104.182/arm7	unknown	—	—	unknown
41141	wget	GET	200	212.18.104.182:80	http://212.18.104.182/mips	unknown	—	—	unknown
41131	wget	GET	200	212.18.104.182:80	http://212.18.104.182/arm5	unknown	—	—	unknown
41146	wget	GET	200	212.18.104.182:80	http://212.18.104.182/mpsl	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	169.150.255.184:443	odrs.gnome.org	—	GB	whitelisted
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41131	wget	212.18.104.182:80	—	Anas Firas Flayyih Al-Qaysi	GB	unknown
41136	wget	212.18.104.182:80	—	Anas Firas Flayyih Al-Qaysi	GB	unknown
41141	wget	212.18.104.182:80	—	Anas Firas Flayyih Al-Qaysi	GB	unknown
41146	wget	212.18.104.182:80	—	Anas Firas Flayyih Al-Qaysi	GB	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	91.189.91.97 185.125.190.49 185.125.190.17 185.125.190.48 185.125.190.96 185.125.190.18 91.189.91.48 91.189.91.96 185.125.190.97 91.189.91.98 91.189.91.49 185.125.190.98 2001:67c:1562::24 2620:2d:4000:1::98 2620:2d:4000:1::96 2620:2d:4002:1::198 2001:67c:1562::23 2620:2d:4002:1::196 2620:2d:4002:1::197 2620:2d:4000:1::23 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4000:1::2a 2620:2d:4000:1::22	whitelisted
odrs.gnome.org	169.150.255.184 207.211.211.26 195.181.170.18 37.19.194.81 169.150.255.181 212.102.56.178 195.181.175.40 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::101 2a02:6ea0:c700::11 2a02:6ea0:c700::18 2a02:6ea0:c700::107 2a02:6ea0:c700::19	whitelisted
google.com	142.250.186.78 2a00:1450:4001:828::200e	whitelisted
api.snapcraft.io	185.125.188.55 185.125.188.59 185.125.188.58 185.125.188.54 2620:2d:4000:1010::117 2620:2d:4000:1010::6d 2620:2d:4000:1010::344 2620:2d:4000:1010::42	whitelisted
8.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
41131	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41136	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41141	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41146	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

tplink.sh

5AAE484F5E2EBB9E1F0CF546FE79030F

74248990CE73E523C5C4A203F032F9DED2C934BA

8237B49B2758863BE8366507F4199236F489EAB12BC823EE74A2DB9BFA9459DE

24:QvZi4w3Rk5zOt+MB083t3nkgyQ1kgmZQpkgKgkX:QvZi4whk5CEA0893kgP1kgmZQpkgKgkX

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads passwd file

Modifies file or directory owner

Executes commands using command-line interpreter

Executes the "rm" command to delete files or directories

Uses wget to download content

Reads /proc/mounts (likely used to find writable filesystems)

Potential Corporate Privacy Violation

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings