File name: sora.x86
Full analysis: https://app.any.run/tasks/3c062a55-7eca-4cf6-b900-9e4304edd047
Verdict: Malicious activity
Analysis date: August 30, 2024, 04:25:57
OS: Ubuntu 22.04.2
Indicators:
MIME: application/x-executable
File info: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
MD5: A79B65451ED1200FC3BA344C1C091DA9
SHA1: 0498AF29F1C04E94DEF58E61E3482E7EE2EF202D
SHA256: 23163D973C073F2295767B034B3DB17B5BA1308302E1674D061B5D60CDBA332F
SSDEEP: 768:/WR02ysGo26pzR5+Cqd/mTwIJA2wJTYbKwl:/IZGod9R5+CqZm8Iy2wJTl+
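To reproduce the "File info" line above from the raw headers rather than trusting the sandbox's file(1) output, the following added Python example (not part of the ANY.RUN report) parses the ELF header and program headers and renders the same description. build_sample_elf() is a constructed stand-in binary with the same header shape as the sample (32-bit, LSB, Intel 80386, statically linked, no section header table); it is not the sora.x86 sample, so its hashes will not match those listed. The ELF layout constants are from the ELF specification.

```python
"""ELF header triage, reproducing a file(1)-style 'File info' line.

Added example, not part of the ANY.RUN report.  build_sample_elf() is a
constructed stand-in with the sample's header properties, not the sample.
"""
import hashlib
import struct

PT_DYNAMIC, PT_INTERP = 2, 3
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
EM_NAMES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "ARM aarch64"}
OSABI_NAMES = {0: "SYSV", 3: "GNU/Linux"}


def parse_elf(data: bytes) -> dict:
    """Read the ELF header and program headers only.  Nothing here depends on
    a section header table, which is exactly what stripped IoT bot binaries
    ('no section header' in file(1) output) lack."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt e_ident")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # Elf32_Ehdr / Elf32_Phdr layouts
        ehdr_fmt, phdr_fmt = end + "HHIIIIIHHHHHH", end + "IIIIIIII"
    else:               # Elf64_Ehdr / Elf64_Phdr layouts
        ehdr_fmt, phdr_fmt = end + "HHIQQQIHHHHHH", end + "IIQQQQQQ"
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _,
     _, e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(ehdr_fmt, data, 16)
    p_types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            raise ValueError("program header table runs past end of file")
        p_types.append(struct.unpack_from(phdr_fmt, data, off)[0])  # p_type is first in both layouts
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": ET_NAMES.get(e_type, "unknown type %d" % e_type),
        "machine": EM_NAMES.get(e_machine, "unknown machine 0x%x" % e_machine),
        "version": ei_version,
        "osabi": OSABI_NAMES.get(ei_osabi, "unknown ABI %d" % ei_osabi),
        "entry": e_entry,
        # file(1) says 'statically linked' when there is no interpreter and no dynamic segment
        "static": PT_INTERP not in p_types and PT_DYNAMIC not in p_types,
        "section_headers": e_shoff != 0 and e_shnum != 0,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def describe(info: dict) -> str:
    """Render the parsed fields as a file(1)-style one-liner."""
    parts = [
        "ELF %d-bit %s %s" % (info["bits"], info["endian"], info["type"]),
        info["machine"],
        "version %d (%s)" % (info["version"], info["osabi"]),
        "statically linked" if info["static"] else "dynamically linked",
    ]
    if not info["section_headers"]:
        parts.append("no section header")
    return ", ".join(parts)


def build_sample_elf() -> bytes:
    """Constructed stand-in: one PT_LOAD segment holding an exit() stub,
    no PT_INTERP/PT_DYNAMIC, e_shoff = e_shnum = 0.  Only the header shape
    matches the report's sample; the bytes and hashes do not."""
    base, ehdr_size, phdr_size = 0x08048000, 52, 32
    code = b"\x31\xc0\x40\xcd\x80"          # xor eax,eax; inc eax; int 0x80 (sys_exit)
    total = ehdr_size + phdr_size + len(code)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 3]) + b"\x00" * 8   # ELFCLASS32, LSB, EV_CURRENT, GNU/Linux ABI
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1, base + ehdr_size + phdr_size,   # ET_EXEC, EM_386, version, e_entry
                                 ehdr_size, 0, 0,                          # e_phoff, e_shoff (none), e_flags
                                 ehdr_size, phdr_size, 1, 0, 0, 0)         # sizes, e_phnum=1, no section headers
    phdr = struct.pack("<IIIIIIII", 1, 0, base, base, total, total, 5, 0x1000)  # PT_LOAD, R+X
    return ehdr + phdr + code


if __name__ == "__main__":
    info = parse_elf(build_sample_elf())
    print(describe(info))
    print("SHA256:", info["sha256"])
```

Run against the real sample file, parse_elf(open(path, "rb").read()) should give the hashes listed above and describe() should print the same "File info" line; a mismatch in either is the first sign that the file you have is not the one the sandbox ran.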

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • MIRAI has been detected (SURICATA)
      • sora.x86.o (PID: 13422)
  • SUSPICIOUS
    • Gets active TCP connections
      • sora.x86.o (PID: 13418)
      • sora.x86.o (PID: 13422)
    • Modifies file or directory owner
      • sudo (PID: 13413) (the sandbox's own launcher step, see the process list; not sample behaviour)
    • Reads network configuration
      • sora.x86.o (PID: 13418)
      • sora.x86.o (PID: 13422)
    • Connects to unusual port
      • sora.x86.o (PID: 13422)
    • Contacting a server suspected of hosting a CnC
      • sora.x86.o (PID: 13422)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (49.8)

EXIF (EXE)

CPUArchitecture: 32 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: i386
Total processes: 229
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes as listed in the graph (#MIRAI marks the process that fired the Suricata Mirai signature; the others raised no indicator of their own):
sh, sudo, chown, chmod, sudo, sora.x86.o, locale-check, sora.x86.o, sora.x86.o, sora.x86.o (#MIRAI), sora.x86.o, sora.x86.o, sora.x86.o, systemctl, systemctl

Process information

PID 13412   /bin/sh -c "sudo chown user /tmp/sora\.x86\.o && chmod +x /tmp/sora\.x86\.o && DISPLAY=:0 sudo -iu user /tmp/sora\.x86\.o "
  Path: /bin/sh   Parent: any-guest-agent   User: root   Integrity Level: UNKNOWN   Exit code: 0
  (Sandbox launcher, not sample behaviour: the guest agent hands the file to the unprivileged account, marks it executable and starts it as that user. PIDs 13413 to 13416 are this launcher chain.)
PID 13413   sudo chown user /tmp/sora.x86.o
  Path: /usr/bin/sudo   Parent: sh   User: root   Integrity Level: UNKNOWN   Exit code: 0
  Indicators: Modifies file or directory owner
PID 13414   chown user /tmp/sora.x86.o
  Path: /usr/bin/chown   Parent: sudo   User: root   Integrity Level: UNKNOWN   Exit code: 0
PID 13415   chmod +x /tmp/sora.x86.o
  Path: /usr/bin/chmod   Parent: sh   User: root   Integrity Level: UNKNOWN   Exit code: 0
PID 13416   sudo -iu user /tmp/sora.x86.o
  Path: /usr/bin/sudo   Parent: sh   User: root   Integrity Level: UNKNOWN   Exit code: 0
PID 13418   /tmp/sora.x86.o
  Path: /tmp/sora.x86.o   Parent: sudo   User: user   Integrity Level: UNKNOWN   Exit code: 0
  Indicators: Gets active TCP connections; Reads network configuration
PID 13419   /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check   Parent: sora.x86.o   User: user   Integrity Level: UNKNOWN   Exit code: 0
PID 13420   /tmp/sora.x86.o
  Parent: sora.x86.o   User: user   Integrity Level: UNKNOWN   Exit code: not recorded
PID 13421   /tmp/sora.x86.o
  Parent: sora.x86.o   User: user   Integrity Level: UNKNOWN   Exit code: 0
PID 13422   /tmp/sora.x86.o
  Parent: sora.x86.o   User: user   Integrity Level: UNKNOWN   Exit code: not recorded
  Indicators: MIRAI has been detected (SURICATA); Gets active TCP connections; Reads network configuration; Connects to unusual port; Contacting a server suspected of hosting a CnC
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files: none
HTTP(S) requests: 1
TCP/UDP connections: 10
DNS requests: 14
Threats: 3

HTTP requests

PID/Process: not attributed   Method: GET   HTTP code: 204   IP: 91.189.91.97:80   URL: http://connectivity-check.ubuntu.com/   CN: unknown   Type/Size: not recorded   Reputation: whitelisted
(The guest's Ubuntu connectivity check; the request carries no PID, and the sample's only attributed connection is the one to 5.59.248.234 below.)

Connections

PID    Process        IP:port               Domain                          ASN                       CN   Reputation
-      -              185.125.190.49:80     connectivity-check.ubuntu.com   Canonical Group Limited   GB   whitelisted
470    avahi-daemon   224.0.0.251:5353      -                               -                         -    unknown
-      -              169.150.255.181:443   odrs.gnome.org                  -                         GB   whitelisted
-      -              91.189.91.97:80       connectivity-check.ubuntu.com   Canonical Group Limited   US   whitelisted
13422  sora.x86.o     5.59.248.234:1312     -                               -                         CZ   unknown
485    snapd          185.125.188.54:443    api.snapcraft.io                Canonical Group Limited   GB   whitelisted
485    snapd          185.125.188.58:443    api.snapcraft.io                Canonical Group Limited   GB   whitelisted

Only the PID 13422 row is attributable to the sample: a direct-to-IP connection on TCP port 1312 with no preceding DNS lookup, which is the connection the "Connects to unusual port" and CnC indicators refer to. The remaining rows are guest-OS background traffic (Ubuntu connectivity check, avahi mDNS, GNOME ODRS, snapd).

DNS requests

Domain: resolved IPs (reputation)
connectivity-check.ubuntu.com
  • 185.125.190.49
  • 91.189.91.97
  • 185.125.190.48
  • 91.189.91.48
  • 185.125.190.98
  • 185.125.190.97
  • 185.125.190.18
  • 91.189.91.49
  • 185.125.190.17
  • 185.125.190.96
  • 91.189.91.96
  • 91.189.91.98
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::24
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::97
whitelisted
google.com
  • 142.250.184.238
  • 2a00:1450:4001:831::200e
whitelisted
odrs.gnome.org
  • 169.150.255.181
  • 195.181.170.18
  • 37.19.194.80
  • 207.211.211.27
  • 195.181.175.40
  • 169.150.255.183
  • 212.102.56.179
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::21
whitelisted
api.snapcraft.io
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.55
  • 185.125.188.58
whitelisted
188.100.168.192.in-addr.arpa (PTR query for 192.168.100.188; no answer listed)
unknown

Threats

PID    Process      Class                                           Message
13422  sora.x86.o   Misc Attack                                     ET CINS Active Threat Intelligence Poor Reputation IP group 6
13422  sora.x86.o   Malware Command and Control Activity Detected   BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
13422  sora.x86.o   Malware Command and Control Activity Detected   BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
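The Connections and Threats tables above mix guest-OS background traffic with the sample's own flow, and all three alerts hang off a single PID. The following added Python example (not part of the ANY.RUN report) encodes the connection rows as constructed records, keeps only the flows attributable to the sample's PIDs (taken from the process list), records why each one is interesting, and turns the result into local Suricata rules. The SAMPLE_PIDS set, the COMMON_PORTS list, the sid range and the rule message text are assumptions of this example; the ET/ANY.RUN signature bodies are not reproduced.

```python
"""Attribute a sandbox network table to the sample and emit IOC rules.

Added example, not part of the ANY.RUN report.  CONNECTIONS is constructed
from the report's Connections table; SAMPLE_PIDS from its process list.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "pid process ip port domain reputation")

# Constructed from the Connections table: guest-OS background traffic
# (connectivity check, avahi mDNS, GNOME ODRS, snapd) beside the sample's flow.
CONNECTIONS = [
    Conn(None, None, "185.125.190.49", 80, "connectivity-check.ubuntu.com", "whitelisted"),
    Conn(470, "avahi-daemon", "224.0.0.251", 5353, None, "unknown"),
    Conn(None, None, "169.150.255.181", 443, "odrs.gnome.org", "whitelisted"),
    Conn(None, None, "91.189.91.97", 80, "connectivity-check.ubuntu.com", "whitelisted"),
    Conn(13422, "sora.x86.o", "5.59.248.234", 1312, None, "unknown"),
    Conn(485, "snapd", "185.125.188.54", 443, "api.snapcraft.io", "whitelisted"),
    Conn(485, "snapd", "185.125.188.58", 443, "api.snapcraft.io", "whitelisted"),
]

# PIDs of the sample's own processes, from the report's process list (assumed complete).
SAMPLE_PIDS = {13418, 13420, 13421, 13422}
# Destination ports that would not by themselves make an outbound flow "unusual" (assumption).
COMMON_PORTS = {22, 23, 53, 80, 443}


def sample_iocs(conns, sample_pids=SAMPLE_PIDS):
    """Return the flows attributable to the sample with the reasons each
    one matters; rows from other PIDs or to local/multicast addresses are
    dropped as sandbox noise."""
    iocs = []
    for c in conns:
        if c.pid not in sample_pids:
            continue
        addr = ipaddress.ip_address(c.ip)
        if addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_link_local:
            continue
        reasons = []
        if c.domain is None:
            reasons.append("hard-coded IP, no DNS resolution")
        if c.port not in COMMON_PORTS:
            reasons.append("unusual port %d" % c.port)
        if c.reputation != "whitelisted":
            reasons.append("reputation %s" % c.reputation)
        iocs.append({"pid": c.pid, "process": c.process, "ip": c.ip,
                     "port": c.port, "reasons": reasons})
    return iocs


def suricata_rules(iocs, first_sid=1000001):
    """One plain IP/port Suricata rule per IOC.  The sid range and msg text
    are this example's own choices; 1000000+ is the conventional local range."""
    rules = []
    for n, ioc in enumerate(iocs):
        msg = "Sandbox-derived C2 candidate %s:%d (%s)" % (ioc["ip"], ioc["port"], ioc["process"])
        rules.append(
            'alert tcp $HOME_NET any -> %s %d (msg:"%s"; flow:to_server; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (ioc["ip"], ioc["port"], msg, first_sid + n))
    return rules


if __name__ == "__main__":
    found = sample_iocs(CONNECTIONS)
    for ioc in found:
        print(ioc)
    for rule in suricata_rules(found):
        print(rule)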