File name:

sora.arm7

Full analysis: https://app.any.run/tasks/c8b076b5-4a90-42cb-8128-3a7690113ec1
Verdict: Malicious activity
Analysis date: October 03, 2025, 17:37:42
OS: Debian 12.2
Indicators:
MIME: application/x-executable
File info: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
MD5:

3D27CACA75855FDCD14FAE40BAA67FD2

SHA1:

B23D5CF58C71103E3935823CA2434D4A32D41060

SHA256:

8AC95425B0E37CB44BAFF04E531D2F059D4935143A040B046351A0BE05021C72

SSDEEP:

3072:P+SYHpczjcZNirKPniECUXfngM/iPggSa/kP:YmiNWKPniECUXfgM/iPgO/kP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MIRAI has been detected (SURICATA)

      • sora.arm7.elf (PID: 2169)
      • sora.arm7.elf (PID: 2154)
      • sora.arm7.elf (PID: 2153)
      • sora.arm7.elf (PID: 2170)

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 2144)

    • Modifies file or directory owner

      • sudo (PID: 2141)

    • Connects to unusual port

      • sora.arm7.elf (PID: 2153)
      • sora.arm7.elf (PID: 2169)
      • sora.arm7.elf (PID: 2154)
      • sora.arm7.elf (PID: 2170)

    • Reads network configuration

      • sora.arm7.elf (PID: 2147)
      • sora.arm7.elf (PID: 2153)

    • Gets active TCP connections

      • sora.arm7.elf (PID: 2147)
      • sora.arm7.elf (PID: 2153)

    • Contacting a server suspected of hosting an CnC

      • sora.arm7.elf (PID: 2154)
      • sora.arm7.elf (PID: 2169)
      • sora.arm7.elf (PID: 2153)
      • sora.arm7.elf (PID: 2170)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 32 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: Arm (up to Armv7/AArch32)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
215
Monitored processes
23
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs sora.arm7.elf no specs id no specs sora.arm7.elf no specs sora.arm7.elf no specs #MIRAI sora.arm7.elf #MIRAI sora.arm7.elf sora.arm7.elf no specs sora.arm7.elf no specs fstrim no specs sora.arm7.elf no specs #MIRAI sora.arm7.elf #MIRAI sora.arm7.elf sora.arm7.elf no specs sora.arm7.elf no specs sora.arm7.elf no specs sora.arm7.elf no specs sora.arm7.elf no specs sora.arm7.elf no specs

Process information

PID
CMD
Path
Indicators
Parent process
2140/bin/sh -c "sudo chown user /tmp/sora\.arm7\.elf && chmod +x /tmp/sora\.arm7\.elf && DISPLAY=:0 sudo -iu user /tmp/sora\.arm7\.elf "/usr/bin/dashany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2141sudo chown user /tmp/sora.arm7.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2142chown user /tmp/sora.arm7.elf/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2143chmod +x /tmp/sora.arm7.elf/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2144sudo -iu user /tmp/sora.arm7.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2147/tmp/sora.arm7.elf/tmp/sora.arm7.elfsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
2148id -u/usr/bin/idsora.arm7.elf
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
2151kjf3d40ia1boopf13g/tmp/sora.arm7.elfsora.arm7.elf
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
2152kjf3d40ia1boopf13g/tmp/sora.arm7.elfsora.arm7.elf
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
2153kjf3d40ia1boopf13g/tmp/sora.arm7.elf
sora.arm7.elf
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
2
Threats
8

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
481
avahi-daemon
224.0.0.251:5353
whitelisted
2153
sora.arm7.elf
91.235.116.149:1312
Tipzor Media Srl
RO
malicious
447
systemd-timesyncd
168.119.211.223:123
unknown
447
systemd-timesyncd
94.130.184.193:123
unknown
2169
sora.arm7.elf
91.235.116.149:1312
Tipzor Media Srl
RO
malicious
2154
sora.arm7.elf
91.235.116.149:1312
Tipzor Media Srl
RO
malicious
2170
sora.arm7.elf
91.235.116.149:1312
Tipzor Media Srl
RO
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
  • 2a00:1450:4001:809::200e
whitelisted

Threats

PID
Process
Class
Message
2154
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2154
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2169
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2169
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2153
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2153
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2170
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
2170
sora.arm7.elf
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sora.arm7