Malware Analysis Report

2025-06-16 02:03

Sample ID 250221-tgvz4swrs9
Target na.elf
SHA256 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
Tags
upx prometei_elf botnet discovery miner persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476

Threat Level: Known bad

The file na.elf was found to be: Known bad.

Malicious Activity Summary

upx prometei_elf botnet discovery miner persistence privilege_escalation

Prometei

Prometei_elf family

Deletes itself

Modifies hosts file

Modifies systemd

Write file to user bin folder

Enumerates running processes

UPX packed file

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-21 16:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-21 16:02

Reported

2025-02-21 16:04

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

6s

Max time network

131s

Command Line

[/tmp/na.elf]

Signatures

Prometei

botnet miner prometei_elf

Prometei_elf family

prometei_elf

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/na.elf N/A

Modifies hosts file

Description Indicator Process Target
File opened for modification /etc/hosts /tmp/na.elf N/A

Enumerates running processes

Modifies systemd

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /lib/systemd/system/uplugplay.service /tmp/na.elf N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/uplugplay /tmp/na.elf N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/2347/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/55/status /usr/bin/pgrep N/A
File opened for reading /proc/2353/stat /usr/bin/pgrep N/A
File opened for reading /proc/28/status /usr/bin/pgrep N/A
File opened for reading /proc/2565/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/186/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2591/ctty /usr/bin/pgrep N/A
File opened for reading /proc/34/stat /usr/bin/pgrep N/A
File opened for reading /proc/790/status /usr/bin/pgrep N/A
File opened for reading /proc/2345/cmdline /usr/bin/pidof N/A
File opened for reading /proc/52/stat /usr/bin/pgrep N/A
File opened for reading /proc/189/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2856/stat /usr/bin/pgrep N/A
File opened for reading /proc/23/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/191/status /usr/bin/pgrep N/A
File opened for reading /proc/274/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2495/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2366/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/192/status /usr/bin/pgrep N/A
File opened for reading /proc/2079/cmdline /usr/bin/pidof N/A
File opened for reading /proc/44/stat /usr/bin/pgrep N/A
File opened for reading /proc/1399/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2284/cmdline /usr/bin/pidof N/A
File opened for reading /proc/40/stat /usr/bin/pgrep N/A
File opened for reading /proc/180/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/4/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/439/status /usr/bin/pgrep N/A
File opened for reading /proc/44/stat /usr/bin/pidof N/A
File opened for reading /proc/55/cmdline /usr/bin/pidof N/A
File opened for reading /proc/235/stat /usr/bin/pidof N/A
File opened for reading /proc/63/stat /usr/bin/pidof N/A
File opened for reading /proc/1400/stat /usr/bin/pgrep N/A
File opened for reading /proc/2806/status /usr/bin/pgrep N/A
File opened for reading /proc/184/cmdline /usr/bin/pidof N/A
File opened for reading /proc/439/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2359/status /usr/bin/pgrep N/A
File opened for reading /proc/274/stat /usr/bin/pgrep N/A
File opened for reading /proc/513/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1061/ctty /usr/bin/pgrep N/A
File opened for reading /proc/197/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2585/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2169/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2247/status /usr/bin/pgrep N/A
File opened for reading /proc/39/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/884/stat /usr/bin/pgrep N/A
File opened for reading /proc/2585/status /usr/bin/pgrep N/A
File opened for reading /proc/2250/stat /usr/bin/pgrep N/A
File opened for reading /proc/2335/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1109/stat /usr/bin/pidof N/A
File opened for reading /proc/45/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2347/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/194/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/586/stat /usr/bin/pgrep N/A
File opened for reading /proc/2169/stat /usr/bin/pgrep N/A
File opened for reading /proc/586/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2346/stat /usr/bin/pidof N/A
File opened for reading /proc/2682/cmdline /usr/bin/pidof N/A
File opened for reading /proc/43/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/196/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/15/ctty /usr/bin/pgrep N/A
File opened for reading /proc/39/stat /usr/bin/pgrep N/A
File opened for reading /proc/512/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2621/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2677/stat /usr/bin/pgrep N/A

Processes

/tmp/na.elf

[/tmp/na.elf]

/bin/sh

[sh -c pgrep na.elf]

/usr/bin/pgrep

[pgrep na.elf]

/bin/sh

[sh -c pgrep uplugplay]

/usr/bin/pgrep

[pgrep uplugplay]

/bin/sh

[sh -c pidof uplugplay]

/usr/bin/pidof

[pidof uplugplay]

/bin/sh

[sh -c pgrep upnpsetup]

/usr/bin/pgrep

[pgrep upnpsetup]

/bin/sh

[sh -c pidof upnpsetup]

/usr/bin/pidof

[pidof upnpsetup]

/bin/sh

[sh -c systemctl daemon-reload]

/usr/bin/systemctl

[systemctl daemon-reload]

/bin/sh

[sh -c systemctl enable uplugplay.service]

/usr/bin/systemctl

[systemctl enable uplugplay.service]

/bin/sh

[sh -c systemctl start uplugplay.service]

/usr/bin/systemctl

[systemctl start uplugplay.service]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 p3.feefreepool.net udp
DE 88.198.246.242:80 p3.feefreepool.net tcp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
AU 1.1.1.1:53 _http._tcp.security.ubuntu.com udp
AU 1.1.1.1:53 _http._tcp.se.archive.ubuntu.com udp
AU 1.1.1.1:53 se.archive.ubuntu.com udp
AU 1.1.1.1:53 security.ubuntu.com udp
AU 1.1.1.1:53 security.ubuntu.com udp
AU 1.1.1.1:53 se.archive.ubuntu.com udp
US 91.189.91.82:80 security.ubuntu.com tcp
SE 194.71.11.163:80 se.archive.ubuntu.com tcp

Files

memory/2869-1-0x0000000000400000-0x00000000015640f8-memory.dmp

/usr/sbin/uplugplay

MD5 aa7766de5d677468bf926cbc2a3ad3bc
SHA1 d6e470cc47d06028f627ea3b89c17492376077c6
SHA256 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
SHA512 fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81

/usr/lib/systemd/system/uplugplay.service

MD5 8ca62d1f47880bce036c2956c9b7b272
SHA1 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
SHA256 c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
SHA512 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6