Analysis Overview
SHA256
9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
Threat Level: Known bad
The file na.elf was found to be: Known bad.
Malicious Activity Summary
Prometei
Prometei_elf family
Deletes itself
Modifies hosts file
Modifies systemd
Write file to user bin folder
Enumerates running processes
UPX packed file
Reads CPU attributes
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-21 16:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-21 16:02
Reported
2025-02-21 16:04
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
6s
Max time network
131s
Command Line
Signatures
Prometei
Prometei_elf family
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/na.elf | N/A |
Modifies hosts file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/hosts | /tmp/na.elf | N/A |
Enumerates running processes
Modifies systemd
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /lib/systemd/system/uplugplay.service | /tmp/na.elf | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /usr/sbin/uplugplay | /tmp/na.elf | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pgrep | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/node | /usr/bin/pgrep | N/A |
Reads runtime system information
Processes
/tmp/na.elf
[/tmp/na.elf]
/bin/sh
[sh -c pgrep na.elf]
/usr/bin/pgrep
[pgrep na.elf]
/bin/sh
[sh -c pgrep uplugplay]
/usr/bin/pgrep
[pgrep uplugplay]
/bin/sh
[sh -c pidof uplugplay]
/usr/bin/pidof
[pidof uplugplay]
/bin/sh
[sh -c pgrep upnpsetup]
/usr/bin/pgrep
[pgrep upnpsetup]
/bin/sh
[sh -c pidof upnpsetup]
/usr/bin/pidof
[pidof upnpsetup]
/bin/sh
[sh -c systemctl daemon-reload]
/usr/bin/systemctl
[systemctl daemon-reload]
/bin/sh
[sh -c systemctl enable uplugplay.service]
/usr/bin/systemctl
[systemctl enable uplugplay.service]
/bin/sh
[sh -c systemctl start uplugplay.service]
/usr/bin/systemctl
[systemctl start uplugplay.service]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | p3.feefreepool.net | udp |
| DE | 88.198.246.242:80 | p3.feefreepool.net | tcp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| AU | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| AU | 1.1.1.1:53 | _http._tcp.se.archive.ubuntu.com | udp |
| AU | 1.1.1.1:53 | se.archive.ubuntu.com | udp |
| AU | 1.1.1.1:53 | security.ubuntu.com | udp |
| AU | 1.1.1.1:53 | security.ubuntu.com | udp |
| AU | 1.1.1.1:53 | se.archive.ubuntu.com | udp |
| US | 91.189.91.82:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.163:80 | se.archive.ubuntu.com | tcp |
Files
memory/2869-1-0x0000000000400000-0x00000000015640f8-memory.dmp
/usr/sbin/uplugplay
| Hash | Value |
| --- | --- |
| MD5 | aa7766de5d677468bf926cbc2a3ad3bc |
| SHA1 | d6e470cc47d06028f627ea3b89c17492376077c6 |
| SHA256 | 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476 |
| SHA512 | fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81 |
/usr/lib/systemd/system/uplugplay.service
| Hash | Value |
| --- | --- |
| MD5 | 8ca62d1f47880bce036c2956c9b7b272 |
| SHA1 | 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060 |
| SHA256 | c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32 |
| SHA512 | 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6 |