Malware Analysis Report

2025-06-16 02:03

Sample ID 250222-d6yjjaxpek
Target 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf
SHA256 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd
Tags
prometei_elf botnet discovery miner persistence privilege_escalation upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd

Threat Level: Known bad

The file 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf was found to be: Known bad.

Malicious Activity Summary

prometei_elf botnet discovery miner persistence privilege_escalation upx

Prometei_elf family

Prometei

Deletes itself

Modifies hosts file

Enumerates running processes

Modifies systemd

Write file to user bin folder

UPX packed file

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-22 03:37

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-22 03:37

Reported

2025-02-22 03:40

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

7s

Max time network

128s

Command Line

[/tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf]

Signatures

Prometei

botnet miner prometei_elf

Prometei_elf family

prometei_elf

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf N/A

Modifies hosts file

Description Indicator Process Target
File opened for modification /etc/hosts /tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf N/A

Enumerates running processes

Modifies systemd

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /lib/systemd/system/uplugplay.service /tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/uplugplay /tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/197/ctty /usr/bin/pgrep N/A
File opened for reading /proc/783/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1059/status /usr/bin/pgrep N/A
File opened for reading /proc/7/ctty /usr/bin/pgrep N/A
File opened for reading /proc/189/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/786/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2468/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/55/stat /usr/bin/pidof N/A
File opened for reading /proc/33/stat /usr/bin/pidof N/A
File opened for reading /proc/584/status /usr/bin/pgrep N/A
File opened for reading /proc/2204/cmdline /usr/bin/pidof N/A
File opened for reading /proc/129/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1939/stat /usr/bin/pgrep N/A
File opened for reading /proc/199/stat /usr/bin/pidof N/A
File opened for reading /proc/11/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/69/cmdline /usr/bin/pidof N/A
File opened for reading /proc/385/cmdline /usr/bin/pidof N/A
File opened for reading /proc/721/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1956/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2177/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2476/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/457/stat /usr/bin/pgrep N/A
File opened for reading /proc/50/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1923/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/4/stat /usr/bin/pgrep N/A
File opened for reading /proc/189/status /usr/bin/pgrep N/A
File opened for reading /proc/1823/stat /usr/bin/pgrep N/A
File opened for reading /proc/1882/status /usr/bin/pgrep N/A
File opened for reading /proc/25/status /usr/bin/pgrep N/A
File opened for reading /proc/1912/stat /usr/bin/pidof N/A
File opened for reading /proc/436/status /usr/bin/pgrep N/A
File opened for reading /proc/198/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2470/stat /usr/bin/pgrep N/A
File opened for reading /proc/584/status /usr/bin/pgrep N/A
File opened for reading /proc/1896/status /usr/bin/pgrep N/A
File opened for reading /proc/760/status /usr/bin/pgrep N/A
File opened for reading /proc/1941/stat /usr/bin/pidof N/A
File opened for reading /proc/10/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/190/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/25/stat /usr/bin/pidof N/A
File opened for reading /proc/30/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/784/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1053/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2136/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2477/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/56/status /usr/bin/pgrep N/A
File opened for reading /proc/43/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1081/stat /usr/bin/pgrep N/A
File opened for reading /proc/2120/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/36/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1077/cmdline /usr/bin/pidof N/A
File opened for reading /proc/190/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1659/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2470/cmdline /usr/bin/pidof N/A
File opened for reading /proc/760/stat /usr/bin/pgrep N/A
File opened for reading /proc/1058/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1671/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/54/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1115/stat /usr/bin/pidof N/A
File opened for reading /proc/2118/stat /usr/bin/pgrep N/A
File opened for reading /proc/275/ctty /usr/bin/pgrep N/A
File opened for reading /proc/9/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/80/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/69/stat /usr/bin/pgrep N/A

Processes

/tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf

[/tmp/57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf]

/bin/sh

[sh -c pgrep 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf]

/usr/bin/pgrep

[pgrep 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf]

/bin/sh

[sh -c pidof 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf]

/usr/bin/pidof

[pidof 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd.elf]

/bin/sh

[sh -c pgrep uplugplay]

/usr/bin/pgrep

[pgrep uplugplay]

/bin/sh

[sh -c pidof uplugplay]

/usr/bin/pidof

[pidof uplugplay]

/bin/sh

[sh -c pgrep upnpsetup]

/usr/bin/pgrep

[pgrep upnpsetup]

/bin/sh

[sh -c pidof upnpsetup]

/usr/bin/pidof

[pidof upnpsetup]

/bin/sh

[sh -c systemctl daemon-reload]

/usr/bin/systemctl

[systemctl daemon-reload]

/bin/sh

[sh -c systemctl enable uplugplay.service]

/usr/bin/systemctl

[systemctl enable uplugplay.service]

/bin/sh

[sh -c systemctl start uplugplay.service]

/usr/bin/systemctl

[systemctl start uplugplay.service]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 p3.feefreepool.net udp
DE 88.198.246.242:80 p3.feefreepool.net tcp

Files

memory/2472-1-0x0000000000400000-0x00000000015640f8-memory.dmp

/usr/sbin/uplugplay

MD5 4e4edca28a7a79b6f6db2b91489e4ba8
SHA1 727798fd30fc4dd02c55d2be873df630ef986fee
SHA256 57407c524de7be7befcf10d9549db10128f94506d4717f164b0b072fada7aabd
SHA512 33834fb3815f1aadb954174e64cc35cad0a131f1f00dd3ec62b8d5eb494bffbdfc7d901c2fe64f249f9c0e606814e4dbe103245681ed1ad524527873d4af1aa2

/usr/lib/systemd/system/uplugplay.service

MD5 8ca62d1f47880bce036c2956c9b7b272
SHA1 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
SHA256 c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
SHA512 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6