Malware Analysis Report

2025-06-16 02:03

Sample ID 250222-dbwrfsykz9
Target 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf
SHA256 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7
Tags
upx prometei_elf botnet discovery miner persistence privilege_escalation
score
10/10

Analysis Overview

score
10/10

SHA256

25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7

Threat Level: Known bad

The file 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf was found to be: Known bad.

Malicious Activity Summary

upx prometei_elf botnet discovery miner persistence privilege_escalation

Prometei

Prometei_elf family

Deletes itself

Modifies hosts file

Enumerates running processes

Modifies systemd

Write file to user bin folder

UPX packed file

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-22 02:50

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-22 02:50

Reported

2025-02-22 02:53

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

6s

Max time network

128s

Command Line

[/tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf]

Signatures

Prometei

botnet miner prometei_elf

Prometei_elf family

prometei_elf

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf | N/A

Modifies hosts file

Description | Indicator | Process | Target
File opened for modification | /etc/hosts | /tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf | N/A

Enumerates running processes

Modifies systemd

persistence privilege_escalation
Description | Indicator | Process | Target
File opened for modification | /lib/systemd/system/uplugplay.service | /tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf | N/A

Write file to user bin folder

persistence
Description | Indicator | Process | Target
File opened for modification | /usr/sbin/uplugplay | /tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads CPU attributes

discovery
Description | Indicator | Process | Target
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pgrep | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pgrep | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pgrep | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/328/cmdline | /bin/pidof | N/A
File opened for reading | /proc/727/stat | /bin/pidof | N/A
File opened for reading | /proc/1077/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1163/stat | /bin/pidof | N/A
File opened for reading | /proc/115/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1196/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1520/stat | /bin/pidof | N/A
File opened for reading | /proc/1523/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1153/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1077/stat | /bin/pidof | N/A
File opened for reading | /proc/684/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/1194/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1535/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/1308/cmdline | /bin/pidof | N/A
File opened for reading | /proc/186/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/13/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/703/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/8/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/170/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/613/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/28/stat | /bin/pidof | N/A
File opened for reading | /proc/415/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1539/cmdline | /bin/pidof | N/A
File opened for reading | /proc/450/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/1171/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1267/cmdline | /bin/pidof | N/A
File opened for reading | /proc/727/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/6/cmdline | /bin/pidof | N/A
File opened for reading | /proc/83/stat | /bin/pidof | N/A
File opened for reading | /proc/175/cmdline | /bin/pidof | N/A
File opened for reading | /proc/20/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/6/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1074/stat | /bin/pidof | N/A
File opened for reading | /proc/1119/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/36/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1080/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1171/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/174/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/175/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/971/stat | /bin/pidof | N/A
File opened for reading | /proc/1193/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/24/stat | /bin/pidof | N/A
File opened for reading | /proc/415/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/1199/stat | /bin/pidof | N/A
File opened for reading | /proc/169/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/214/stat | /bin/pidof | N/A
File opened for reading | /proc/172/stat | /bin/pidof | N/A
File opened for reading | /proc/1136/stat | /bin/pidof | N/A
File opened for reading | /proc/467/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/214/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1023/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/1326/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/1321/stat | /bin/pidof | N/A
File opened for reading | /proc/957/cmdline | /bin/pidof | N/A
File opened for reading | /proc/576/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/175/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/450/status | /usr/bin/pgrep | N/A
File opened for reading | /proc/429/stat | /bin/pidof | N/A
File opened for reading | /proc/1136/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/17/cmdline | /usr/bin/pgrep | N/A
File opened for reading | /proc/135/stat | /bin/pidof | N/A
File opened for reading | /proc/1128/cmdline | /bin/pidof | N/A
File opened for reading | /proc/1/stat | /bin/pidof | N/A
File opened for reading | /proc/1124/cmdline | /bin/pidof | N/A

Processes

/tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf

[/tmp/25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf]

/bin/sh

[sh -c pgrep 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf]

/usr/bin/pgrep

[pgrep 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf]

/bin/sh

[sh -c pidof 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf]

/bin/pidof

[pidof 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7.elf]

/bin/sh

[sh -c pgrep uplugplay]

/usr/bin/pgrep

[pgrep uplugplay]

/bin/sh

[sh -c pidof uplugplay]

/bin/pidof

[pidof uplugplay]

/bin/sh

[sh -c pgrep upnpsetup]

/usr/bin/pgrep

[pgrep upnpsetup]

/bin/sh

[sh -c pidof upnpsetup]

/bin/pidof

[pidof upnpsetup]

/bin/sh

[sh -c systemctl daemon-reload]

/bin/systemctl

[systemctl daemon-reload]

/bin/sh

[sh -c systemctl enable uplugplay.service]

/bin/systemctl

[systemctl enable uplugplay.service]

/bin/sh

[sh -c systemctl start uplugplay.service]

/bin/systemctl

[systemctl start uplugplay.service]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.62:443 | | tcp
US | 151.101.129.91:443 | | tcp
US | 151.101.129.91:443 | | tcp
GB | 195.181.164.19:443 | | tcp
US | 8.8.8.8:53 | p3.feefreepool.net | udp
DE | 88.198.246.242:80 | p3.feefreepool.net | tcp

Files

memory/1520-1-0x0000000000400000-0x00000000015640f8-memory.dmp

/usr/sbin/uplugplay

MD5 86596bdf816a7fc80bf1fb79bb0ee281
SHA1 02cbdac44cf808248a8375013c405d493423e275
SHA256 25a2df1ddf0fa125702ac8e40acd44d5b7ca9e223cd99d3e7f9c05e7f02da4c7
SHA512 37082be2f3f130f31de7ed063162d53957d0ea8a6b296f41ff0c77e681a1aca02d5924fedd4288524919313c9ea57dbf5a47c706669932da3970410ea89aed59

/lib/systemd/system/uplugplay.service

MD5 8ca62d1f47880bce036c2956c9b7b272
SHA1 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
SHA256 c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
SHA512 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6