Malware Analysis Report

2025-06-16 02:03

Sample ID 250222-dc4tfsxjck
Target 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf
SHA256 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da
Tags
prometei_elf botnet discovery miner persistence privilege_escalation stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da

Threat Level: Known bad

The file 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf was found to be: Known bad.

Malicious Activity Summary

prometei_elf botnet discovery miner persistence privilege_escalation stealer upx

Prometei

Prometei_elf family

Deletes itself

Modifies hosts file

Reads EFI boot settings

Enumerates running processes

Modifies systemd

Write file to user bin folder

UPX packed file

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-22 02:52

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-22 02:52

Reported

2025-02-22 02:55

Platform

ubuntu2004-amd64-20240729-en

Max time kernel

6s

Max time network

137s

Command Line

[/tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf]

Signatures

Prometei

botnet miner prometei_elf

Prometei_elf family

prometei_elf

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf N/A

Modifies hosts file

Description Indicator Process Target
File opened for modification /etc/hosts /tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf N/A

Reads EFI boot settings

stealer
Note: the reader is /usr/bin/systemctl, which the sample spawns for daemon-reload, enable and start (one read per invocation, hence three rows). The variable is systemd's own SystemdOptions (vendor GUID 8cf2644b-4b0b-428f-9387-6d876050dc67), so these rows reflect systemctl's normal startup rather than the sample itself reading firmware settings; nothing else in this report supports the "stealer" tag.
Description Indicator Process Target
File opened for reading /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 /usr/bin/systemctl N/A
File opened for reading /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 /usr/bin/systemctl N/A
File opened for reading /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 /usr/bin/systemctl N/A

Enumerates running processes

Modifies systemd

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /lib/systemd/system/uplugplay.service /tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/uplugplay /tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads CPU attributes

discovery
Note: the reader is /usr/bin/pgrep, spawned by the sample's pgrep/pidof checks listed under Processes; the rows are pgrep's own startup, not the sample fingerprinting the CPU.
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A

Reads runtime system information

discovery
Note: every reader is /usr/bin/pgrep or /usr/bin/pidof. These /proc reads are the process-table scan behind the sample's "is a copy already running?" checks (pgrep/pidof of its own file name, uplugplay and upnpsetup); the sample does not read /proc directly in this trace.
Description Indicator Process Target
File opened for reading /proc/1001/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1402/status /usr/bin/pgrep N/A
File opened for reading /proc/588/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1210/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1/stat /usr/bin/pidof N/A
File opened for reading /proc/13/status /usr/bin/pgrep N/A
File opened for reading /proc/8/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/803/cmdline /usr/bin/pidof N/A
File opened for reading /proc/5/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/73/stat /usr/bin/pidof N/A
File opened for reading /proc/161/cmdline /usr/bin/pidof N/A
File opened for reading /proc/998/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/201/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1351/status /usr/bin/pgrep N/A
File opened for reading /proc/515/stat /usr/bin/pidof N/A
File opened for reading /proc/89/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/489/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1349/cmdline /usr/bin/pidof N/A
File opened for reading /proc/584/status /usr/bin/pgrep N/A
File opened for reading /proc/201/cmdline /usr/bin/pidof N/A
File opened for reading /proc/481/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1122/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1097/status /usr/bin/pgrep N/A
File opened for reading /proc/1091/stat /usr/bin/pidof N/A
File opened for reading /proc/1404/status /usr/bin/pgrep N/A
File opened for reading /proc/607/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1343/cmdline /usr/bin/pidof N/A
File opened for reading /proc/967/stat /usr/bin/pidof N/A
File opened for reading /proc/16/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/82/status /usr/bin/pgrep N/A
File opened for reading /proc/1350/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1355/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1328/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1404/cmdline /usr/bin/pidof N/A
File opened for reading /proc/809/stat /usr/bin/pidof N/A
File opened for reading /proc/163/stat /usr/bin/pidof N/A
File opened for reading /proc/496/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/694/status /usr/bin/pgrep N/A
File opened for reading /proc/1091/cmdline /usr/bin/pidof N/A
File opened for reading /proc/79/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/81/stat /usr/bin/pidof N/A
File opened for reading /proc/79/status /usr/bin/pgrep N/A
File opened for reading /proc/163/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/75/stat /usr/bin/pidof N/A
File opened for reading /proc/933/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1091/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/18/stat /usr/bin/pidof N/A
File opened for reading /proc/170/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/484/stat /usr/bin/pidof N/A
File opened for reading /proc/1403/cmdline /usr/bin/pidof N/A
File opened for reading /proc/21/cmdline /usr/bin/pidof N/A
File opened for reading /proc/173/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1001/stat /usr/bin/pidof N/A
File opened for reading /proc/15/stat /usr/bin/pidof N/A
File opened for reading /proc/16/cmdline /usr/bin/pidof N/A
File opened for reading /proc/87/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1377/status /usr/bin/pgrep N/A
File opened for reading /proc/1358/stat /usr/bin/pidof N/A
File opened for reading /proc/1186/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/779/status /usr/bin/pgrep N/A
File opened for reading /proc/1074/status /usr/bin/pgrep N/A
File opened for reading /proc/455/stat /usr/bin/pidof N/A
File opened for reading /proc/784/stat /usr/bin/pidof N/A

Processes

/tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf

[/tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf]

/bin/sh

[sh -c pgrep 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf]

/usr/bin/pgrep

[pgrep 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf]

/bin/sh

[sh -c pidof 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf]

/usr/bin/pidof

[pidof 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf]

/bin/sh

[sh -c pgrep uplugplay]

/usr/bin/pgrep

[pgrep uplugplay]

/bin/sh

[sh -c pidof uplugplay]

/usr/bin/pidof

[pidof uplugplay]

/bin/sh

[sh -c pgrep upnpsetup]

/usr/bin/pgrep

[pgrep upnpsetup]

/bin/sh

[sh -c pidof upnpsetup]

/usr/bin/pidof

[pidof upnpsetup]

/bin/sh

[sh -c systemctl daemon-reload]

/usr/bin/systemctl

[systemctl daemon-reload]

/bin/sh

[sh -c systemctl enable uplugplay.service]

/usr/bin/systemctl

[systemctl enable uplugplay.service]

/bin/sh

[sh -c systemctl start uplugplay.service]

/usr/bin/systemctl

[systemctl start uplugplay.service]
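The process tree above is the whole installation routine: probe for a running copy with pgrep/pidof (own file name, uplugplay, upnpsetup), drop a copy into /usr/sbin, write a unit file, then systemctl daemon-reload / enable / start. The script below is an added detection example, not code from the sandbox or from the sample: it replays that chain as a stream of exec and file-write events (the Event layout and the REPORT_EVENTS / BENIGN_EVENTS records are this script's own constructions, transcribed from the Processes and Signatures sections) and fires only when a non-package process writes a unit file and either drops a binary into a system bin directory or enables that unit. It unwraps `sh -c` so the wrapper and the child it spawns, which the report lists separately, count once.

```python
"""Flag the systemd persistence chain this report records (copy self into
/usr/sbin, write a unit file, systemctl daemon-reload / enable / start)
from a stream of process-exec and file-write events.

Added example for this page; not code from the sandbox or from the sample.
Event, REPORT_EVENTS and BENIGN_EVENTS are this script's own constructions."""
from dataclasses import dataclass
import shlex

SAMPLE = "/tmp/289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da.elf"
SYSTEM_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                   "/usr/local/sbin/", "/usr/local/bin/")
UNIT_DIRS = ("/lib/systemd/system/", "/usr/lib/systemd/system/",
             "/etc/systemd/system/")
# Writers that legitimately install unit files (assumption: extend per fleet).
PACKAGE_MANAGERS = {"/usr/bin/dpkg", "/usr/bin/apt", "/usr/bin/apt-get",
                    "/usr/bin/rpm", "/usr/bin/dnf", "/usr/bin/yum"}
SYSTEMCTL_VERBS = {"enable", "start", "restart"}


@dataclass
class Event:
    kind: str          # "exec" or "file_write"
    process: str       # executable path of the acting process
    path: str = ""     # file_write: path opened for modification
    argv: tuple = ()   # exec: argument vector


def _basename(p):
    return p.rsplit("/", 1)[-1]


def _unwrap_sh(argv):
    """Resolve `sh -c 'cmd ...'` to cmd's own argv, so the wrapper and the
    child it spawns (the report lists both) count as the same command."""
    argv = list(argv)
    if len(argv) >= 3 and _basename(argv[0]) in ("sh", "bash", "dash") and argv[1] == "-c":
        argv = shlex.split(argv[2])
    return argv


def probed_process_names(events):
    """Names the sample looked up with pgrep/pidof before installing itself:
    its 'already running?' check, and a ready-made list of hunt keywords."""
    names = set()
    for ev in events:
        if ev.kind == "exec":
            argv = _unwrap_sh(ev.argv)
            if len(argv) >= 2 and _basename(argv[0]) in ("pgrep", "pidof"):
                names.add(argv[-1])
    return sorted(names)


def detect_systemd_persistence(events):
    """One finding per unit file written by a non-package process, listing the
    binaries that process dropped into system bin dirs and the systemctl verbs
    later applied to the unit. complete_chain: dropped binary plus enabled unit."""
    unit_writer, dropped, actions = {}, {}, {}
    for ev in events:
        if ev.kind == "file_write" and ev.process not in PACKAGE_MANAGERS:
            if ev.path.startswith(UNIT_DIRS) and ev.path.endswith(".service"):
                unit_writer[_basename(ev.path)] = ev.process
            elif ev.path.startswith(SYSTEM_BIN_DIRS):
                dropped.setdefault(ev.process, set()).add(ev.path)
        elif ev.kind == "exec":
            argv = _unwrap_sh(ev.argv)
            if len(argv) >= 3 and _basename(argv[0]) == "systemctl" and argv[1] in SYSTEMCTL_VERBS:
                for unit in (a for a in argv[2:] if not a.startswith("-")):  # skips --now etc.
                    unit = unit if "." in unit else unit + ".service"
                    actions.setdefault(unit, set()).add(argv[1])
    findings = []
    for unit, writer in unit_writer.items():
        verbs, bins = sorted(actions.get(unit, ())), sorted(dropped.get(writer, ()))
        if verbs or bins:
            findings.append({"unit": unit, "unit_writer": writer, "dropped_binaries": bins,
                             "systemctl": verbs, "complete_chain": bool(bins) and "enable" in verbs})
    return findings


def _sh(cmd):
    return ("sh", "-c", cmd)


# Constructed from this report's process tree and file signatures.
REPORT_EVENTS = [
    Event("exec", "/bin/sh", argv=_sh("pgrep " + _basename(SAMPLE))),
    Event("exec", "/usr/bin/pgrep", argv=("pgrep", _basename(SAMPLE))),
    Event("exec", "/bin/sh", argv=_sh("pidof uplugplay")),
    Event("exec", "/bin/sh", argv=_sh("pgrep upnpsetup")),
    Event("file_write", SAMPLE, path="/etc/hosts"),
    Event("file_write", SAMPLE, path="/usr/sbin/uplugplay"),
    Event("file_write", SAMPLE, path="/lib/systemd/system/uplugplay.service"),
    Event("exec", "/bin/sh", argv=_sh("systemctl daemon-reload")),
    Event("exec", "/bin/sh", argv=_sh("systemctl enable uplugplay.service")),
    Event("exec", "/usr/bin/systemctl", argv=("systemctl", "enable", "uplugplay.service")),
    Event("exec", "/bin/sh", argv=_sh("systemctl start uplugplay.service")),
]
# Control: a package manager installing and enabling a unit must not fire.
BENIGN_EVENTS = [
    Event("file_write", "/usr/bin/dpkg", path="/lib/systemd/system/cron.service"),
    Event("exec", "/usr/bin/systemctl", argv=("systemctl", "enable", "cron.service")),
]

if __name__ == "__main__":
    print("probed names:", probed_process_names(REPORT_EVENTS))
    print("findings:", detect_systemd_persistence(REPORT_EVENTS))
    print("benign:", detect_systemd_persistence(BENIGN_EVENTS))
```

The rule is a hunting rule, not a blocking one: an administrator hand-writing a unit under /etc/systemd/system and enabling it will also match, which is the intended review queue; only package-manager writers are excluded. The /etc/hosts write is deliberately not part of the score, since the report shows the open for modification but not what was written.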

Network

Country  Destination         Domain                         Proto
N/A      224.0.0.251:5353    -                              udp
AU       1.1.1.1:53          connectivity-check.ubuntu.com  udp
US       8.8.8.8:53          p3.feefreepool.net             udp
DE       88.198.246.242:80   p3.feefreepool.net             tcp
AU       1.1.1.1:53          connectivity-check.ubuntu.com  udp

Note: the mDNS multicast (224.0.0.251:5353) and the connectivity-check.ubuntu.com lookups are the Ubuntu platform's background traffic. The only destination not attributable to the platform is p3.feefreepool.net, resolved via 8.8.8.8 and then contacted over TCP/80 at 88.198.246.242.

Files

memory/1405-1-0x0000000000400000-0x00000000015640f8-memory.dmp

/usr/sbin/uplugplay (SHA256 identical to the submitted sample: the dropped binary is an unmodified copy of the ELF that installed it)

MD5 ed6a2efe9bb6c75b66ab82e9d4a65f3a
SHA1 6e9cef0deb9d63407016574e79652c2486f3a1ae
SHA256 289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da
SHA512 dc6ac7fc522a8036b63b49adf8ac65a905784a2062eaeb84fd5374d5ecefa377fba0ee80f8f32fa3ff19aa7bcbc1e1cb403a6bc42d6d8390f0f8d6e8d83966f5

/usr/lib/systemd/system/uplugplay.service (the Signatures section records the write as /lib/systemd/system/uplugplay.service; on the merged-/usr Ubuntu platform used here /lib is a symlink to /usr/lib, so both paths name this one file)

MD5 8ca62d1f47880bce036c2956c9b7b272
SHA1 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
SHA256 c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
SHA512 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6
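The hashes above, the unit path from the Signatures section and the destinations from the Network section are enough to sweep a host or a mounted disk image for this installation. The script below is an added example, not part of the report: it checks the two dropped files against the report's SHA256 values, reads ExecStart from the unit, looks for the <target>.wants symlink that `systemctl enable` leaves under /etc/systemd/system, and scans /etc/hosts for the report's network indicators (the report shows the hosts file was opened for modification but not what was written, so that scan is an assumption about what to look for). The `root` argument, the fixture builder and the sinkhole-style hosts line are this script's own constructions; the fixture's unit file is a minimal stand-in because the real unit's contents are not in the report.

```python
"""Sweep a Linux filesystem for the on-disk artifacts in this report's Files,
Signatures and Network sections: the dropped binary, its systemd unit, the
symlink `systemctl enable` leaves behind, and /etc/hosts.

Added example for this page, not part of the report. `root` can point at a
mounted image or chroot instead of the live host (assumption: paths under it
mirror the report's). The report does not show what was written to
/etc/hosts, so that file is only scanned for the report's network IOCs."""
import hashlib
import json
import os
import re
import tempfile

UNIT_SHA = "c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32"
IOC_FILES = {  # path relative to root -> SHA256 from the Files section
    "usr/sbin/uplugplay": "289238096d8d59f01d7971355e2bccd759bd05759b9ce84c55be38c02e9c97da",
    "usr/lib/systemd/system/uplugplay.service": UNIT_SHA,
    "lib/systemd/system/uplugplay.service": UNIT_SHA,  # path as recorded in Signatures
}
NETWORK_IOCS = ("p3.feefreepool.net", "88.198.246.242")
UNIT_NAME = "uplugplay.service"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def exec_start(unit_text):
    """ExecStart= of a unit file, or None: what the unit actually launches."""
    m = re.search(r"^ExecStart=(.+)$", unit_text, re.M)
    return m.group(1).strip() if m else None


def sweep(root="/"):
    report = {"files": {}, "enabled_symlinks": [], "hosts_hits": []}
    for rel, expected in IOC_FILES.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):      # follows symlinks (merged /usr)
            continue
        entry = {"sha256": sha256_file(full)}
        entry["hash_match"] = entry["sha256"] == expected
        if rel.endswith(".service"):
            with open(full, errors="replace") as fh:
                entry["exec_start"] = exec_start(fh.read())
        report["files"][rel] = entry
    # `systemctl enable` materialises as <target>.wants/<unit> under /etc.
    wants_root = os.path.join(root, "etc/systemd/system")
    if os.path.isdir(wants_root):
        for d in sorted(os.listdir(wants_root)):
            link = os.path.join(wants_root, d, UNIT_NAME)
            if os.path.lexists(link):     # dangling links count too
                report["enabled_symlinks"].append(os.path.join("etc/systemd/system", d, UNIT_NAME))
    hosts = os.path.join(root, "etc/hosts")
    if os.path.isfile(hosts):
        with open(hosts, errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                if any(ioc in line for ioc in NETWORK_IOCS):
                    report["hosts_hits"].append((n, line.rstrip("\n")))
    return report


def build_fixture(root):
    """Constructed, harmless replica of the layout the report describes, for a
    dry run: a placeholder binary (not the sample) and a minimal stand-in unit
    (the report does not show the real unit's contents)."""
    for d in ("usr/sbin", "usr/lib/systemd/system", "etc/systemd/system/multi-user.target.wants"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "usr/sbin/uplugplay"), "wb") as fh:
        fh.write(b"placeholder, not the sample\n")
    with open(os.path.join(root, "usr/lib/systemd/system", UNIT_NAME), "w") as fh:
        fh.write("[Service]\nExecStart=/usr/sbin/uplugplay\n[Install]\nWantedBy=multi-user.target\n")
    os.symlink("/usr/lib/systemd/system/" + UNIT_NAME,
               os.path.join(root, "etc/systemd/system/multi-user.target.wants", UNIT_NAME))
    with open(os.path.join(root, "etc/hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n0.0.0.0 p3.feefreepool.net\n")   # constructed sinkhole line


def demo():
    root = tempfile.mkdtemp(prefix="uplugplay-sweep-")
    build_fixture(root)
    return sweep(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))   # on a real image: sweep("/mnt/image")
```

On a live host a present file with `hash_match` False is still a hit worth keeping: the family name is a fixed string in this trace, so a rebuilt or repacked binary under the same name and unit is the expected way for the hashes to drift. Run it against a read-only mount of the disk where possible, since the sample deletes its original and a live run racing with the service gives a less stable picture.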