Analysis
- max time kernel: 7s
- max time network: 131s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 22/02/2025, 03:26

Behavioral task: behavioral1
- Sample: 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf
- Resource: ubuntu2204-amd64-20240611-en
General
- Target: 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf
- Size: 418KB
- MD5: 148e8f56cacba9a4dbfca6b984af1f46
- SHA1: 7b4d74f30bb49b1391bdb33d511682aaacaf7af9
- SHA256: 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734
- SHA512: 58d4c41f23eebbfcb0733f9a0edcc51533774d86496db4cb8a4d8045554e40428611fb0e4c6396f00f5627beaf5a6ee43b89b5129d85c919f4e7990ac7777205
- SSDEEP: 12288:6QIkwT+V+46MTuxN+qpMBUH5kAAxwWVtBeS8:W4/y+qaBUZJAdVtY
Malware Config
Signatures
- Prometei
  Prometei is a multiplatform botnet used to mine cryptocurrency.
- Prometei_elf family
- Deletes itself (1 IoCs)
  pid Process
  1592 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf
- Modifies hosts file (1 IoCs)
  Adds to hosts file used for mapping hosts to IP addresses.
  description ioc Process
  File opened for modification /etc/hosts 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Modifies systemd (2 TTPs, 1 IoCs)
  Adds/modifies systemd service files. Likely to achieve persistence.
  description ioc Process
  File opened for modification /lib/systemd/system/uplugplay.service 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf
- Write file to user bin folder (1 IoCs)
  description ioc Process
  File opened for modification /usr/sbin/uplugplay 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf
- UPX-packed resource (yara_rule match)
  resource yara_rule
  behavioral1/files/fstream-1.dat upx
- Reads CPU attributes (1 TTPs, 3 IoCs)
  description ioc Process
  File opened for reading /sys/devices/system/cpu/online pgrep
  File opened for reading /sys/devices/system/cpu/online pgrep
  File opened for reading /sys/devices/system/cpu/online pgrep
- Reads runtime system information
Processes
- /tmp/4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf: /tmp/4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf (PID:1592)
  - Deletes itself
  - Modifies hosts file
  - Modifies systemd
  - Write file to user bin folder
  - /bin/sh: sh -c "pgrep 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf" (PID:1599)
    - /usr/bin/pgrep: pgrep 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf (PID:1600)
      - Reads CPU attributes
      - Reads runtime system information
  - /bin/sh: sh -c "pidof 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf" (PID:1621)
    - /usr/bin/pidof: pidof 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734.elf (PID:1622)
      - Reads runtime system information
  - /bin/sh: sh -c "pgrep uplugplay" (PID:1625)
    - /usr/bin/pgrep: pgrep uplugplay (PID:1626)
      - Reads CPU attributes
      - Reads runtime system information
  - /bin/sh: sh -c "pidof uplugplay" (PID:1629)
    - /usr/bin/pidof: pidof uplugplay (PID:1630)
      - Reads runtime system information
  - /bin/sh: sh -c "pgrep upnpsetup" (PID:1633)
    - /usr/bin/pgrep: pgrep upnpsetup (PID:1634)
      - Reads CPU attributes
      - Reads runtime system information
  - /bin/sh: sh -c "pidof upnpsetup" (PID:1637)
    - /usr/bin/pidof: pidof upnpsetup (PID:1638)
      - Reads runtime system information
  - /bin/sh: sh -c "systemctl daemon-reload" (PID:1645)
    - /usr/bin/systemctl: systemctl daemon-reload (PID:1646)
  - /bin/sh: sh -c "systemctl enable uplugplay.service" (PID:1680)
    - /usr/bin/systemctl: systemctl enable uplugplay.service (PID:1681)
  - /bin/sh: sh -c "systemctl start uplugplay.service" (PID:1717)
    - /usr/bin/systemctl: systemctl start uplugplay.service (PID:1718)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - XDG Autostart Entries (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
Downloads
- Filesize: 145B
  MD5: 8ca62d1f47880bce036c2956c9b7b272
  SHA1: 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
  SHA256: c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
  SHA512: 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6
- Filesize: 418KB
  MD5: 148e8f56cacba9a4dbfca6b984af1f46
  SHA1: 7b4d74f30bb49b1391bdb33d511682aaacaf7af9
  SHA256: 4a88a4d1ff3359e9323a1f6d6cf9949fbd0e65153dbe162c85ef886c852f1734
  SHA512: 58d4c41f23eebbfcb0733f9a0edcc51533774d86496db4cb8a4d8045554e40428611fb0e4c6396f00f5627beaf5a6ee43b89b5129d85c919f4e7990ac7777205