Analysis
max time kernel: 8s
max time network: 132s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 22/02/2025, 04:48
Behavioral task: behavioral1
Sample: 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
Resource: ubuntu2404-amd64-20240523-en
General
Target: 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
Size: 418KB
MD5: aa7766de5d677468bf926cbc2a3ad3bc
SHA1: d6e470cc47d06028f627ea3b89c17492376077c6
SHA256: 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
SHA512: fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81
SSDEEP: 12288:6QIkwT+V+46MTuxN+qpMBUH5kAAxwWVtBeSD:W4/y+qaBUZJAdVtX
Malware Config
Signatures
Prometei
Prometei is a multiplatform botnet used to mine cryptocurrency.

Prometei_elf family

Deletes itself (1 IoCs)
pid    Process
2869   9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf

Modifies hosts file (1 IoCs)
Adds to hosts file used for mapping hosts to IP addresses.
description                    ioc          Process
File opened for modification   /etc/hosts   9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd (2 TTPs, 1 IoCs)
Adds/modifies systemd service files. Likely to achieve persistence.
description                    ioc                                     Process
File opened for modification   /lib/systemd/system/uplugplay.service   9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf

Write file to user bin folder (1 IoCs)
description                    ioc                   Process
File opened for modification   /usr/sbin/uplugplay   9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf

resource                          yara_rule
behavioral1/files/fstream-1.dat   upx

Reads CPU attributes (1 TTPs, 3 IoCs)
description               ioc                                Process
File opened for reading   /sys/devices/system/cpu/possible   pgrep
File opened for reading   /sys/devices/system/cpu/possible   pgrep
File opened for reading   /sys/devices/system/cpu/possible   pgrep

Enumerates kernel/hardware configuration (1 TTPs, 3 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description               ioc                        Process
File opened for reading   /sys/devices/system/node   pgrep
File opened for reading   /sys/devices/system/node   pgrep
File opened for reading   /sys/devices/system/node   pgrep
Reads runtime system information
description               ioc                  Process
File opened for reading   /proc/2154/cgroup    pgrep
File opened for reading   /proc/26/cmdline     pgrep
File opened for reading   /proc/581/status     pgrep
File opened for reading   /proc/2069/cmdline   pgrep
File opened for reading   /proc/2597/status    pgrep
File opened for reading   /proc/26/cmdline     pidof
File opened for reading   /proc/30/status      pgrep
File opened for reading   /proc/43/cmdline     pidof
File opened for reading   /proc/14/status      pgrep
File opened for reading   /proc/2554/stat      pidof
File opened for reading   /proc/2189/stat      pgrep
File opened for reading   /proc/2639/ctty      pgrep
File opened for reading   /proc/275/stat       pidof
File opened for reading   /proc/2628/cgroup    pgrep
File opened for reading   /proc/46/cmdline     pidof
File opened for reading   /proc/51/cmdline     pgrep
File opened for reading   /proc/48/stat        pidof
File opened for reading   /proc/783/cmdline    pidof
File opened for reading   /proc/55/stat        pidof
File opened for reading   /proc/2353/cgroup    pgrep
File opened for reading   /proc/1768/cmdline   pgrep
File opened for reading   /proc/2525/stat      pidof
File opened for reading   /proc/3/cmdline      pidof
File opened for reading   /proc/63/stat        pgrep
File opened for reading   /proc/2069/cmdline   pgrep
File opened for reading   /proc/2079/cmdline   pgrep
File opened for reading   /proc/2347/ctty      pgrep
File opened for reading   /proc/790/cmdline    pgrep
File opened for reading   /proc/25/ctty        pgrep
File opened for reading   /proc/43/status      pgrep
File opened for reading   /proc/52/ctty        pgrep
File opened for reading   /proc/53/ctty        pgrep
File opened for reading   /proc/418/cmdline    pgrep
File opened for reading   /proc/1080/cgroup    pgrep
File opened for reading   /proc/2523/stat      pgrep
File opened for reading   /proc/2869/ctty      pgrep
File opened for reading   /proc/2896/cmdline   pidof
File opened for reading   /proc/186/stat       pgrep
File opened for reading   /proc/201/cgroup     pgrep
File opened for reading   /proc/1053/stat      pgrep
File opened for reading   /proc/1113/cmdline   pidof
File opened for reading   /proc/2356/cmdline   pidof
File opened for reading   /proc/9/stat         pgrep
File opened for reading   /proc/2369/stat      pidof
File opened for reading   /proc/49/status      pgrep
File opened for reading   /proc/768/cmdline    pidof
File opened for reading   /proc/21/stat        pgrep
File opened for reading   /proc/52/ctty        pgrep
File opened for reading   /proc/65/stat        pidof
File opened for reading   /proc/15/cmdline     pidof
File opened for reading   /proc/884/cmdline    pidof
File opened for reading   /proc/728/stat       pgrep
File opened for reading   /proc/2368/ctty      pgrep
File opened for reading   /proc/2161/status    pgrep
File opened for reading   /proc/53/status      pgrep
File opened for reading   /proc/2390/ctty      pgrep
File opened for reading   /proc/29/cmdline     pidof
File opened for reading   /proc/3/status       pgrep
File opened for reading   /proc/70/cgroup      pgrep
File opened for reading   /proc/793/ctty       pgrep
File opened for reading   /proc/10/status      pgrep
File opened for reading   /proc/2270/ctty      pgrep
File opened for reading   /proc/2367/status    pgrep
File opened for reading   /proc/2621/stat      pgrep
Processes
/tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf (PID 2869)
  command line: /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
  - Deletes itself
  - Modifies hosts file
  - Modifies systemd
  - Write file to user bin folder

  /bin/sh (PID 2873)
    command line: sh -c "pgrep 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf"

    /usr/bin/pgrep (PID 2874)
      command line: pgrep 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information

  /bin/sh (PID 2880)
    command line: sh -c "pidof 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf"

    /usr/bin/pidof (PID 2881)
      command line: pidof 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
      - Reads runtime system information

  /bin/sh (PID 2884)
    command line: sh -c "pgrep uplugplay"

    /usr/bin/pgrep (PID 2885)
      command line: pgrep uplugplay
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information

  /bin/sh (PID 2888)
    command line: sh -c "pidof uplugplay"

    /usr/bin/pidof (PID 2889)
      command line: pidof uplugplay
      - Reads runtime system information

  /bin/sh (PID 2892)
    command line: sh -c "pgrep upnpsetup"

    /usr/bin/pgrep (PID 2893)
      command line: pgrep upnpsetup
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information

  /bin/sh (PID 2896)
    command line: sh -c "pidof upnpsetup"

    /usr/bin/pidof (PID 2897)
      command line: pidof upnpsetup
      - Reads runtime system information

  /bin/sh (PID 2898)
    command line: sh -c "systemctl daemon-reload"

    /usr/bin/systemctl (PID 2899)
      command line: systemctl daemon-reload

  /bin/sh (PID 3023)
    command line: sh -c "systemctl enable uplugplay.service"

    /usr/bin/systemctl (PID 3024)
      command line: systemctl enable uplugplay.service

  /bin/sh (PID 3148)
    command line: sh -c "systemctl start uplugplay.service"

    /usr/bin/systemctl (PID 3149)
      command line: systemctl start uplugplay.service
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - XDG Autostart Entries (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
Downloads
Filesize: 145B
MD5: 8ca62d1f47880bce036c2956c9b7b272
SHA1: 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
SHA256: c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
SHA512: 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6

Filesize: 418KB
MD5: aa7766de5d677468bf926cbc2a3ad3bc
SHA1: d6e470cc47d06028f627ea3b89c17492376077c6
SHA256: 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
SHA512: fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81