Analysis

  • max time kernel
    8s
  • max time network
    132s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
  • submitted
    22/02/2025, 04:48

General

  • Target

    9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf

  • Size

    418KB

  • MD5

    aa7766de5d677468bf926cbc2a3ad3bc

  • SHA1

    d6e470cc47d06028f627ea3b89c17492376077c6

  • SHA256

    9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476

  • SHA512

    fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81

  • SSDEEP

    12288:6QIkwT+V+46MTuxN+qpMBUH5kAAxwWVtBeSD:W4/y+qaBUZJAdVtX

Malware Config

Signatures

  • Prometei

    Prometei is a multiplatform botnet used to mine cryptocurrency.

  • Prometei_elf family
  • Deletes itself 1 IoCs
  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

  • Write file to user bin folder 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads CPU attributes 1 TTPs 3 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
    /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
    1⤵
    • Deletes itself
    • Modifies hosts file
    • Modifies systemd
    • Write file to user bin folder
    PID:2869
    • /bin/sh
      sh -c "pgrep 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf"
      2⤵
        PID:2873
        • /usr/bin/pgrep
          pgrep 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
          3⤵
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:2874
      • /bin/sh
        sh -c "pidof 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf"
        2⤵
          PID:2880
          • /usr/bin/pidof
            pidof 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
            3⤵
            • Reads runtime system information
            PID:2881
        • /bin/sh
          sh -c "pgrep uplugplay"
          2⤵
            PID:2884
            • /usr/bin/pgrep
              pgrep uplugplay
              3⤵
              • Reads CPU attributes
              • Enumerates kernel/hardware configuration
              • Reads runtime system information
              PID:2885
          • /bin/sh
            sh -c "pidof uplugplay"
            2⤵
              PID:2888
              • /usr/bin/pidof
                pidof uplugplay
                3⤵
                • Reads runtime system information
                PID:2889
            • /bin/sh
              sh -c "pgrep upnpsetup"
              2⤵
                PID:2892
                • /usr/bin/pgrep
                  pgrep upnpsetup
                  3⤵
                  • Reads CPU attributes
                  • Enumerates kernel/hardware configuration
                  • Reads runtime system information
                  PID:2893
              • /bin/sh
                sh -c "pidof upnpsetup"
                2⤵
                  PID:2896
                  • /usr/bin/pidof
                    pidof upnpsetup
                    3⤵
                    • Reads runtime system information
                    PID:2897
                • /bin/sh
                  sh -c "systemctl daemon-reload"
                  2⤵
                    PID:2898
                    • /usr/bin/systemctl
                      systemctl daemon-reload
                      3⤵
                        PID:2899
                    • /bin/sh
                      sh -c "systemctl enable uplugplay.service"
                      2⤵
                        PID:3023
                        • /usr/bin/systemctl
                          systemctl enable uplugplay.service
                          3⤵
                            PID:3024
                        • /bin/sh
                          sh -c "systemctl start uplugplay.service"
                          2⤵
                            PID:3148
                            • /usr/bin/systemctl
                              systemctl start uplugplay.service
                              3⤵
                                PID:3149

                          Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • /usr/lib/systemd/system/uplugplay.service

                                  Filesize

                                  145B

                                  MD5

                                  8ca62d1f47880bce036c2956c9b7b272

                                  SHA1

                                  3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060

                                  SHA256

                                  c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32

                                  SHA512

                                  4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6

                                • /usr/sbin/uplugplay

                                  Filesize

                                  418KB

                                  MD5

                                  aa7766de5d677468bf926cbc2a3ad3bc

                                  SHA1

                                  d6e470cc47d06028f627ea3b89c17492376077c6

                                  SHA256

                                  9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476

                                  SHA512

                                  fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81