Malware Analysis Report

2025-06-16 02:03

Sample ID 250222-ffd4baxrbw
Target 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf
SHA256 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
Tags
prometei_elf botnet discovery miner persistence privilege_escalation upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476

Threat Level: Known bad

The file 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf was found to be: Known bad.

Malicious Activity Summary

prometei_elf botnet discovery miner persistence privilege_escalation upx

Prometei

Prometei_elf family

Deletes itself

Modifies hosts file

Modifies systemd

Write file to user bin folder

Enumerates running processes

UPX packed file

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-22 04:48

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-22 04:48

Reported

2025-02-22 04:51

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

8s

Max time network

132s

Command Line

[/tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf]

Signatures

Prometei

botnet miner prometei_elf

Prometei_elf family

prometei_elf

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf N/A

Modifies hosts file

Description Indicator Process Target
File opened for modification /etc/hosts /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf N/A

Enumerates running processes

Modifies systemd

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /lib/systemd/system/uplugplay.service /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/uplugplay /tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/2154/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/26/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/581/status /usr/bin/pgrep N/A
File opened for reading /proc/2069/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2597/status /usr/bin/pgrep N/A
File opened for reading /proc/26/cmdline /usr/bin/pidof N/A
File opened for reading /proc/30/status /usr/bin/pgrep N/A
File opened for reading /proc/43/cmdline /usr/bin/pidof N/A
File opened for reading /proc/14/status /usr/bin/pgrep N/A
File opened for reading /proc/2554/stat /usr/bin/pidof N/A
File opened for reading /proc/2189/stat /usr/bin/pgrep N/A
File opened for reading /proc/2639/ctty /usr/bin/pgrep N/A
File opened for reading /proc/275/stat /usr/bin/pidof N/A
File opened for reading /proc/2628/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/46/cmdline /usr/bin/pidof N/A
File opened for reading /proc/51/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/48/stat /usr/bin/pidof N/A
File opened for reading /proc/783/cmdline /usr/bin/pidof N/A
File opened for reading /proc/55/stat /usr/bin/pidof N/A
File opened for reading /proc/2353/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1768/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2525/stat /usr/bin/pidof N/A
File opened for reading /proc/3/cmdline /usr/bin/pidof N/A
File opened for reading /proc/63/stat /usr/bin/pgrep N/A
File opened for reading /proc/2069/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2079/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2347/ctty /usr/bin/pgrep N/A
File opened for reading /proc/790/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/25/ctty /usr/bin/pgrep N/A
File opened for reading /proc/43/status /usr/bin/pgrep N/A
File opened for reading /proc/52/ctty /usr/bin/pgrep N/A
File opened for reading /proc/53/ctty /usr/bin/pgrep N/A
File opened for reading /proc/418/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1080/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2523/stat /usr/bin/pgrep N/A
File opened for reading /proc/2869/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2896/cmdline /usr/bin/pidof N/A
File opened for reading /proc/186/stat /usr/bin/pgrep N/A
File opened for reading /proc/201/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1053/stat /usr/bin/pgrep N/A
File opened for reading /proc/1113/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2356/cmdline /usr/bin/pidof N/A
File opened for reading /proc/9/stat /usr/bin/pgrep N/A
File opened for reading /proc/2369/stat /usr/bin/pidof N/A
File opened for reading /proc/49/status /usr/bin/pgrep N/A
File opened for reading /proc/768/cmdline /usr/bin/pidof N/A
File opened for reading /proc/21/stat /usr/bin/pgrep N/A
File opened for reading /proc/52/ctty /usr/bin/pgrep N/A
File opened for reading /proc/65/stat /usr/bin/pidof N/A
File opened for reading /proc/15/cmdline /usr/bin/pidof N/A
File opened for reading /proc/884/cmdline /usr/bin/pidof N/A
File opened for reading /proc/728/stat /usr/bin/pgrep N/A
File opened for reading /proc/2368/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2161/status /usr/bin/pgrep N/A
File opened for reading /proc/53/status /usr/bin/pgrep N/A
File opened for reading /proc/2390/ctty /usr/bin/pgrep N/A
File opened for reading /proc/29/cmdline /usr/bin/pidof N/A
File opened for reading /proc/3/status /usr/bin/pgrep N/A
File opened for reading /proc/70/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/793/ctty /usr/bin/pgrep N/A
File opened for reading /proc/10/status /usr/bin/pgrep N/A
File opened for reading /proc/2270/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2367/status /usr/bin/pgrep N/A
File opened for reading /proc/2621/stat /usr/bin/pgrep N/A

Processes

/tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf

[/tmp/9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf]

/bin/sh

[sh -c pgrep 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf]

/usr/bin/pgrep

[pgrep 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf]

/bin/sh

[sh -c pidof 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf]

/usr/bin/pidof

[pidof 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476.elf]

/bin/sh

[sh -c pgrep uplugplay]

/usr/bin/pgrep

[pgrep uplugplay]

/bin/sh

[sh -c pidof uplugplay]

/usr/bin/pidof

[pidof uplugplay]

/bin/sh

[sh -c pgrep upnpsetup]

/usr/bin/pgrep

[pgrep upnpsetup]

/bin/sh

[sh -c pidof upnpsetup]

/usr/bin/pidof

[pidof upnpsetup]

/bin/sh

[sh -c systemctl daemon-reload]

/usr/bin/systemctl

[systemctl daemon-reload]

/bin/sh

[sh -c systemctl enable uplugplay.service]

/usr/bin/systemctl

[systemctl enable uplugplay.service]

/bin/sh

[sh -c systemctl start uplugplay.service]

/usr/bin/systemctl

[systemctl start uplugplay.service]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 p3.feefreepool.net udp
DE 88.198.246.242:80 p3.feefreepool.net tcp

Files

memory/2869-1-0x0000000000400000-0x00000000015640f8-memory.dmp

/usr/sbin/uplugplay

MD5 aa7766de5d677468bf926cbc2a3ad3bc
SHA1 d6e470cc47d06028f627ea3b89c17492376077c6
SHA256 9740689e49050d9c90ef853e94424bff73457df1bc37fe416ca576a491a8a476
SHA512 fbc1ddf9c5871e2afde50e4f4afd625616cb2ba0eb9f8370a92c9db5ca198dfe917ea5c1e5bf5bf201ff4f339a830d1962a4e2f74abbe175e63fe2bfcbc12a81

/usr/lib/systemd/system/uplugplay.service

MD5 8ca62d1f47880bce036c2956c9b7b272
SHA1 3bcc3a5c4fcc5b0d08c4524a59f6b8e113b62060
SHA256 c655d3d4e374fad38313ec4262207b2d7d68a870238f203ef3c33f85e66c8e32
SHA512 4cd2d9d67151fa25e833707dee2442c4a5f752053fc2c36ec73c0e2b734c66ca69c63fceb47714d9add5b9fe2eee1e45be5199e2cae7c26173e766b333877da6