| | |
|---|---|
| **ID** | X0006 |
| **Type** | Bot/Botnet (spambot) |
| **Aliases** | Bobax |
| **Platforms** | Windows |
| **Year** | 2014 |
| **Associated ATT&CK Software** | None |

# Gamut

Gamut is a spamming botnet.

## ATT&CK Techniques

| **Name** | **Use** |
|---|---|
| Command and Control::Application Layer Protocol::Web Protocols (T1071.001) | The malware uses HTTP for command and control. [1] |
| Defense Evasion::File and Directory Permissions Modification (T1222) | Gamut sets file attributes. [3] |
| Execution::Shared Modules (T1129) | Gamut links functions at runtime on Windows. [3] |

## Enhanced ATT&CK Techniques

| **Name** | **Use** |
|---|---|
| Defense Evasion::Modify Registry (E1112) | The malware adds a registry key. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Gamut encodes data using XOR. [3] |
| Discovery::Application Window Discovery::Window Text (E1010.m01) | Gamut gets a graphical window's text. [3] |
| Command and Control::Ingress Tool Transfer (E1105) | The malware receives files from C2. [1] |
| Discovery::File and Directory Discovery (E1083) | Gamut gets common file paths. [3] |
| Discovery::System Information Discovery (E1082) | Gamut queries environment variables. [3] |
| Execution::Command and Scripting Interpreter (E1059) | Gamut accepts command line arguments. [3] |

## MBC Behaviors

| **Name** | **Use** |
|---|---|
| Execution::Send Email (B0020) | Gamut probes whether the infected system can reach the Internet on TCP port 25 by sending a test SMTP transaction to mail.ru and hotmail.com. If port 25 is open, the bot requests the spam template and email list from its C2 and uses them to send spam. [1] |
| Anti-Behavioral-Analysis::Debugger Detection::Interruption (B0001.006) | The malware detects debuggers using an INT 03h trap: the breakpoint exception is consumed by an attached debugger instead of reaching the malware's own exception handler. [1] |
| Anti-Behavioral-Analysis::Debugger Detection::IsDebuggerPresent (B0001.008) | The malware detects debuggers using IsDebuggerPresent. [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | The malware receives data from C2. [1] |
| Command and Control::C2 Communication::Server to Client File Transfer (B0030.003) | The malware receives files from C2. [1] |
| Impact::Spamming (B0039) | If port 25 is open, the bot uses the spam template and email list it received from C2 to send spam. [1] |
| Data::Checksum::CRC32 (C0032.001) | Gamut hashes data with CRC32. [3] |
| Data::Encode Data::XOR (C0026.002) | Gamut encodes data using XOR. [3] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Gamut enumerates PE sections (one capa rule match). [3] |
| Execution::Install Additional Program (B0023) | Gamut contains an embedded PE file. [3] |
| File System::Create Directory (C0046) | Gamut creates directories. [3] |
| File System::Delete Directory (C0048) | Gamut deletes directories. [3] |
| File System::Delete File (C0047) | Gamut deletes files. [3] |
| File System::Get File Attributes (C0049) | Gamut gets file attributes. [3] |
| File System::Move File (C0063) | Gamut moves files. [3] |
| File System::Read File (C0051) | Gamut reads files on Windows. [3] |
| File System::Set File Attributes (C0050) | Gamut sets file attributes. [3] |
| File System::Write File (C0052) | Gamut writes files on Windows. [3] |
| Operating System::Registry::Delete Registry Key (C0036.002) | Gamut deletes registry keys. [3] |
| Operating System::Registry::Delete Registry Value (C0036.007) | Gamut deletes registry values. [3] |
| Operating System::Registry::Query Registry Key (C0036.005) | Gamut queries or enumerates registry keys. [3] |
| Operating System::Registry::Query Registry Value (C0036.006) | Gamut queries or enumerates registry values. [3] |
| Operating System::Registry::Set Registry Key (C0036.001) | Gamut sets registry values. [3] |
| Process::Create Process (C0017) | Gamut creates processes on Windows. [3] |
| Process::Set Thread Local Storage Value (C0041) | Gamut sets thread local storage values. [3] |
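
The Send Email (B0020) and Spamming (B0039) rows above describe a network pattern that is visible without any payload or C2 indicator: a workstation first opens TCP/25 to a couple of large public mail providers to learn whether outbound SMTP is possible, then, if it is, fans out to many destination mail servers. The following detection is an added example written for this page, not code from MBC, capa or the Trustwave analysis. It runs over a constructed, space-separated connection log in the spirit of a Zeek conn.log (all addresses are from the RFC 5737 documentation ranges or RFC 1918 space and are made up); the internal ranges, the sanctioned-relay list, the 300-second window and the threshold of three distinct destinations are assumptions a deployment would tune.

```python
"""Flag internal hosts that open TCP/25 to several distinct external hosts in a
short window, excluding the organisation's sanctioned outbound mail relays.

Added example for the Gamut MBC entry; not part of MBC, capa or the cited analysis.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space (RFC 1918 here).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumption: the only hosts that may legitimately speak SMTP to the Internet.
SANCTIONED_MAIL_RELAYS = {"10.0.0.2"}

# Constructed sample log. Fields: ts src dst dst_port proto conn_state.
# 10.0.0.5 shows the Gamut pattern: two quick TCP/25 probes to distinct external
# mail hosts, an HTTP fetch (template and address list from C2), then SMTP fan-out.
# 10.0.0.2 is the sanctioned relay. 10.0.0.9 makes two TCP/25 connections 480 s
# apart plus one to the internal relay. 10.0.0.11 retries a single external host.
SAMPLE_CONN_LOG = """\
1665576000.10 10.0.0.5  198.51.100.7  25 tcp SF
1665576000.40 10.0.0.5  203.0.113.9   25 tcp SF
1665576003.00 10.0.0.5  192.0.2.40    80 tcp SF
1665576010.00 10.0.0.5  192.0.2.70    25 tcp SF
1665576011.00 10.0.0.5  192.0.2.71    25 tcp SF
1665576012.00 10.0.0.5  192.0.2.72    25 tcp S0
1665576000.00 10.0.0.2  198.51.100.7  25 tcp SF
1665576001.00 10.0.0.2  192.0.2.70    25 tcp SF
1665576002.00 10.0.0.2  192.0.2.71    25 tcp SF
1665576020.00 10.0.0.9  198.51.100.7  25 tcp SF
1665576500.00 10.0.0.9  192.0.2.71    25 tcp SF
1665576030.00 10.0.0.9  10.0.0.2      25 tcp SF
1665576040.00 10.0.0.11 198.51.100.7  25 tcp REJ
1665576041.00 10.0.0.11 198.51.100.7  25 tcp REJ
1665576042.00 10.0.0.11 198.51.100.7  25 tcp REJ
"""


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse the space-separated sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, state = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "state": state})
    return records


def find_smtp_fanout(records, window_s=300.0, min_distinct=3,
                     relays=SANCTIONED_MAIL_RELAYS):
    """Return {src: sorted distinct external TCP/25 destinations} for every
    internal, non-relay host that contacted at least min_distinct distinct
    external hosts on TCP/25 within window_s seconds.

    Connection attempts are counted regardless of conn_state: an infected host
    behind an egress filter still probes, and that failed probe is the signal.
    """
    smtp = [r for r in records
            if r["proto"] == "tcp" and r["port"] == 25
            and is_internal(r["src"]) and not is_internal(r["dst"])
            and r["src"] not in relays]
    by_src = defaultdict(list)
    for r in sorted(smtp, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)

    hits = {}
    for src, conns in by_src.items():
        # Slide a window anchored on each connection in turn; the first window
        # that reaches the threshold decides the verdict for this host.
        for i, first in enumerate(conns):
            dsts = {c["dst"] for c in conns[i:]
                    if c["ts"] - first["ts"] <= window_s}
            if len(dsts) >= min_distinct:
                hits[src] = sorted(dsts)
                break
    return hits


if __name__ == "__main__":
    for host, targets in find_smtp_fanout(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{host}: outbound SMTP fan-out to {len(targets)} hosts: {', '.join(targets)}")
```

With the sample data only 10.0.0.5 is reported; the relay is excluded by policy, 10.0.0.9 never reaches the threshold inside one window, and 10.0.0.11 contacts a single external host repeatedly, which is not fan-out. Lowering `min_distinct` to 2 catches the initial two-provider probe on its own at the cost of more false positives from hosts that legitimately submit mail directly.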

## Indicators of Compromise

### SHA256 Hashes

- a56162bc623841102301df8e5c918f27fe8c2a58ae049d81c838fcf256654932
- 1a9c4807500d25e83c456185a6b4571108e0f00c45667b520725ca8ae6f34fa4

## References

[1] Trustwave SpiderLabs, "Gamut Spambot Analysis", https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/

[2] ANY.RUN sandbox report for a56162bc623841102301df8e5c918f27fe8c2a58ae049d81c838fcf256654932, https://any.run/report/a56162bc623841102301df8e5c918f27fe8c2a58ae049d81c838fcf256654932/1a6f6db3-83d5-442e-8f0d-42cfab2e0d34

[3] capa v4.0, sample analyzed at MITRE on 10/12/2022