win.gamybear

GAMYBEAR


A software tool written in the Go programming language. Its main functionality is to receive ("listener") and execute ("executor") commands, and to send ("sender") the results to the control server in BASE64-encoded form over the HTTP protocol.

When launched, it generates a unique identifier (UUID), collects basic information about the computer ("whoami", "wmic nicconfig where IPEnabled=true get IPAddress") and creates a helper file %APPDATA%\updater.json, in which the URL of the control server is stored in JSON format (key "update_server"), together with the data just listed in BASE64-encoded form (keys "uuid", "hostname", "ip", respectively).

During operation, the software regularly sends requests to the control server (URI "/c2/get_commands/") and waits for a JSON response with the "command" and "arguments" fields. If the "Nop" command is received, it pauses for 15 seconds. After a command is executed, the result and the other data are BASE64-encoded, placed in a JSON structure (keys "uuid", "command", "output") and sent to the control server in a request to the URI "/c2/command_out/".
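The two artifacts described above (the %APPDATA%\updater.json helper file and the /c2/get_commands/ and /c2/command_out/ beacon exchange) are what a responder will actually look for on a host and in proxy logs. The following triage helper is an added example, not code from Malpedia or CERT-UA. It assumes that "update_server" is stored as a plain string while "uuid", "hostname" and "ip" are base64 text (the page does not say whether the URL itself is encoded), and it parses a constructed proxy log format; every sample value in it is constructed, not a real capture.

```python
"""Triage helpers for the GAMYBEAR artifacts described in the CERT-UA write-up.

Added example; assumptions are labelled in the comments below.
"""
import base64
import json
import re
from urllib.parse import urlsplit

# Beacon paths named in the description.
C2_PATHS = ("/c2/get_commands/", "/c2/command_out/")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _unb64(s: str) -> str:
    return base64.b64decode(s).decode("utf-8", errors="replace")


def parse_updater_json(text: str) -> dict:
    """Recover plain values from the helper file %APPDATA%\\updater.json.

    Assumption (not stated on the page): "update_server" is a plain string,
    while "uuid", "hostname" and "ip" are base64 text.
    """
    raw = json.loads(text)
    result = {"update_server": raw.get("update_server")}
    for key in ("uuid", "hostname", "ip"):
        result[key] = _unb64(raw[key]) if key in raw else None
    return result


def decode_command_out(body: str) -> dict:
    """Decode a /c2/command_out/ payload: JSON with base64 "uuid", "command", "output"."""
    raw = json.loads(body)
    return {key: _unb64(raw[key]) for key in ("uuid", "command", "output")}


def is_nop(reply: str) -> bool:
    """True when a /c2/get_commands/ reply carries the "Nop" command (15-second pause)."""
    return json.loads(reply).get("command") == "Nop"


# Constructed proxy log format (assumption): "<ts> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_beacons(lines):
    """Return (timestamp, client, host, path) for requests to the GAMYBEAR C2 paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.path in C2_PATHS:
            hits.append((m["ts"], m["client"], parts.hostname, parts.path))
    return hits


# --- constructed sample artifacts (not real captures) ---
SAMPLE_UUID = "5b1e0c1a-0000-4000-8000-000000000001"

SAMPLE_UPDATER_JSON = json.dumps({
    "update_server": "http://c2.example.invalid",
    "uuid": _b64(SAMPLE_UUID),
    "hostname": _b64("DESKTOP-TEST"),
    "ip": _b64("10.0.0.5"),
})

SAMPLE_COMMAND_OUT = json.dumps({
    "uuid": _b64(SAMPLE_UUID),
    "command": _b64("whoami"),
    "output": _b64("desktop-test\\user\r\n"),
})

SAMPLE_LOG = [
    "2025-11-18T09:00:00Z 10.0.0.5 GET http://c2.example.invalid/c2/get_commands/ 200",
    "2025-11-18T09:00:01Z 10.0.0.5 GET http://update.example.invalid/index.html 200",
    "2025-11-18T09:00:16Z 10.0.0.5 POST http://c2.example.invalid/c2/command_out/ 200",
]

if __name__ == "__main__":
    print(parse_updater_json(SAMPLE_UPDATER_JSON))
    print(decode_command_out(SAMPLE_COMMAND_OUT))
    for hit in find_beacons(SAMPLE_LOG):
        print(*hit)
```

The decoded "update_server" value gives the host to pivot on in proxy or DNS logs, and the 15-second "Nop" interval is the cadence to expect between consecutive /c2/get_commands/ requests from one client; adapt LOG_RE to the field order of the proxy actually in use.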

Persistence is ensured by another program (script) at the stage of initial infection of the computer, which creates a key in the "Run" branch of the operating system registry.

References
2025-11-18 | CERT-UA | Cyberattack against an educational institution in eastern Ukraine using the GAMYBEAR software tool (CERT-UA#18329)

There is no Yara-Signature yet.