{"id":12301,"date":"2025-03-25T12:02:43","date_gmt":"2025-03-25T12:02:43","guid":{"rendered":"\/cybersecurity-blog\/?p=12301"},"modified":"2025-04-02T05:51:25","modified_gmt":"2025-04-02T05:51:25","slug":"gorillabot-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/","title":{"rendered":"GorillaBot: Technical Analysis and Code Similarities with Mirai"},"content":{"rendered":"\n<p><strong><em>Editor\u2019s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on <\/em><\/strong><a href=\"https:\/\/x.com\/BlueEye46572843\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>X<\/em><\/strong><\/a><strong><em> and <\/em><\/strong><a href=\"https:\/\/www.linkedin.com\/in\/mohamed-talaat-049349198\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>LinkedIn<\/em><\/strong><\/a><strong><em>.<\/em><\/strong>&nbsp;<\/p>\n\n\n\n<p>In this article, we\u2019re diving into <strong>GorillaBot<\/strong>, a newly discovered botnet built on <a href=\"https:\/\/any.run\/malware-trends\/mirai\" target=\"_blank\" rel=\"noreferrer noopener\">Mirai\u2019s code<\/a>. It\u2019s been spotted launching hundreds of thousands of attacks across the globe, and it\u2019s got some interesting tricks up its sleeve.&nbsp;&nbsp;<\/p>\n\n\n\n<p>We\u2019ll walk through how it talks to its command-and-control (C2) servers, how it receives instructions, and the methods it uses to carry out attacks.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview&nbsp;<\/h2>\n\n\n\n<p><strong>\u201cGorillaBot\u201d<\/strong> is a newly discovered Mirai-based botnet that has been actively targeting systems in over 100 countries. 
According to the NSFOCUS Global Threat Hunting team, the botnet issued more than 300,000 attack commands between September 4 and September 27.&nbsp;<\/p>\n\n\n\n<p>This malware variant poses a serious cyber threat, affecting a wide range of industries \u2014 including telecommunications, financial institutions, and even the education sector \u2014 prompting an urgent need for response and mitigation.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GorillaBot is a Mirai-based botnet that reuses core logic while adding custom encryption and evasion techniques.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It targets a wide range of industries and has launched over 300,000 attacks across more than 100 countries.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The botnet uses raw TCP sockets and a custom XTEA-like cipher for secure C2 communication.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GorillaBot includes anti-debugging and anti-analysis checks, exiting immediately in containerized or honeypot environments.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The malware authenticates to its C2 server using a SHA-256-based token generated from a hardcoded array and server-provided value.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack commands are encoded and hashed, then passed to a Mirai-style attack_parse function for execution.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Analysis&nbsp;&nbsp;<\/h2>\n\n\n\n<p>In this section, we will examine the technical details of GorillaBot, focusing on its C2 communication protocol and how it receives information about its targets and the attack methods it\u2019s instructed to use.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Anti-Debugging&nbsp;&nbsp;<\/h2>\n\n\n\n<p>Before proceeding with its main activity, GorillaBot performs checks to detect the 
presence of debugging tools. One of its first actions is to read the \/proc\/self\/status file and inspect the TracerPid field. This field indicates whether the process is being traced &#8211; a value of 0 means it\u2019s not, while a non-zero value suggests a debugger is attached.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about evasion in malware<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"422\" height=\"299\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-2.png\" alt=\"\" class=\"wp-image-12312\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-2.png 422w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-2-300x213.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-2-370x262.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-2-270x191.png 270w\" sizes=\"(max-width: 422px) 100vw, 422px\" \/><figcaption class=\"wp-element-caption\"><em>Reading the \/proc\/self\/status file and inspecting the TracerPid field<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Another technique that \u201cGorillaBot\u201d uses to detect debuggers is to register a signal handler (callback) that pauses and then exits upon receiving a SIGTRAP signal.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"36\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-1024x36.png\" alt=\"\" class=\"wp-image-12313\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-1024x36.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-300x11.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-768x27.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-370x13.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-270x10.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4-740x26.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-4.png 1221w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Detection of debuggers by Gorillabot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Environment check&nbsp;&nbsp;<\/h2>\n\n\n\n<p><strong>GorillaBot<\/strong> is highly selective about the environment it runs in. It first ensures that it is operating on a legitimate target machine rather than inside a honeypot or container. To do this, it performs several checks for system-level artifacts that may not be present in those scenarios.&nbsp;<\/p>\n\n\n\n<p>The code shows that it initially checks for access to the \u201c\/proc\u201d file system &#8211; a virtual file system that provides user-space processes with information about the kernel and running processes.&nbsp;&nbsp;<\/p>\n\n\n\n<p>In a typical Linux environment, the presence of the \u201c\/proc\u201d file system is expected. 
If it\u2019s missing, GorillaBot assumes it is being analyzed in a honeypot and exits immediately.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"750\" height=\"76\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2.png\" alt=\"\" class=\"wp-image-12315\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2.png 750w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2-300x30.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2-370x37.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2-270x27.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2-740x75.png 740w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><figcaption class=\"wp-element-caption\"><em>\/proc check to detect non-standard environments<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>GorillaBot uses another check to detect Kubernetes containerization by examining a specific file in the &#8220;\/proc&#8221; directory, namely &#8220;\/proc\/1\/cgroup.&#8221; It looks for the string &#8220;kubepods.&#8221; If this string is found, GorillaBot recognizes that it is running in a container and terminates its execution to avoid detection.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"534\" height=\"195\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-2.png\" alt=\"\" class=\"wp-image-12316\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-2.png 534w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-2-300x110.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-2-370x135.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-2-270x99.png 270w\" 
sizes=\"(max-width: 534px) 100vw, 534px\" \/><figcaption class=\"wp-element-caption\"><em>Containerization checks by GorillaBot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Encryption &amp; Decryption Algorithms&nbsp;&nbsp;<\/h2>\n\n\n\n<p>One of the more intriguing features of this Mirai-based botnet is its use of <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">encryption<\/a> and decryption techniques to obscure key strings and hide internal configuration data.<\/p>\n\n\n\n<p>Researchers observed that GorillaBot uses a simple Caesar cipher with a shift of 3 to decrypt specific strings. In addition, it employs a custom block cipher &#8211; which we\u2019ll examine later in this article &#8211; to decrypt more complex internal configurations. These methods help the malware avoid static detection and make reverse engineering more difficult.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"63\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-2.png\" alt=\"\" class=\"wp-image-12318\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-2.png 515w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-2-300x37.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-2-370x45.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-2-270x33.png 270w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/><figcaption class=\"wp-element-caption\"><em>The use of Caesar cipher by GorillaBot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Network Communication&nbsp;&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Initial C2 Communication&nbsp;&nbsp;<\/strong><\/h3>\n\n\n\n<p>Like many other Mirai-based botnets, 
GorillaBot uses raw TCP sockets for command-and-control (C2) communication, rather than higher-level protocols like HTTP or HTTPS.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn to analyze malware&#8217;s network traffic<\/a><\/p>\n\n\n\n<p>The process begins with the malware establishing a connection to its C2 server &#8211; the server&#8217;s IP address is decrypted at runtime using what appears to be a custom implementation of the XTEA (Extended Tiny Encryption Algorithm).&nbsp;&nbsp;<\/p>\n\n\n\n<p>The cipher closely resembles TEA or XTEA, employing a 128-bit (16-byte) hardcoded key for both encryption and decryption.&nbsp;<\/p>\n\n\n\n<p>During each iteration of the algorithm, a delta value is subtracted from the sum.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"414\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-1024x414.png\" alt=\"\" class=\"wp-image-12320\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-1024x414.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-768x310.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-370x150.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2-740x299.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2.png 1264w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Decryption of C2 IP using custom XTEA-like algorithm<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The function begins by 
calculating the length of the provided data. It does this by iterating until it encounters the first NULL character.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Once the length is known, it proceeds to pack the key. Since the key is given as a serialized sequence of bytes, it must be organized into an array of four 32-bit words before the function can perform either encryption or decryption.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"468\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-1024x468.png\" alt=\"\" class=\"wp-image-12322\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-1024x468.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-768x351.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-370x169.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2-740x338.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2.png 1066w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Key packing and data length calculation before encryption\/decryption<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After the key is prepared and the data length calculated, the function checks a mode parameter to decide whether to encrypt or decrypt. 
It then enters a loop to iterate over the data for either process.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1015\" height=\"396\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2.png\" alt=\"\" class=\"wp-image-12324\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2.png 1015w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2-300x117.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2-768x300.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2-370x144.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2-270x105.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2-740x289.png 740w\" sizes=\"(max-width: 1015px) 100vw, 1015px\" \/><figcaption class=\"wp-element-caption\"><em>Mode parameter check<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>GorillaBot authentication mechanism with the C2 server&nbsp;&nbsp;&nbsp;<\/strong><\/h3>\n\n\n\n<p>After successfully connecting to the C2 server, the malware initiates the authentication process to identify itself to the server.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This process begins with the malware sending a 1-byte TCP probe packet to the C2 server. In response, the server replies with a 4-byte TCP packet that includes a &#8220;magic&#8221; 4-byte value. 
This value is then used to generate the bot ID for the authentication process.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f980c665-1a5a-4fd8-93a2-08c28bd8545c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=gorillabot_analysis&amp;utm_term=250325&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis in ANY.RUN&#8217;s Interactive Sandbox<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"738\" height=\"559\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1.png\" alt=\"\" class=\"wp-image-12326\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1.png 738w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1-300x227.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1-370x280.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1-270x205.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1-80x60.png 80w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><figcaption class=\"wp-element-caption\"><em>C2 communication shown in ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The process begins with a returned 4-byte magic value, which is combined with a 32-byte encrypted array to generate the bot ID or authentication token.&nbsp;&nbsp;<\/p>\n\n\n\n<p>A key aspect of this process is the method used to combine the 32-byte array with the 4-byte magic value to create the token.&nbsp;&nbsp;<\/p>\n\n\n\n
<p>The same cipher previously described is applied to decrypt the 32-byte hardcoded array. 
Once decrypted, the data is copied into a separate buffer and concatenated with the 4-byte magic value.&nbsp;<\/p>\n\n\n\n<p>The combined data is then hashed using <strong>SHA-256<\/strong> before being sent back to the command and control (C2) server as the identification token.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"542\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-1024x542.png\" alt=\"\" class=\"wp-image-12328\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-1024x542.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-768x406.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1-740x391.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1.png 1055w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Decrypted array and magic value combined, then hashed with SHA-256<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the screenshot below, you can see the generated SHA-256 token, which is created by combining the 4-byte magic value received from the C2 server with the decrypted 32-byte hardcoded array.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"500\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-1024x500.png\" alt=\"\" class=\"wp-image-12329\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-1024x500.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-300x146.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-768x375.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-370x181.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-270x132.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn-740x361.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/cyberchef_sha256_tkn.png 1527w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The generated SHA-256 token<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The C2 (Command and Control) communication continues once the C2 server has authenticated the bot.&nbsp;&nbsp;<\/p>\n\n\n\n<p>In response, the server sends a packet that appears to be a flag, labeled \u201c01,\u201d to confirm the bot&#8217;s authenticity. On the C2 server side, a list of hashes (such as SHA-256) representing valid bot IDs is most likely maintained. 
This list is used to verify the received ID, ensuring that the connection is from a legitimate bot instance rather than an unauthorized source attempting to interact with the C2 infrastructure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"172\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-1024x172.png\" alt=\"\" class=\"wp-image-12331\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-1024x172.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-300x50.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-768x129.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-370x62.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-270x45.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1-740x124.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1.png 1082w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>C2 server responds with 0x01 flag to confirm bot authentication<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the screenshot above, after successfully sending the SHA-256 hash (bot ID), the bot receives a 1-byte response. This response is checked against \u201c01,\u201d which indicates successful authentication. Following this, the bot replies with a 4-byte packet containing the bytes \u201c00 00 00 01.\u201d This is likely the bot acknowledging receipt of the flag packet.&nbsp;<\/p>\n\n\n\n<p>After that, GorillaBot exhibits behavior similar to the original Mirai bot. The malware calculates the length of a provided 32-byte ID buffer and sends this length to the command and control (C2) server. 
Once the length is successfully sent, the malware transmits the actual ID buffer to the server.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"586\" height=\"168\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/id_buf.png\" alt=\"\" class=\"wp-image-12333\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/id_buf.png 586w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/id_buf-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/id_buf-370x106.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/id_buf-270x77.png 270w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><figcaption class=\"wp-element-caption\"><em>Mirai code snippet<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The code snippet above is taken from the leaked Mirai <a href=\"https:\/\/github.com\/jgamblin\/Mirai-Source-Code\/blob\/3273043e1ef9c0bb41bd9fcdc5317f7b797a2a94\/mirai\/bot\/main.c#L121\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a> and includes a check for the number of arguments. 
If a second argument is provided, it is copied to &#8220;id_buf,&#8221; which has a length of exactly 32 bytes.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This behavior is consistent with that observed in the Mirai-based variant &#8220;GorillaBot.&#8221; During its initial communication with the command-and-control (C2) server, GorillaBot first sends the length of the buffer, followed by the buffer itself &#8211; mirroring the original Mirai implementation.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"995\" height=\"511\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24.png\" alt=\"\" class=\"wp-image-12334\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24.png 995w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24-300x154.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24-768x394.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24-370x190.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2025-01-28_13-24-740x380.png 740w\" sizes=\"(max-width: 995px) 100vw, 995px\" \/><figcaption class=\"wp-element-caption\"><em>GorillaBot mimics Mirai by sending buffer length, then the buffer<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The screenshot below summarizes the initial C2 communication, validating the connection to ensure it comes from the intended source. 
This is crucial so that only authenticated connections receive attack commands.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"491\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-1024x491.jpg\" alt=\"\" class=\"wp-image-12337\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-1024x491.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-300x144.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-768x368.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-1536x737.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-2048x982.jpg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-370x177.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-270x129.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1-740x355.jpg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Summary of initial C2 communication<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n
\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Processing Attack Commands&nbsp;&nbsp;<\/strong><\/h3>\n\n\n\n<p>Once the bot has been authenticated, the next stage in the C2 communication process involves receiving a packet containing attack target information &#8211; essentially, instructions to initiate an attack.&nbsp;<\/p>\n\n\n\n<p>In the example screenshot below, we can see that the first step taken is to read the length of the packet. This confirms the malware&#8217;s ability to retrieve data over the socket from the command and control (C2) server.&nbsp;&nbsp;<\/p>\n\n\n\n<p>After successfully reading the length, the malware proceeds with execution. It reads the expected length of the attack packet, then uses that length to read the corresponding number of bytes from the C2 server, which constitutes the attack packet.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"353\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-1024x353.png\" alt=\"\" class=\"wp-image-12339\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-1024x353.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-768x265.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-370x128.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-270x93.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16-740x255.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image16.png 1053w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Reading packet length from C2 server to begin data 
retrieval<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Attack Command packet structure<\/strong><\/h3>\n\n\n\n<p>Below is the structure of the received attack packet next to the corresponding bytes from the packet capture. The length of the packet (highlighted in red in the capture) and the attack packet itself arrive with almost no delay between them, so in the capture they look like one packet received at once; they are in fact two separate receives.<\/p>\n\n\n\n<p>The layout is simple. The first 32 bytes are a SHA-256 digest (highlighted in yellow); the field name below reflects that it is computed over the encoded command that follows it. The remaining bytes are the encoded attack command (highlighted in blue), which is decoded with the same Caesar shift cipher described earlier before it is parsed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>struct attack_pkt {\n    uint16_t expected_pkt_length;                     \/\/ received first, as its own read\n    char encoded_cmd_sha256_hash[SHA256_BLOCK_SIZE];  \/\/ 32-byte SHA-256 of encoded_cmd\n    char encoded_cmd[ENCODED_CMD_LENGTH];             \/\/ Caesar-shifted attack command\n};<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"347\" height=\"61\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/attack_pkt.jpg\" alt=\"\" class=\"wp-image-12341\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/attack_pkt.jpg 347w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/attack_pkt-300x53.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/attack_pkt-270x47.jpg 270w\" sizes=\"(max-width: 347px) 100vw, 347px\" \/><figcaption class=\"wp-element-caption\">Attack packet<\/figcaption><\/figure><\/div>\n\n\n<p>Once the encoded attack command has been checked against the digest, it is decoded and passed to \u201cattack_parse.\u201d Note that the digest is a plain SHA-256 of the data it travels with, so this check detects a corrupted or truncated command but does not by itself authenticate where the command came from. The function is responsible for 
extracting target information, determining the specific attack method, and then handing off control to the appropriate attack function for execution.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"704\" height=\"122\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1.png\" alt=\"\" class=\"wp-image-12342\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1.png 704w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1-300x52.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1-370x64.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1-270x47.png 270w\" sizes=\"(max-width: 704px) 100vw, 704px\" \/><figcaption class=\"wp-element-caption\"><em>Decoded attack command passed to attack_parse<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The \u201cattack_parse\u201d function closely resembles the original Mirai code, as it processes the provided buffer containing the attack command in a similar manner. 
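<\/p>

<p>The receive path described in this section, from the two-byte length prefix through the SHA-256 check and the Caesar decode into a Mirai-style attack_parse, as a Python decoder added here for illustration; it is not GorillaBot&#8217;s or Mirai&#8217;s own code. It assumes a big-endian length field, that the hash covers the encoded command bytes (as the field name suggests), a byte-wise Caesar shift with a placeholder shift of 3 (the real value is not given here), and Mirai&#8217;s attack_parse layout (duration, vector, target list, then an options block that may be absent). The sample packet and its tampered copy are constructed for the example.<\/p>

```python
"""Decode one GorillaBot-style attack packet end to end.

Added example, not GorillaBot's or Mirai's own code. Assumptions (not given on
the page): big-endian 2-byte length prefix, SHA-256 computed over the encoded
command bytes, a byte-wise Caesar shift with a placeholder shift of 3, and
Mirai's attack_parse layout with an optional trailing options block.
"""
import hashlib
import io
import ipaddress
import struct
from dataclasses import dataclass, field

SHA256_BLOCK_SIZE = 32
CAESAR_SHIFT = 3   # placeholder: the real shift value is not stated on the page


def recv_exact(stream, n):
    """Read exactly n bytes. The length prefix and the body are sent as
    separate writes, so a single read may return less than requested."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise ConnectionError("C2 closed the socket mid-packet")
        buf += chunk
    return bytes(buf)


def caesar_decode(data, shift=CAESAR_SHIFT):
    """Undo the byte-wise shift applied by the C2 (assumed cipher form)."""
    return bytes((b - shift) % 256 for b in data)


def read_attack_pkt(stream):
    """Consume one attack_pkt from the stream and return the decoded command.
    Raises ValueError when the packet is malformed or the SHA-256 mismatches.
    The digest is an unkeyed hash of data it travels with, so this catches
    corruption only; it does not authenticate who sent the command."""
    (expected_len,) = struct.unpack("!H", recv_exact(stream, 2))
    if expected_len <= SHA256_BLOCK_SIZE:
        raise ValueError("packet too short to hold a hash and a command")
    body = recv_exact(stream, expected_len)
    digest, encoded_cmd = body[:SHA256_BLOCK_SIZE], body[SHA256_BLOCK_SIZE:]
    if hashlib.sha256(encoded_cmd).digest() != digest:
        raise ValueError("SHA-256 mismatch: attack command rejected")
    return caesar_decode(encoded_cmd)


@dataclass
class AttackCmd:
    duration: int                 # seconds
    vector: int                   # attack method id
    targets: list                 # [(dotted_ip, prefix_len), ...]
    options: dict = field(default_factory=dict)   # option key -> raw value


def attack_parse(buf):
    """Mirai-style attack_parse over the decoded command:
    duration(u32 BE) vector(u8) ntargets(u8) [ip(4) netmask(u8)]*
    then, only if bytes remain, nopts(u8) [key(u8) vlen(u8) value]*."""
    duration, vector, ntargets = struct.unpack_from("!IBB", buf, 0)
    pos = 6
    targets = []
    for _ in range(ntargets):
        ip_raw, netmask = struct.unpack_from("!4sB", buf, pos)
        pos += 5
        targets.append((str(ipaddress.IPv4Address(ip_raw)), netmask))
    options = {}
    if pos < len(buf):                      # command carries an options block
        nopts = buf[pos]
        pos += 1
        for _ in range(nopts):
            if pos + 2 > len(buf):
                raise ValueError("truncated option header")
            key, vlen = buf[pos], buf[pos + 1]
            pos += 2
            options[key] = buf[pos:pos + vlen]
            pos += vlen
    if pos != len(buf):
        raise ValueError("trailing or missing bytes in attack command")
    return AttackCmd(duration, vector, targets, options)


def build_attack_pkt(cmd, shift=CAESAR_SHIFT):
    """The C2 side, used here only to construct sample traffic."""
    encoded = bytes((b + shift) % 256 for b in cmd)
    body = hashlib.sha256(encoded).digest() + encoded
    return struct.pack("!H", len(body)) + body


def decode_stream(raw):
    """Run the whole pipeline over a captured byte stream (e.g. from a pcap)."""
    return attack_parse(read_attack_pkt(io.BytesIO(raw)))


# Constructed sample: 60 s of vector 0 against 192.0.2.0/24 with one option
# (key 7, value "80"); 0 and 7 are Mirai's UDP-flood and dport ids.
SAMPLE_CMD = (struct.pack("!IBB", 60, 0, 1)
              + ipaddress.IPv4Address("192.0.2.0").packed + bytes([24])
              + bytes([1, 7, 2]) + b"80")
SAMPLE_CMD_NO_OPTS = SAMPLE_CMD[:11]       # same command, options block absent

if __name__ == "__main__":
    print(decode_stream(build_attack_pkt(SAMPLE_CMD)))
    print(decode_stream(build_attack_pkt(SAMPLE_CMD_NO_OPTS)))
```

<p>Run stand-alone, the script prints the decoded command once with and once without an options block. The same functions can be pointed at a TCP stream reassembled from a capture; a packet whose encoded command has been altered after the digest was computed is rejected before it reaches attack_parse.<\/p>

<p>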
Notably, it supports attack commands both with and without options, just like the original Mirai.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"491\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-1024x491.jpg\" alt=\"\" class=\"wp-image-12344\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-1024x491.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-300x144.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-768x368.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-1536x737.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-2048x982.jpg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-370x177.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-270x129.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-740x355.jpg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Mirai vs. GorillaBot <\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>GorillaBot may not reinvent the wheel, but it\u2019s a strong reminder that old code can still pack a punch when reused in clever ways. By building on Mirai\u2019s foundation and adding its own tweaks to communication, encryption, and evasion techniques, GorillaBot proves that legacy malware lives on and evolves.&nbsp;<\/p>\n\n\n\n<p>To better understand threats like GorillaBot, the use of malware analysis tools like ANY.RUN&#8217;s Interactive Sandbox is important. It lets you dive into live malware behavior: from unpacking encrypted payloads to monitoring C2 communication in real time.&nbsp;<\/p>\n\n\n\n<p>Curious to see it in action? 
<a href=\"https:\/\/app.any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN now<\/a> to explore malware samples like GorillaBot hands-on and uncover the tactics they use during attacks to strengthen your defenses.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=gorillabot_analysis&amp;utm_term=250325&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=gorillabot_analysis&amp;utm_term=250325&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial of ANY.RUN&#8217;s services \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators Of Compromise&nbsp;&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Hashes&nbsp;<\/h3>\n\n\n\n<p>b482c95223df33f43b7cfd6a0d95a44cc25698bf752c4e716acbc1ac54195b55 (<a href=\"https:\/\/app.any.run\/tasks\/f980c665-1a5a-4fd8-93a2-08c28bd8545c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=gorillabot_analysis&amp;utm_term=250325&amp;utm_content=linktoservice\" 
target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a>)&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IP Addresses and Domains&nbsp;&nbsp;<\/h3>\n\n\n\n<p>http:\/\/193[.]143[.]1[.]70 (C2 server)&nbsp;<\/p>\n\n\n\n<p>193[.]143[.]1[.]59 (C2 server)&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn.&nbsp; In this article, we\u2019re diving into GorillaBot, a newly discovered botnet built on Mirai\u2019s code. It\u2019s been spotted launching hundreds of thousands of attacks across the globe, and it\u2019s got some [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":12355,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-12301","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>GorillaBot: Technical Analysis and Code Similarities with Mirai - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover technical analysis of GorillaBot, a new malware variant based on the original code of the Mirai botnet.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mohamed Talaat\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/\"},\"author\":{\"name\":\"Mohamed Talaat\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"GorillaBot: Technical Analysis and Code Similarities with Mirai\",\"datePublished\":\"2025-03-25T12:02:43+00:00\",\"dateModified\":\"2025-04-02T05:51:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/\"},\"wordCount\":2152,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/\",\"name\":\"GorillaBot: Technical Analysis and Code Similarities with Mirai - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-03-25T12:02:43+00:00\",\"dateModified\":\"2025-04-02T05:51:25+00:00\",\"description\":\"Discover technical analysis of GorillaBot, a new malware variant based on the original code of the Mirai 
botnet.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gorillabot-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"GorillaBot: Technical Analysis and Code Similarities with Mirai\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mohamed Talaat\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/mohamed.png.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/mohamed.png.jpeg\",\"caption\":\"Mohamed Talaat\"},\"description\":\"Mohamed Talaat is a Computer Engineer with a Bachelor in Computer Engineering from Suez Canal University (Ismailia, Egypt). Despite not having a strong cybersecurity background, he took it upon himself to establish a career in cybersecurity. \u041de found himself a better fit in Blue Teaming and malware analysis. Engaging in malware analysis and the development of TTPs, he also writes detection rules as part of his daily routine. Mohamed on LinkedIn.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12301"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=12301"}],"version-history":[{"count":37,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12301\/revisions"}],"predecessor-version":[{"id":12527,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12301\/revisions\/12527"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/12355"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=12301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=12301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=12301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}