Bagle
December 21, 2023
| ID | X0001 |
| Type | Worm |
| Aliases | None |
| Platforms | Windows |
| Year | 2004 |
| Associated ATT&CK Software | None |
A mass-mailing computer worm affecting Microsoft Windows. [1]
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Persistence::Registry Run Keys / Startup Folder (F0012) | Bagle adds a value under a registry Run key so that it is executed automatically at every system startup. [1] |
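The Run-key persistence above is the first thing to check on a suspected host. The script below is an added example, not part of the MBC page or any Bagle analysis: it triages a `reg export` of the Run and RunOnce keys offline, reports every value that is not in a known-good baseline, and marks entries whose image lives in a user-writable directory. The `.reg` text, the value names, the paths and the baseline are all constructed for the example.

```python
"""Triage Run/RunOnce persistence entries from a Windows .reg export, offline."""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string value"
# Locations an unprivileged user can write to: a startup image living here deserves a look.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\", "\\public\\")


def unescape_reg(s: str) -> str:
    # A .reg export writes a backslash as \\ and a double quote as \" ; undo both.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str):
    """Yield (key, value_name, command) for every string value under a Run or RunOnce key."""
    run_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            run_key = key if RUN_KEY_RE.search(key) else None   # other keys are skipped
        elif run_key:
            m = VALUE_RE.match(line)
            if m:
                yield run_key, unescape_reg(m.group(1)), unescape_reg(m.group(2))


def image_path(command: str) -> str:
    """Pull the executable out of a Run command line: a quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(reg_text: str, baseline: set):
    """Return (key, name, image, in_user_writable_dir) for entries absent from the baseline."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        if (key.upper(), name.lower()) in baseline:     # known-good entry for this host
            continue
        image = image_path(command)
        suspicious_dir = any(marker in image.lower() for marker in USER_WRITABLE)
        findings.append((key, name, image, suspicious_dir))
    return findings


# Constructed sample export (value names and paths invented for this example, not Bagle artifacts).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"sysupdate"="C:\\Users\\alice\\AppData\\Local\\Temp\\sysupd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"winupd"="C:\\WINDOWS\\system32\\winupd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
'''

# Constructed known-good baseline for this host, keyed by (key, value name); anything else is reported.
BASELINE = {
    (r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "onedrive"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "securityhealth"),
}

if __name__ == "__main__":
    for key, name, image, suspicious in triage(SAMPLE_REG, BASELINE):
        print(("SUSPICIOUS DIR " if suspicious else "UNKNOWN        ") + name + " -> " + image)
```

The baseline, not the path heuristic, is what catches an entry dropped into `system32`: a worm that copies itself into the Windows directory passes the writable-directory check, so maintain the baseline from a clean image and treat every unknown value as something to explain.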
MBC Behaviors
| Name | Use |
|---|---|
| Execution::Prevent Concurrent Execution (B0024) | Some Bagle variants check for an existing mutex (the referenced analysis does not give its name) so that only one copy of the worm runs on a system. [1] |
| Execution::Send Email (B0020) | Bagle carries its own SMTP engine and mass-mails itself as an attachment directly from the infected computer, without going through the victim's mail client or configured mail server. [2] |
| Data::Decompress Data::aPLib (C0025.003) | Bagle decompresses data using aPLib. [4] |
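A host running its own SMTP engine, as described under Send Email above, shows up on the network as a workstation opening TCP port 25 to many distinct mail servers in a short time, which is the opposite of normal client behaviour (one connection to the site's relay). The following detection is an added example, not code from the MBC project or from any Bagle report: it runs a sliding window over connection-log lines, counts distinct port-25 destinations per source, and ignores approved relays. The log format, the addresses and the thresholds are constructed for the example.

```python
"""Detect a host talking SMTP directly to many mail servers, as a mass-mailing worm does."""
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORT = 25


def parse_flow(line: str):
    """'2004-02-01T10:00:01 10.0.0.5 203.0.113.10 25 tcp' -> (timestamp, src, dst, dport), or None."""
    fields = line.split()
    if len(fields) != 5 or fields[4].lower() != "tcp":
        return None
    return datetime.fromisoformat(fields[0]), fields[1], fields[2], int(fields[3])


def find_direct_smtp_senders(lines, window_seconds=600, min_destinations=5, mail_servers=frozenset()):
    """Return {src: (peak distinct port-25 destinations inside one window, time of that peak)}
    for every source that is not an approved mail server and reaches the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport == SMTP_PORT and src not in mail_servers:
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)    # dst -> connections inside the current window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:     # slide the window start forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct >= min_destinations and distinct > findings.get(src, (0,))[0]:
                findings[src] = (distinct, ts)
    return findings


# Constructed connection log (timestamp src dst dport proto) using documentation address ranges:
# 10.0.0.5 is a workstation fanning out to seven MX hosts, 10.0.0.2 is the site's real relay,
# 10.0.0.7 sends a little mail directly, which stays below the threshold.
SAMPLE_FLOWS = """\
2004-02-01T10:00:01 10.0.0.5 203.0.113.10 25 tcp
2004-02-01T10:00:02 10.0.0.5 203.0.113.11 25 tcp
2004-02-01T10:00:02 10.0.0.7 198.51.100.9 443 tcp
2004-02-01T10:00:03 10.0.0.5 203.0.113.12 25 tcp
2004-02-01T10:00:04 10.0.0.5 203.0.113.13 25 tcp
2004-02-01T10:00:05 10.0.0.2 203.0.113.20 25 tcp
2004-02-01T10:00:05 10.0.0.5 203.0.113.14 25 tcp
2004-02-01T10:00:06 10.0.0.5 203.0.113.10 25 tcp
2004-02-01T10:00:07 10.0.0.7 203.0.113.30 25 tcp
2004-02-01T10:00:08 10.0.0.2 203.0.113.21 25 tcp
2004-02-01T10:00:09 10.0.0.5 203.0.113.15 25 tcp
2004-02-01T10:00:09 10.0.0.7 203.0.113.31 25 tcp
2004-02-01T10:00:10 10.0.0.5 192.0.2.7 53 udp
2004-02-01T10:00:11 10.0.0.2 203.0.113.22 25 tcp
2004-02-01T10:00:12 10.0.0.5 203.0.113.16 25 tcp
2004-02-01T10:00:13 10.0.0.2 203.0.113.23 25 tcp
2004-02-01T10:00:14 10.0.0.2 203.0.113.24 25 tcp
2004-02-01T10:00:15 10.0.0.2 203.0.113.25 25 tcp
""".splitlines()

MAIL_SERVERS = frozenset({"10.0.0.2"})   # approved relays, exempt from the rule

if __name__ == "__main__":
    for src, (peak, when) in find_direct_smtp_senders(SAMPLE_FLOWS, mail_servers=MAIL_SERVERS).items():
        print(src, "reached", peak, "distinct SMTP destinations by", when.isoformat())
```

Counting distinct destinations rather than raw connection attempts is what separates a worm from a legitimate relay retrying one server, and the relay allow-list is essential: without it the site's own mail server is the first host the rule reports. The same rule also gives a cheap containment handle, since blocking outbound port 25 from everything except the approved relays stops the mailing regardless of variant.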
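capa reports the aPLib behaviour above by matching the decompressor's code pattern; to actually recover what the sample unpacks, an analyst needs a depacker. The module below is an added example written for this page, not code from capa, from the MBC project or from the aPLib distribution: it implements the publicly documented aPLib decoding algorithm (the same control flow as the reference `aP_depack`), adds bounds checks so a corrupt stream raises an error instead of crashing, and also handles the 24-byte `AP32` container with its size and CRC32 fields. The packed sample bytes were hand-encoded for this example and are not a Bagle payload.

```python
"""Pure-Python aPLib decompressor: raw streams and the AP32 safe container."""
import struct
import zlib


class APLibError(ValueError):
    """Raised on truncated or malformed aPLib input instead of crashing the analysis."""


class _BitReader:
    """Tag bytes carry 8 flag bits each, consumed most-significant bit first."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos, self.tag, self.bitcount = data, 0, 0, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise APLibError("truncated input at offset %d" % self.pos)
        self.pos += 1
        return self.data[self.pos - 1]

    def bit(self) -> int:
        if self.bitcount == 0:              # tag exhausted: the next input byte is a new tag
            self.tag, self.bitcount = self.byte(), 8
        bit = (self.tag >> 7) & 1
        self.tag, self.bitcount = (self.tag << 1) & 0xFF, self.bitcount - 1
        return bit

    def gamma(self) -> int:
        """Elias-gamma-style code: pairs of (value bit, continue bit), starting from 1."""
        result = 1
        while True:
            result = (result << 1) + self.bit()
            if not self.bit():
                return result


def aplib_depack(src: bytes) -> bytes:
    """Decompress a raw aPLib stream; follows the reference aP_depack() control flow."""
    rd, out = _BitReader(src), bytearray()
    r0, lwm = -1, 0     # last long-match offset; "last was match" flag (disambiguates the repeat code)

    def copy(offs: int, length: int) -> None:
        if offs <= 0 or offs > len(out):
            raise APLibError("match offset %d points outside the output" % offs)
        for _ in range(length):         # byte-wise copy: overlapping matches are intentional
            out.append(out[-offs])

    out.append(rd.byte())               # the first byte is always stored verbatim
    while True:
        if not rd.bit():                            # 0   : literal byte
            out.append(rd.byte())
            lwm = 0
        elif not rd.bit():                          # 10  : long match, gamma-coded offset and length
            offs = rd.gamma()
            if lwm == 0 and offs == 2:              # code 2 right after a literal: reuse last offset
                copy(r0, rd.gamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + rd.byte()
                length = rd.gamma() + (offs >= 32000) + (offs >= 1280) + (2 if offs < 128 else 0)
                copy(offs, length)
                r0 = offs
            lwm = 1
        elif not rd.bit():                          # 110 : short match, 7-bit offset, 2 or 3 bytes
            b = rd.byte()
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:                           # offset 0 here is the end-of-stream marker
                return bytes(out)
            copy(offs, length)
            r0, lwm = offs, 1
        else:                                       # 111 : one byte from a 4-bit offset (0 = NUL)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + rd.bit()
            if offs:
                copy(offs, 1)
            else:
                out.append(0)
            lwm = 0


AP32_MAGIC = b"AP32"
AP32_HEADER = struct.Struct("<4sIIIII")  # tag, header size, packed size, packed CRC32, orig size, orig CRC32


def aplib_decompress(data: bytes) -> bytes:
    """Accept either a bare stream or the AP32 container, verifying the container's sizes and CRCs."""
    if not data.startswith(AP32_MAGIC):
        return aplib_depack(data)
    if len(data) < AP32_HEADER.size:
        raise APLibError("truncated AP32 header")
    _, hdr_size, packed_size, packed_crc, orig_size, orig_crc = AP32_HEADER.unpack_from(data)
    packed = data[hdr_size:hdr_size + packed_size]
    if len(packed) != packed_size or zlib.crc32(packed) != packed_crc:
        raise APLibError("AP32 packed size or CRC mismatch")
    out = aplib_depack(packed)
    if len(out) != orig_size or zlib.crc32(out) != orig_crc:
        raise APLibError("AP32 unpacked size or CRC mismatch")
    return out


def ap32_wrap(packed: bytes, plain: bytes) -> bytes:
    """Build an AP32 container around a packed stream (used here only to construct sample input)."""
    return AP32_HEADER.pack(AP32_MAGIC, AP32_HEADER.size, len(packed), zlib.crc32(packed),
                            len(plain), zlib.crc32(plain)) + packed


# Constructed sample, hand-encoded for this example: it exercises literals, a long match,
# the repeat-offset code, both short-match forms, the NUL code and the end marker.
SAMPLE_PACKED = bytes.fromhex("61 52 62 02 22 63 e3 c3 60 07 00")
SAMPLE_PLAIN = b"ababababcbcbb\x00bb\x00"
```

Usage: `aplib_decompress(blob)` on the bytes that follow the packed region's start; when a sample stores the stream without the `AP32` header, which is common in malware, the start must be found from the unpacking code's reference to it, and the depacker stops on its own at the end marker. The bounds checks matter in practice because a wrong start offset produces an out-of-range match almost immediately, which here becomes an `APLibError` rather than an exception deep inside a loop.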
Indicators of Compromise
SHA256 Hashes
- a1b08bc8fd95d6f7415a9394bf76abed3e7860a5eda380cb863ab2d5fc6b65a5
- e3711dc2049c37e14449066450da86ca1c9a96fecdadbb3ed9d594564b5a829e
References
[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/
[2] https://en.wikipedia.org/wiki/Bagle_(computer_worm)
[3] https://www.joesandbox.com/analysis/561298/0/html
[4] capa v4.0, analyzed at MITRE on 10/12/2022