Benjamin

Category: trojan_generic · Aliases: None known · Sample count (EMBER 2018): 153 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Worm:Win32/Benjamin is a classic, highly disruptive network worm specifically engineered to propagate wildly across Peer-to-Peer (P2P) file-sharing networks by masquerading as highly desirable software or media files.

Understanding Benjamin
To the average user utilizing legacy P2P networks (like Kazaa, Limewire, or eMule), Benjamin appears to be a successful download of a popular movie, crack, or application. For incident responders, Benjamin represents a severe bandwidth and storage consumption threat. Its primary objective is aggressive self-replication, turning the infected endpoint into a massive distribution hub for the worm.

Execution and Evasion Strategies
The infection cycle begins when a user downloads and executes a file named something enticing (e.g., Photoshop_Crack.exe) from a P2P network. Upon execution, the Benjamin worm drops its core payload into the Windows System directory and establishes persistence via the Registry Run keys. It then actively searches the endpoint for the shared folders utilized by installed P2P applications. Once located, Benjamin rapidly copies itself hundreds of times into these shared folders, dynamically renaming the copies to match the most frequently searched terms on the P2P network at that time.

Indicators of Compromise & Impact
The immediate impact is massive hard drive consumption and severe network congestion as other P2P users download the thousands of fake files now hosted by the victim. Incident responders will notice the P2P shared folders suddenly filled with hundreds of identically sized executable files (.exe) masquerading as .mp3s, .avis, or .zips. EDR tools will flag the rapid, automated creation of executables within specific directory paths.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1091Replication Through Removable MediaLateral Movement
T1036.004Masquerading: Keep Original File NameDefense Evasion
T1498Network Denial of ServiceImpact
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence
T1204.002User Execution: Malicious FileExecution

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_BENJAMIN {
    meta:
        description = "Detects Benjamin (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "benjamin" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Benjamin Activity
id: 5d9f71b71b207b9e665820c0dce67bdb
status: experimental
description: Detects generic indicators of the benjamin malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*benjamin*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Instantly isolate the endpoint from the network to halt the massive outbound bandwidth consumption caused by P2P uploads.
  2. Identify and completely uninstall the P2P file-sharing application (e.g., Kazaa, eMule, BitTorrent clients) that facilitated the infection.
  3. Locate the P2P shared directory and permanently delete the hundreds of fake, replicated executable files generated by the worm.
  4. Utilize a full EDR sweep to locate and remove the core Benjamin executable running from the Windows System directory and its associated Run keys.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not simply delete the fake files in the shared folder without killing the core process; the worm will recreate them instantly.
  2. Avoid allowing P2P file-sharing applications on corporate networks; they are a massive vector for worms, malware, and data leakage.

References & External Analysis

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/benjamin.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.