Worm:Win32/Benjamin is a classic, highly disruptive network worm specifically engineered to propagate wildly across Peer-to-Peer (P2P) file-sharing networks by masquerading as highly desirable software or media files.
Understanding Benjamin
To the average user utilizing legacy P2P networks (like Kazaa, Limewire, or eMule), Benjamin appears to be a successful download of a popular movie, crack, or application. For incident responders, Benjamin represents a severe bandwidth and storage consumption threat. Its primary objective is aggressive self-replication, turning the infected endpoint into a massive distribution hub for the worm.
Execution and Evasion Strategies
The infection cycle begins when a user downloads and executes a file named something enticing (e.g., Photoshop_Crack.exe) from a P2P network. Upon execution, the Benjamin worm drops its core payload into the Windows System directory and establishes persistence via the Registry Run keys. It then actively searches the endpoint for the shared folders utilized by installed P2P applications. Once located, Benjamin rapidly copies itself hundreds of times into these shared folders, dynamically renaming the copies to match the most frequently searched terms on the P2P network at that time.
Indicators of Compromise & Impact
The immediate impact is massive hard drive consumption and severe network congestion as other P2P users download the thousands of fake files now hosted by the victim. Incident responders will notice the P2P shared folders suddenly filled with hundreds of identically sized executable files (.exe) masquerading as .mp3s, .avis, or .zips. EDR tools will flag the rapid, automated creation of executables within specific directory paths.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1091 | Replication Through Removable Media | Lateral Movement |
T1036.004 | Masquerading: Keep Original File Name | Defense Evasion |
T1498 | Network Denial of Service | Impact |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
T1204.002 | User Execution: Malicious File | Execution |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_BENJAMIN {
meta:
description = "Detects Benjamin (trojan_generic)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "benjamin" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Benjamin Activity
id: 5d9f71b71b207b9e665820c0dce67bdb
status: experimental
description: Detects generic indicators of the benjamin malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*benjamin*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/benjamin.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.