Skip to content

Hide Navigation Hide TOC

GLOOXMAIL (a379f09b-5cec-4bdb-9735-125cef2de073)

GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that includes file upload and download, provide a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.

Cluster A Galaxy A Cluster B Galaxy B Level
GlooxMail (18208674-fe8c-447f-9e1d-9ff9a64b2370) Malpedia GLOOXMAIL (a379f09b-5cec-4bdb-9735-125cef2de073) Tool 1
GLOOXMAIL - S0026 (f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2) Malware GLOOXMAIL (a379f09b-5cec-4bdb-9735-125cef2de073) Tool 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern GLOOXMAIL - S0026 (f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2) Malware 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 3