Delphi based bot with DDoS capabilities

March 15, 2013

Dell SonicWALL Threats Research team came across a Delphi-based bot with DDoS capabilities along with support to execute multiple commands from the Command & Control (C&C) server. The author appears to refer to this malware as AyaBot.

Infection Cycle

Upon execution the Malware drops the following file on the system:

  • %USERPROFILE%\Local Settings\Temp\regdrv.exe (Copy of itself)

The Malware adds the following keys to the registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Registry Driver "%USERPROFILE%\Local Settings\Temp\regdrv.exe"

It makes the following changes to the registry in order to bypass firewalls:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\ProxyBypass="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\IntranetName="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\UNCAsIntranet="1"
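As an added defender-side example (not code from the advisory), the following Python evaluates a snapshot of HKEY_CURRENT_USER against the persistence value and the three Zonemap changes listed above. The snapshot layout, the function names and the sample data are assumptions constructed for this example; `snapshot_hkcu` reads the live hive and only works on Windows.

```python
import sys

# Host indicators taken from the advisory above (registry paths are case-insensitive).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Registry Driver"
DROPPED_NAME = "regdrv.exe"
ZONEMAP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap"
ZONEMAP_VALUES = ("ProxyBypass", "IntranetName", "UNCAsIntranet")


def evaluate(hkcu):
    """hkcu: {subkey_path: {value_name: data}} snapshot of HKEY_CURRENT_USER.
    Returns a list of findings; an empty list means nothing matched."""
    findings = []
    data = hkcu.get(RUN_KEY, {}).get(RUN_VALUE)
    if data is not None:
        path = str(data).strip('"')
        # Split on backslash by hand so the check also runs on non-Windows analysis hosts.
        exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe == DROPPED_NAME:
            findings.append(f"persistence: Run value {RUN_VALUE!r} launches {path}")
        else:
            findings.append(f"suspicious Run value name {RUN_VALUE!r} -> {path}")
    zonemap = hkcu.get(ZONEMAP_KEY, {})
    weakened = [v for v in ZONEMAP_VALUES if str(zonemap.get(v)) == "1"]
    if weakened:  # the sample sets all three; report partial matches as well
        findings.append("zonemap values set to 1: " + ", ".join(weakened))
    return findings


def snapshot_hkcu(subkeys=(RUN_KEY, ZONEMAP_KEY)):
    """Read the listed subkeys from the live HKCU hive (Windows only)."""
    import winreg  # only importable on Windows
    out = {}
    for sub in subkeys:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    index += 1
        except OSError:
            pass  # key absent: treated as no values
        out[sub] = values
    return out


# Constructed sample snapshots (not real telemetry) for an infected and a clean profile.
SAMPLE_INFECTED = {
    RUN_KEY: {RUN_VALUE: r'"C:\Documents and Settings\user\Local Settings\Temp\regdrv.exe"'},
    ZONEMAP_KEY: {"ProxyBypass": 1, "IntranetName": 1, "UNCAsIntranet": 1},
}
SAMPLE_CLEAN = {RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}, ZONEMAP_KEY: {}}

if __name__ == "__main__":
    source = snapshot_hkcu() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in evaluate(source) or ["no AyaBot indicators found"]:
        print(line)
```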

The following additions to the registry under HKEY_CURRENT_USER\Software\RegDataData indicate the name AyaBot used by the creator:

During our analysis we observed AyaBot trying to access removable drives. AyaBot communicates with the server through Base64-encoded HTTP requests and responses; during our analysis we observed the following three phases of communication:

We observed a number of commands in the code, a few of them are listed below:

  • update
  • runexe
  • config
  • opensite
  • openurl
  • icmp
  • pcdata

The AyaBot sample we received contains the following hardcoded URLs:


During our analysis we observed AyaBot successfully communicating with the following URL:

  • is one of the sites the bot tries to communicate with. This site provides DDoS attack services for a nominal fee as shown by their price chart below.

Similarities between the name of this site and the name of the bot suggest that this bot may be part of the site's DDoS network: once a victim machine is infected, it may take part in a targeted DDoS attack carried out as one of the site's services.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.OEJ_2 (Trojan)