Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.

Re: Malware collection

Postby EP_X0FF » Mon Jun 20, 2016 6:56 pm

xors wrote:
Found from a dropper

I think that it is Andromeda. Can anyone confirm?

You're right, sort of Andromeda (http://vms.drweb.com/virus/?_is=1&i=7974964&lng=en). Maybe it's a new Chtonic (Andromeda clone) variant.

runas
cmd.exe /c %s %lu
Test - OK
/test
yahoo.com google.com bing.com update.microsoft.com microsoft.com
80
Content-Type: application/octet-stream
Connection: close
POST
Connection: close
KB%08lu.exe
%TEMP%\
%TMP%\
{"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}
\system32\msiexec.exe
\SysWOW64\msiexec.exe
Mozilla/4.0
ntdll.dll
software\microsoft\windows\currentversion\policies\system
EnableLUA
software\microsoft\windows\currentversion\Run
software\microsoft\windows nt\currentversion\Windows
software\microsoft\windows\currentversion\Policies\Explorer\Run
USERPROFILE
APPDATA
ALLUSERSPROFILE
Load
D:(A;;KA;;;WD)
D:(A;;KRWD;;;WD)
:Zone.Identifier
ms%s.exe
\%lu
Hidden
software\microsoft\windows\currentversion\explorer\advanced
ShowSuperHidden
pool.ntp.org africa.pool.ntp.org oceania.pool.ntp.org asia.pool.ntp.org south-america.pool.ntp.org north-america.pool.ntp.org europe.pool.ntp.org
123
aReport aUpdate DllRegisterServer aStart
\cdo%lu.dll
TEMP
TMP
\system32\cdosys.dll
\SysWOW64\cdosys.dll
cdo%lu.dll
:%lu
NtMapViewOfSection
cdosys.dll
software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe
Debugger
WinDefend MpsSvc SharedAccess wuauserv wscsvc
HideSCAHealth
TaskbarNoNotification
software\microsoft\windows\currentversion\policies\Explorer
software\policies
is_not_vm
127.0.0.1
GetAddrInfoW
ws2_32.dll


Please use a password for archives next time. Posts moved.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: Malware collection

Postby ikolor » Thu Sep 08, 2016 3:38 pm

ikolor
 
Posts: 264
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby EP_X0FF » Sun Oct 16, 2016 7:38 am


Andromeda.

S-1-5-32-544
SeDebugPrivilege
ObtainUserAgentString
urlmon.dll
}
{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu
Shell_TrayWnd
runas
cmd.exe /c %s %lu
Test - OK
/test
yahoo.com google.com bing.com update.microsoft.com microsoft.com
80
Content-Type: application/octet-stream
Connection: close
POST
Connection: close
KB%08lu.exe
%TEMP%\
%TMP%\
{"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}
\system32\msiexec.exe
\SysWOW64\msiexec.exe
Mozilla/4.0
ntdll.dll
software\microsoft\windows\currentversion\policies\system
EnableLUA
software\microsoft\windows\currentversion\Run
software\microsoft\windows nt\currentversion\Windows
software\microsoft\windows\currentversion\Policies\Explorer\Run
USERPROFILE
APPDATA
ALLUSERSPROFILE
Load
D:(A;;KA;;;WD)
D:(A;;KRWD;;;WD)
:Zone.Identifier
ms%s.exe
\%lu
Hidden
software\microsoft\windows\currentversion\explorer\advanced
ShowSuperHidden
pool.ntp.org africa.pool.ntp.org oceania.pool.ntp.org asia.pool.ntp.org south-america.pool.ntp.org north-america.pool.ntp.org europe.pool.ntp.org
123
aReport aUpdate DllRegisterServer aStart
\cdo%lu.dll
TEMP
TMP
\system32\cdosys.dll
\SysWOW64\cdosys.dll
cdo%lu.dll
:%lu
NtMapViewOfSection
cdosys.dll
software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe
Debugger
WinDefend MpsSvc SharedAccess wuauserv wscsvc
HideSCAHealth
TaskbarNoNotification
software\microsoft\windows\currentversion\policies\Explorer
software\policies
is_not_vm
127.0.0.1
GetAddrInfoW
ws2_32.dll
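The spaced-out letters in the two dumps above (r u n a s, E n a b l e L U A) are UTF-16LE strings printed by a tool that treats the NUL byte after each character as a separator; the unspaced ones (ntdll.dll, GetAddrInfoW) are plain ASCII. The Python below is an added example, not code from EP_X0FF or from this thread: it extracts both kinds of string from a byte blob the way `strings -a` and `strings -el` do, then runs a few defender-side triage rules over the result so that artefacts such as the IFEO key for taskmgr.exe, the EnableLUA policy value, the :Zone.Identifier stream and the Everyone (WD) SDDL strings are flagged for a follow-up check on the host. The SAMPLE bytes are constructed for this illustration from strings in the dump (it is not a malware sample), and the rule names in TRIAGE_RULES are made up for this example.

```python
import re

# Constructed test input for this example: a handful of the strings visible in
# the dump above, laid out the way they would sit inside a PE image (ASCII
# strings next to UTF-16LE ones, with filler bytes between them). It is not a
# sample of the malware.
SAMPLE = (
    b"\x00\x01ntdll.dll\x00\x90\x90"
    + "EnableLUA".encode("utf-16-le") + b"\x00\x00"
    + ("software\\microsoft\\windows nt\\currentversion\\"
       "image file execution options\\taskmgr.exe").encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + ":Zone.Identifier".encode("utf-16-le") + b"\x00\x00"
    + b"GetAddrInfoW\x00ws2_32.dll\x00"
    + b"D:(A;;KA;;;WD)\x00"
)

MIN_LEN = 5  # shortest run worth reporting, same default as GNU strings


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII, equivalent to `strings -a`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Runs of printable UTF-16LE, equivalent to `strings -el`.

    Every character is <byte> 0x00, so a dumper that only knows ASCII shows
    them as 'r u n a s' with a gap where each NUL byte was; that is exactly
    the spacing seen in the forum dump above.
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


# Triage rules written for this example (not from the thread). Each one names
# a host artefact a defender would want to check for when such strings show up
# in an unknown binary; a hit is a lead to verify on the machine, not proof.
TRIAGE_RULES = {
    # IFEO Debugger entry for taskmgr.exe: the Debugger value runs instead
    "ifeo_debugger": re.compile(r"image file execution options\\", re.I),
    # Policies\System / EnableLUA: UAC policy tampering
    "uac_policy": re.compile(r"policies\\system|EnableLUA", re.I),
    # Run keys used for persistence
    "autorun_key": re.compile(r"currentversion\\(policies\\explorer\\)?run$", re.I),
    # Mark-of-the-Web alternate data stream, usually referenced to remove it
    "motw_stream": re.compile(r":Zone\.Identifier", re.I),
    # SDDL granting rights to Everyone (WD)
    "everyone_sddl": re.compile(r"D:\(A;;[A-Z]+;;;WD\)"),
}


def triage(strings):
    """Map rule name -> matching strings, for the rules that fired."""
    hits = {}
    for s in strings:
        for name, rule in TRIAGE_RULES.items():
            if rule.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def analyse(data):
    """Extract ASCII and UTF-16LE strings, then run triage over both."""
    found = ascii_strings(data) + utf16le_strings(data)
    return found, triage(found)


if __name__ == "__main__":
    found, hits = analyse(SAMPLE)
    for s in found:
        print(s)
    for name, matched in hits.items():
        print(f"[{name}] " + "; ".join(matched))
```

Run against a real file, `analyse(open(path, "rb").read())` gives the same two lists `strings -a` and `strings -el` would, plus the rule hits; the UTF-16 pass is what recovers the registry paths that the forum dump shows letter by letter.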

Re: Malware collection

Postby EP_X0FF » Mon Oct 17, 2016 7:08 am


Re: Backdoor Andromeda (waahoo, alias Gamarue)

Postby xors » Tue Dec 05, 2017 7:47 pm

@xorsthings
xors
 
Posts: 135
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Postby Xylitol » Wed Dec 06, 2017 2:22 am

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda) ~ https://blogs.technet.microsoft.com/mmp ... andromeda/
Mastermind behind sophisticated, massive botnet outs himself ~ https://arstechnica.com/tech-policy/201 ... ppy-opsec/

Ar3s' profile on exploit.in magically vanished from the board :)

Damagelab - Ar3s Last activity: November 22, 2017, 09:58:57 pm
Exploit.in - Ar3s Last visit 20.11.2017 - 22:15
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Postby EP_X0FF » Wed Dec 06, 2017 10:08 am

Was he a direct owner of damagelab? Thoughts: this board is now a local branch of the FBI/Interpol etc., rofl.

P.S. Oh, I figured out they lost control over dlab.im.

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Postby R136a1 » Wed Dec 06, 2017 11:27 am

R136a1
 
Posts: 216
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Postby rkhunter » Wed Dec 06, 2017 2:33 pm

rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147
