Backdoor Andromeda (waahoo, alias Gamarue)


Postby p4r4n0id » Wed Dec 14, 2011 8:50 am

Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id
Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/
p4r4n0id
 
Posts: 126
Joined: Thu Sep 22, 2011 11:36 am
Location: Israel
Reputation point: 30

Re: Malware Requests

Postby dcmorton » Wed Dec 14, 2011 9:36 am

p4r4n0id wrote:Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id


Well, here's the best I can do with an incredibly vague request, IMO. Might be what you're looking for, might not be.

Google is your friend, btw. I went from the vague name "Andromeda bot" to the actual name "Worm:Win32/Gamarue.A/B", to a VirusTotal result with an MD5, to finding a sample for that MD5 using nothing but Google.

Thanks to Kobayashi from vxheavens for the sample as well

Edit:
The sample in the attachment is Gamarue.B. MD5 for a Gamarue.A sample is 4a64dd57fbfe0acdf700709b38bd8e69
dcmorton
 
Posts: 30
Joined: Tue Nov 16, 2010 4:56 pm
Location: United States
Reputation point: 13

Re: Malware Requests

Postby p4r4n0id » Wed Dec 14, 2011 11:04 am

Hi dcmorton,

First, thx for your fast reply, and sorry for the vague request.

I will try to explain myself better :)

Andromeda is a bot (AFAIK it is similar to Zeus and SpyEye; it is also a modularized program which can be functionally developed and supported using plug-ins), and one of its final payloads is the sample you have sent me.

http://www.maikmorgenstern.de/wordpress/?tag=botnets

Check the attached SC - the bot webpanel.

BTW, I think I have heard about Google somewhere :) - it returned nothing interesting regarding this sample.

Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/
p4r4n0id
 
Posts: 126
Joined: Thu Sep 22, 2011 11:36 am
Location: Israel
Reputation point: 30

Re: Malware Requests

Postby leeno » Thu May 10, 2012 9:25 pm

Request for sample

Andromeda bot
For details: http://cyb3rsleuth.blogspot.in/2012/02/ ... a-bot.html
leeno
 
Posts: 43
Joined: Wed Apr 11, 2012 10:19 am
Reputation point: 7

Backdoor.Andromeda

Postby Xylitol » Sat May 26, 2012 1:30 pm

Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Backdoor Andromeda (alias Gamarue)

Postby hx1997 » Sun May 27, 2012 5:29 pm

Hi,

Is this an Andromeda bot?
Dr.Web identified it as BackDoor.Andromeda.22
hx1997
 
Posts: 101
Joined: Sat Apr 07, 2012 12:16 am
Reputation point: 24

Re: Backdoor Andromeda (alias Gamarue)

Postby thisisu » Sun May 27, 2012 7:13 pm

Pretty sure this is another one.
MD5: 1592ea251ea1a81244f4487276506f8f
https://www.virustotal.com/file/3f57a21 ... /analysis/
Some notes I was able to gather:

Creates a bad value under this key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Value = SunJavaUpdateSched
File path = c:\documents and settings\all users\svchost.exe (same MD5)
Opens this port: 53382
Interesting string from process (no clue what it means)
Code:
hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
thisisu
 
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am
Reputation point: 65
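The "interesting string" in thisisu's post is an x86 stack string: each `h` is the PUSH imm32 opcode (0x68) and the four bytes after it are one chunk of the string, pushed last-chunk-first, so reading the chunks backwards yields a registry path fragment (`system\currentcontrolset\services\disk\e`; the trailing `\e` begins a component the pasted fragment does not include). The decoder below is an added example, not code from the thread; `find_push_strings` generalises it to raw bytes, and the blob it scans is constructed.

```python
# Added example (not from the thread): decode an x86 "stack string" built from
# PUSH imm32 instructions. Each 0x68 ('h') opcode carries 4 bytes of the string;
# the pushes run backwards, so the last push holds the first four characters.
STACK_STRING = r"hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst"  # pasted by thisisu

def decode_push_string(data: str, opcode: str = "h", width: int = 4) -> str:
    """Split data into (opcode + width) chunks, verify each opcode, reverse the order."""
    step = 1 + width
    if len(data) % step:
        raise ValueError(f"length {len(data)} is not a multiple of {step}")
    chunks = []
    for i in range(0, len(data), step):
        chunk = data[i:i + step]
        if chunk[0] != opcode:
            raise ValueError(f"chunk at offset {i} does not start with the PUSH opcode")
        chunks.append(chunk[1:])
    return "".join(reversed(chunks))

def find_push_strings(blob: bytes, min_pushes: int = 3) -> list:
    """Scan raw bytes for runs of PUSH imm32 whose immediates are all printable ASCII.

    Runs shorter than min_pushes are ignored: ordinary code also emits 0x68 with
    printable-looking immediates, so short matches are mostly false positives.
    """
    found, i = [], 0
    while i < len(blob):
        run, j = [], i
        while (j + 5 <= len(blob) and blob[j] == 0x68
               and all(0x20 <= b < 0x7F for b in blob[j + 1:j + 5])):
            run.append(blob[j + 1:j + 5].decode("ascii"))
            j += 5
        if len(run) >= min_pushes:
            found.append("".join(reversed(run)))
            i = j
        else:
            i += 1
    return found

if __name__ == "__main__":
    print(decode_push_string(STACK_STRING))
    # Constructed blob: two NOPs, the pushes from the post, then a RET.
    blob = b"\x90\x90" + STACK_STRING.encode("ascii") + b"\xc3"
    print(find_push_strings(blob))
```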

Re: Backdoor Andromeda (alias Gamarue)

Postby rkhunter » Mon May 28, 2012 7:00 am

Gamarue/Andromeda from my collection.

Worm:Win32/Gamarue.B
MD5: b2a537545dafd9d32c92c38d6091afb4

Worm:Win32/Gamarue.F
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Backdoor Andromeda (alias Gamarue)

Postby EP_X0FF » Mon May 28, 2012 7:35 am

hx1997 wrote:Hi,

is this an Andromeda bot?
Dr.Web identified it as BackDoor.Andromeda.22


Yes, Gamarue.F variant, written in assembler.

%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched


Payload injected into zombified wuauclt.exe process.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: Backdoor Andromeda (alias Gamarue)

Postby rkhunter » Mon May 28, 2012 12:04 pm

Worm:Win32/Gamarue.F
MD5: 3eb121fa5647244a8ee15870348aa782

Copies itself to
Code:
C:\Documents and Settings\All Users\Local Settings\Temp\msdubmn.bat

Runs from
Code:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\XXXX


Starts wuauclt.exe and patches it in memory; after that, it dies.
Sets special permissions on the Run key to complicate deletion. After the permissions were changed, it deleted fine.
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147
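Pulling the autostart indicators from the posts above into one check, as an added example rather than anything from the thread: the value name SunJavaUpdateSched, an svchost.exe copy outside System32 (%ALLUSERSPROFILE%\svchost.exe), the policies\Explorer\Run key and a .bat in Temp are what the posts report; the .reg-style export it parses is constructed.

```python
# Added example (not from the thread): flag the Gamarue/Andromeda autostart
# entries described above in a .reg-style export. Indicators come from the posts;
# the export text below is constructed.
import re

RUN_KEY_RE = re.compile(r"\\currentversion\\(policies\\explorer\\)?run$", re.I)
SUSPECT_NAME = "SunJavaUpdateSched"   # value name reported by thisisu and EP_X0FF

def classify(key: str, name: str, data: str) -> list:
    """Return the reasons an autostart value matches the persistence seen in the thread."""
    if not RUN_KEY_RE.search(key):
        return []
    reasons, d = [], data.lower()
    if name.lower() == SUSPECT_NAME.lower():
        reasons.append("value name " + SUSPECT_NAME)
    if "svchost.exe" in d and "\\system32\\" not in d:
        reasons.append("svchost.exe outside System32")      # %ALLUSERSPROFILE%\svchost.exe
    if "policies\\explorer\\run" in key.lower():
        reasons.append("autostart via policies\\Explorer\\Run")
    if "\\temp\\" in d and d.endswith(".bat"):
        reasons.append(".bat started from Temp")             # msdubmn.bat (rkhunter)
    return reasons

def scan_reg_export(text: str) -> list:
    """Parse "Name"="data" lines under [Key] headers; return (name, data, reasons) hits."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports double every backslash inside string data
            name, data = name.strip('"'), data.strip('"').replace("\\\\", "\\")
            reasons = classify(key, name, data)
            if reasons:
                findings.append((name, data, reasons))
    return findings

# Constructed export: a benign entry, the Run value from the thread, and the
# policies\Explorer\Run variant rkhunter described.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SunJavaUpdateSched"="C:\\Documents and Settings\\All Users\\svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"XXXX"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\msdubmn.bat"
"""

if __name__ == "__main__":
    for name, data, reasons in scan_reg_export(SAMPLE_EXPORT):
        print(f"{name} -> {data}: {', '.join(reasons)}")
```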
