Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by Userbased » Sun Jan 20, 2013 7:23 pm

The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by unixfreaxjp » Mon Jan 21, 2013 12:27 pm

Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.

Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by Userbased » Mon Jan 21, 2013 4:14 pm

unixfreaxjp wrote:
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
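The discussion above is about confirming, from a capture, that the sample actually talks to the check-in URL. The following is an added example, not code from the thread or from any of the posters: a stdlib-only Python script that walks a classic pcap file, pulls the HTTP requests out of the TCP segments, and lists those whose Host header and path match the ugctrust.com/image.php endpoint named in the post. The capture it runs on is constructed inline; the IP addresses, ports and POST body in it are assumptions for illustration, and only the host name and path come from the thread.

```python
import socket
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Host and path are the check-in endpoint named in the post; everything else
# (addresses, ports, the POST body) is assumed for illustration.
C2_HOST = "ugctrust.com"
C2_PATH = "/image.php"


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload; checksums left at zero (the parser ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1358700000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield link-layer frames from a classic pcap (either byte order)."""
    (magic,) = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """(src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IP header length, honours options
    (ip_total,) = struct.unpack("!H", frame[16:18])
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4               # TCP header length, honours options
    return src, sport, dst, dport, frame[t + data_off:14 + ip_total]


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Split an HTTP request into (method, uri, headers, body); None if it is not a request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("ascii", "replace")] = v.strip().decode("ascii", "replace")
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), headers, body


def find_checkins(pcap: bytes, host: str = C2_HOST, path: str = C2_PATH) -> List[dict]:
    """Every HTTP request in the capture whose Host header and URI path match the C2 endpoint."""
    hits = []
    for frame in iter_frames(pcap):
        seg = tcp_payload(frame)
        if not seg or not seg[4]:
            continue
        req = parse_http_request(seg[4])
        if not req:
            continue
        method, uri, headers, body = req
        if headers.get("host", "").lower() == host and uri.split("?", 1)[0] == path:
            hits.append({"src": seg[0], "dst": f"{seg[2]}:{seg[3]}", "method": method,
                         "uri": uri, "body_len": len(body)})
    return hits


# Constructed capture: one check-in to the endpoint from the thread and one unrelated request.
CHECKIN = (b"POST /image.php HTTP/1.1\r\nHost: ugctrust.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 10\r\n\r\nid=assumed")
OTHER = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_PCAP = build_pcap([build_frame("10.0.0.5", "203.0.113.10", 49152, 80, CHECKIN),
                          build_frame("10.0.0.5", "203.0.113.20", 49153, 80, OTHER)])

if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_PCAP):
        print(hit)
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of the pcap file; requests split across several TCP segments will not be reassembled by this parser, so a check-in whose request line and Host header land in different segments will be missed, which is the usual reason to fall back on a full TCP reassembler for large captures.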

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by unixfreaxjp » Fri Jan 25, 2013 9:20 pm

Userbased wrote:
unixfreaxjp wrote:
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
May I use this for shutdown purposes?

Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by Userbased » Sat Jan 26, 2013 3:44 am

unixfreaxjp wrote:
Userbased wrote:
unixfreaxjp wrote: Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
May I use this for shutdown purposes?
Go right ahead. That's why I posted it.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by bsteo » Wed Jan 30, 2013 8:19 am

Wondering if anybody has seen the latest Andromeda "update" binaries in the wild, latest version: v07 (sic!)


TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

New USB Exploit malware

Post by TwinHeadedEagle » Sat Feb 16, 2013 5:55 pm

I need the malware with the following SHA256:

8685bfe336556303a87715fdc2b4aa8a0293c36b1e3d94fda7019e0df0432a11

It's fresh, MCShield cleaned it...

https://www.virustotal.com/en/file/8685 ... 361029122/

Thanks

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: New USB Exploit malware

Post by Xylitol » Sat Feb 16, 2013 7:09 pm

attached

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Desktop.ini

Post by TwinHeadedEagle » Tue Feb 19, 2013 6:19 pm

Need the desktop.ini with this SHA256

c7bd252296272693d8ad658295de6ca89c6c0dd42c054ebb58f571aad1d8cc1f

and this MD5

d80c46bac5f9df7eb83f46d3f30bf426

https://www.virustotal.com/en/file/c7bd ... /analysis/

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Desktop.ini

Post by Xylitol » Wed Feb 20, 2013 2:48 am

And why do you need this?
