Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.

Re: Backdoor Andromeda (alias Gamarue)

Postby EP_X0FF » Tue Mar 12, 2013 12:07 pm

Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/

%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe


Credits to markusg.

Re: Backdoor Andromeda (alias Gamarue)

Postby r3shl4k1sh » Tue Mar 12, 2013 6:39 pm

EP_X0FF wrote:Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/

%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe


Credits to markusg.


This bot uses IRC to connect (AFAIK Andromeda usually uses other type of connection).

server:
206.41.117.126:2201

Re: Backdoor Andromeda (alias Gamarue)

Postby EP_X0FF » Wed Mar 13, 2013 1:15 am

r3shl4k1sh wrote:
EP_X0FF wrote:Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/

%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe


Credits to markusg.


This bot uses IRC to connect (AFAIK Andromeda usually uses other type of connection).

server:
206.41.117.126:2201



That's an old or different build of Andromeda, variant "I". In this thread, mostly the "F" variant is attached. Analyze code, not how and where it connects.

Usual Andromeda encrypted strings related to AntiVM/SandboxIE.

Code:
Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД …А…©  З…|юяя    j h.dllhpi32hadva‹ДPяUи‰EАѓД…А„Y  hѕ<л‡яuАимъяя‰EФ…А„A  hG1ћяuАиФъяя‰EР…А„)  hRzСҐяuАијъяя‰EМ…А„  hnum hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst


This

Code:
Uии    sbiedll.dllя^юF VяUШюN …А…b  и
   advapi32.dllя^юF VяUм‰EДюN …А„  hУz:БяuДиЮщяя‰EФ…А„я   hю­9°яuДиЖщяя‰EР…А„з   h5)©яuДи®щяя‰EМ…А„П   и,   system\currentcontrolset\services\disk\enum


And many other similarities.
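The decrypted strings EP_X0FF shows point at two well-known sandbox/VM checks: the name of Sandboxie's hook DLL (sbiedll.dll) and the registry path SYSTEM\CurrentControlSet\Services\Disk\Enum, whose numbered values hold the device IDs of the attached disks. The following is an added example, not code from the thread or from Andromeda: the same checks re-implemented as plain analyst-side logic so it is clear what the loader is testing for. The vendor substrings in VM_MARKERS are an assumption (the post shows the key being read, not the list it is compared against), and all sample inputs are constructed.

```python
"""Added example, not code from the thread: the two sandbox/VM checks that
the decrypted strings in EP_X0FF's post point to (the Sandboxie DLL name
and the Disk\\Enum registry path), re-implemented as analyst-side logic.
VM_MARKERS is an ASSUMPTION: the post shows the key being read, not the
values compared against. Sample inputs are constructed."""
import sys

# ASSUMED comparison set; Disk\Enum device IDs of common VMs contain these.
VM_MARKERS = ("vbox", "virtual", "vmware", "qemu", "xen")

# String recovered in the post: Sandboxie's user-mode hook DLL, which is
# injected into every sandboxed process, so its mere presence is the tell.
SANDBOXIE_DLL = "sbiedll.dll"

# Registry path recovered in the post.
DISK_ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"


def disk_enum_looks_virtual(enum_values):
    """Return the first VM marker found in the Disk\\Enum value strings
    (the device IDs of the attached disks), or None on a physical box."""
    for value in enum_values:
        lowered = value.lower()
        for marker in VM_MARKERS:
            if marker in lowered:
                return marker
    return None


def sandboxie_loaded(loaded_modules):
    """True if sbiedll.dll is among the process's loaded modules; the loader
    asks for it by name, which is why the name appears in the strings."""
    return any(m.lower().endswith(SANDBOXIE_DLL) for m in loaded_modules)


def read_disk_enum():
    """Read the live Disk\\Enum values on Windows; [] elsewhere, so the rest
    of the module still runs against the constructed data below."""
    if sys.platform != "win32":
        return []
    import winreg  # the loader reaches the same API through advapi32.dll
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = value count
            name, data, _ = winreg.EnumValue(key, i)
            if name.isdigit():  # "0", "1", ... hold device IDs; "Count" does not
                values.append(str(data))
    return values


# Constructed samples in the format Windows uses for these values.
SAMPLE_VBOX_ENUM = [
    r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1234abcd&0&0.0.0"]
SAMPLE_PHYSICAL_ENUM = [
    r"IDE\DiskWDC_WD5000AAKS-00V1A0___________________05.01D05\5&2b1a&0&0.0.0"]
SAMPLE_MODULES = [r"C:\WINDOWS\system32\kernel32.dll",
                  r"C:\Program Files\Sandboxie\SbieDll.dll"]

if __name__ == "__main__":
    live = read_disk_enum() or SAMPLE_VBOX_ENUM
    print("Disk\\Enum VM marker:", disk_enum_looks_virtual(live))
    print("Sandboxie DLL present:", sandboxie_loaded(SAMPLE_MODULES))
```

When building an analysis VM for samples like this, these are exactly the two things to hide: rename or patch the disk device IDs so the Disk\Enum values carry no vendor string, and do not run the sample under Sandboxie if the goal is to reach the payload stage.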

Re: Backdoor Andromeda (alias Gamarue)

Postby Blaze » Mon Mar 18, 2013 11:05 am

Another one. Story here:
https://www.abuse.ch/?p=5227

Value created:
Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run     SunJavaUpdateSched     C:\Documents and Settings\All Users\svchost.exe
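Both EP_X0FF's first post and Blaze's registry dump show the same persistence pattern: a Run value named SunJavaUpdateSched (the name the genuine Java Update Scheduler uses for jusched.exe) pointing at a svchost.exe copied to %ALLUSERSPROFILE%. The following is an added example, not code from the thread: a small triage routine over Run-key entries that flags that pattern. The environment mapping and the Run entries it runs against are constructed; the only real-world facts it relies on are that the legitimate svchost.exe lives in the system directories and that SunJavaUpdateSched normally points at jusched.exe.

```python
"""Added example (not from the thread): triage of Run-key autostart entries
against the persistence pattern reported above (value SunJavaUpdateSched
pointing at a svchost.exe dropped in %ALLUSERSPROFILE%). The environment
and the Run entries below are constructed sample data."""
import ntpath
import re

# The real svchost.exe lives only here (SysWOW64 on 64-bit Windows).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# The legitimate Java updater that normally owns the SunJavaUpdateSched value.
JAVA_UPDATER = "jusched.exe"


def expand(command, env):
    """Expand %NAME% references with the supplied mapping (done by hand so
    the check also runs against a Windows image from a non-Windows host)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)),
                  command)


def executable_of(command):
    """Pull the executable path out of a Run command line. Run values are
    often unquoted even when the path has spaces (see Blaze's dump above),
    so cut after the first '.exe' rather than at the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx != -1 else command.split(" ")[0]


def classify_run_entry(name, command, env):
    """Return the reasons an autostart entry matches this persistence
    pattern; an empty list means nothing matched."""
    exe = executable_of(expand(command, env)).lower()
    directory, base = ntpath.split(exe)
    reasons = []
    if base == "svchost.exe" and directory not in SYSTEM_DIRS:
        reasons.append("svchost.exe outside a system directory: " + exe)
    if directory == env.get("ALLUSERSPROFILE", "").lower():
        reasons.append("autostart binary dropped directly in %ALLUSERSPROFILE%")
    if name.lower() == "sunjavaupdatesched" and base != JAVA_UPDATER:
        reasons.append("SunJavaUpdateSched points at " + base
                       + " instead of " + JAVA_UPDATER)
    return reasons


def triage(entries, env):
    """Map each suspicious (name, command) pair to its list of reasons."""
    flagged = {}
    for name, command in entries:
        reasons = classify_run_entry(name, command, env)
        if reasons:
            flagged[(name, command)] = reasons
    return flagged


# Constructed sample data modelled on the Windows XP paths in the thread.
SAMPLE_ENV = {
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
    "WINDIR": r"C:\WINDOWS",
}
SAMPLE_RUN_ENTRIES = [
    ("SunJavaUpdateSched", r"%ALLUSERSPROFILE%\svchost.exe"),
    ("SunJavaUpdateSched", r"C:\Documents and Settings\All Users\svchost.exe"),
    ("SunJavaUpdateSched",
     r"C:\Program Files\Common Files\Java\Java Update\jusched.exe"),
    ("Sidebar", r"%WINDIR%\system32\sidebar.exe /autoRun"),
]

if __name__ == "__main__":
    for (name, command), reasons in triage(SAMPLE_RUN_ENTRIES, SAMPLE_ENV).items():
        print(name, "=", command)
        for reason in reasons:
            print("   ", reason)
```

On a live host the entries would come from HKLM and HKCU ...\CurrentVersion\Run (and the RunOnce keys) via winreg; the classification itself does not depend on where the list came from, which is what makes it usable on a mounted image as well.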

Re: Backdoor Andromeda (alias Gamarue)

Postby rough_spear » Tue Mar 19, 2013 12:55 pm

Hi All, :D

Here are two more samples, low detection.

44ff2421bbd7918c6ad68da4fa276e02

VT link - https://www.virustotal.com/en/file/8909 ... /analysis/

5 / 45

bc76bd7b332aa8f6aedbb8e11b7ba9b6

VT link - https://www.virustotal.com/en/file/9535 ... /analysis/

1 / 45

Regards,

rough_spear. ;)

Re: Backdoor Andromeda (alias Gamarue)

Postby aaSSfxxx » Wed Mar 20, 2013 7:00 pm

EP_X0FF wrote:That's an old or different build of Andromeda, variant "I". In this thread, mostly the "F" variant is attached. Analyze code, not how and where it connects.

Usual Andromeda encrypted strings related to AntiVM/SandboxIE.

Code:
Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД …А…©  З…|юяя    j h.dllhpi32hadva‹ДPяUи‰EАѓД…А„Y  hѕ<л‡яuАимъяя‰EФ…А„A  hG1ћяuАиФъяя‰EР…А„)  hRzСҐяuАијъяя‰EМ…А„  hnum hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst


This

Code:
Uии    sbiedll.dllя^юF VяUШюN …А…b  и
   advapi32.dllя^юF VяUм‰EДюN …А„  hУz:БяuДиЮщяя‰EФ…А„я   hю­9°яuДиЖщяя‰EР…А„з   h5)©яuДи®щяя‰EМ…А„П   и,   system\currentcontrolset\services\disk\enum


And many other similarities.


I had a look at this sample, and I guess this is the new version of Andromeda: this sample has some anti-debug/disassembly tricks that were not present in the "usual" sample, and the code which launches the injector is in a SEH handler (triggered by the "or word ptr [eax+46h], 80h"). To get the real payload (not the loader), start the malware in OllyDbg and set EIP to 00401AA2.

Then, there are some differences in the compressed payload: the RC4 decryption key is now before the payload size and memory size, but compression is still done with jCalg1 (a variant of aplib), and API calls in the payload are obfuscated to make the malware more difficult to reverse (the malware copies the first instruction into its memory space and then jumps to API+next_instruction to fuck up OllyDbg).

Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this in my blog :)). And there are more anti-debug tricks, which makes me believe it's a new version of Andromeda instead of an older one.
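aaSSfxxx describes the payload container as an RC4 key followed by the payload size and the memory (decompressed) size, then the RC4-encrypted, jCalg1-compressed body. The following is an added example, not code from the thread or from the malware: a parser for a container in that order, with the field widths (16-byte key, two little-endian uint32 sizes) stated as assumptions since the post gives only the order. RC4 is implemented in full; jCalg1/aplib decompression is not, so the constructed sample stores its body uncompressed and both sizes are equal. The fake PE stub used as the body is constructed too.

```python
"""Added example, not code from the thread or from Andromeda: a parser for
the payload container aaSSfxxx describes (RC4 key, then payload size and
in-memory size, then the RC4-encrypted, jCalg1-compressed body).
ASSUMPTIONS for illustration: 16-byte key, two little-endian uint32 sizes.
The decompressor is not implemented; the constructed sample keeps its body
uncompressed, so payload_size == mem_size there."""
import struct

KEY_LEN = 16                   # assumed key width
HEADER = struct.Struct("<II")  # payload_size, mem_size (assumed widths)


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric, so it encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_container(key, body, mem_size=None):
    """Construct a container in the assumed layout (used for the sample)."""
    if mem_size is None:
        mem_size = len(body)           # uncompressed body: sizes are equal
    return key + HEADER.pack(len(body), mem_size) + rc4(key, body)


def parse_container(blob):
    """Return (payload_size, mem_size, decrypted_body), or raise ValueError
    when the header does not describe the bytes actually present."""
    if len(blob) < KEY_LEN + HEADER.size:
        raise ValueError("blob shorter than key + header")
    key = blob[:KEY_LEN]
    payload_size, mem_size = HEADER.unpack_from(blob, KEY_LEN)
    body = blob[KEY_LEN + HEADER.size:]
    if len(body) < payload_size:
        raise ValueError("truncated: header claims %d bytes, %d present"
                         % (payload_size, len(body)))
    if mem_size < payload_size:
        # mem_size is what the loader allocates for the decompressed image;
        # a compressed body can never be larger than its decompressed form.
        raise ValueError("mem_size smaller than payload_size")
    return payload_size, mem_size, rc4(key, body[:payload_size])


def looks_like_pe(data):
    """Sanity check after decryption (and, in real samples, decompression):
    'MZ' at offset 0 and e_lfanew pointing at the 'PE\\0\\0' signature."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: a minimal fake PE stub so looks_like_pe() has a target.
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_BODY = (b"MZ" + b"\x00" * 0x3A            # DOS header up to e_lfanew
               + struct.pack("<I", 0x40)          # e_lfanew = 0x40
               + b"PE\x00\x00" + b"\x00" * 16)    # NT signature + padding
SAMPLE_BLOB = build_container(SAMPLE_KEY, SAMPLE_BODY)

if __name__ == "__main__":
    size, mem, body = parse_container(SAMPLE_BLOB)
    print("payload_size=%d mem_size=%d pe=%s" % (size, mem, looks_like_pe(body)))
```

Against a real sample the body handed back by parse_container() still has to go through a jCalg1/aplib decompressor, and the result should be mem_size bytes long; a mismatch there is the quickest sign that the assumed header widths or order are wrong for the build at hand.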

Re: Backdoor Andromeda (alias Gamarue)

Postby r3shl4k1sh » Thu Mar 21, 2013 12:36 pm

aaSSfxxx wrote:
Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this in my blog :)). And there are more anti-debug tricks, which makes me to believe it's a new version of andromeda instead of an older one.


I think you are right in your assumption that this sample is actually a new version.

when i wrote that:

r3shl4k1sh wrote:
This bot uses IRC to connect (AFAIK Andromeda usually uses other type of connection).

server:
206.41.117.126:2201


I had a problem in my Cuckoo sandbox: it didn't shut down properly in a previous analysis, and the results of the previous analysis merged with the analysis of this sample, hence I thought that this bot uses IRC.

Re: Backdoor Andromeda (alias Gamarue)

Postby aaSSfxxx » Tue Mar 26, 2013 6:57 pm

As promised, I wrote an article about this sample (which is really an Andromeda 2.07 sample), which you can read here: http://aassfxxx.infos.st/article22/andr ... 7-analysis (feel free to ask me questions here or in the comments on this article ;) ).

In this version, nothing really new, just some funny anti-reversing tricks added by the malware author :).

Re: Backdoor Andromeda (alias Gamarue)

Postby EP_X0FF » Wed Mar 27, 2013 2:43 am

One more Andromeda, found in VT trash.

SHA256: 078e0e8b3e98103a77d0e1b8dbe984d69ed05e4c22d2d82cec3891b73ee34aa9
SHA1: 9b1950ced92dd4226c19bc5c5f2afd22e8b42c17
MD5: 0ffda65e7a0f3b4b50ba3b8c78fc8726

https://www.virustotal.com/en/file/078e0e8b3e98103a77d0e1b8dbe984d69ed05e4c22d2d82cec3891b73ee34aa9/analysis/

Re: Backdoor Andromeda (alias Gamarue)

Postby ebfe » Sat Mar 30, 2013 9:58 pm

Hi, I analyzed the sample from this post:
http://www.kernelmode.info/forum/viewtopic.php?p=18497#p18497

And wrote a blog post about it; if you are interested, please read it here: http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/
