Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Tue Mar 12, 2013 12:07 pm

Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/
%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe
Credits to markusg.
Ring0 - the source of inspiration

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Backdoor Andromeda (alias Gamarue)

Post by r3shl4k1sh » Tue Mar 12, 2013 6:39 pm

EP_X0FF wrote:Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/
%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe
Credits to markusg.
This bot uses IRC to connect (AFAIK Andromeda usually uses another type of connection).

server:
206.41.117.126:2201

EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Wed Mar 13, 2013 1:15 am

r3shl4k1sh wrote:
EP_X0FF wrote:Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/
%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe
Credits to markusg.
This bot uses IRC to connect (AFAIK Andromeda usually uses another type of connection).

server:
206.41.117.126:2201

That's an old or different build of Andromeda, variant "I". In this thread mostly the "F" variant is attached. Analyze the code, not how and where it connects.

Usual Andromeda encrypted strings related to AntiVM/SandboxIE.

Code:

Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД…А…©  З…|юяя    j h.dllhpi32hadva‹ДPяUи‰EАѓД…А„Y  hѕ<л‡яuАимъяя‰EФ…А„A  hG1ћяuАиФъяя‰EР…А„)  hRzСҐяuАијъяя‰EМ…А„  hnum hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
This

Code:

Uии   sbiedll.dllя^юFVяUШюN…А…b  и
   advapi32.dllя^юFVяUм‰EДюN…А„  hУz:БяuДиЮщяя‰EФ…А„я   hю­9°яuДиЖщяя‰EР…А„з   h5)©яuДи®щяя‰EМ…А„П   и,   system\currentcontrolset\services\disk\enum
And many other similarities.
Ring0 - the source of inspiration

Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: Backdoor Andromeda (alias Gamarue)

Post by Blaze » Mon Mar 18, 2013 11:05 am

Another one. Story here:
https://www.abuse.ch/?p=5227

Value created:

Code:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    SunJavaUpdateSched    C:\Documents and Settings\All Users\svchost.exe
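The persistence value reported in EP_X0FF's first post and in Blaze's post (a Run value named SunJavaUpdateSched pointing at svchost.exe under %ALLUSERSPROFILE%) can be checked for on a host with a small script. The following is an added example, not code from the thread or from any of the posters; the Run-key listing and the environment values are constructed so it runs offline.

```python
"""Flag Run-key entries whose image is svchost.exe living outside the
Windows system directories, the pattern this thread reports for
Andromeda. Added example; sample entries are constructed."""
import ntpath

# Directories where a legitimate svchost.exe lives (lowercase, expanded).
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed Run-key listing: (value name, command line). The first two
# entries mirror the value reported in the thread; the rest are benign.
SAMPLE_RUN_ENTRIES = [
    ("SunJavaUpdateSched", r"C:\Documents and Settings\All Users\svchost.exe"),
    ("SunJavaUpdateSched", r"%ALLUSERSPROFILE%\svchost.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("SunJavaUpdateSched", r'"C:\Program Files\Java\jre7\bin\jusched.exe"'),
]

# Constructed environment; on a real host this would come from the OS.
SAMPLE_ENV = {"ALLUSERSPROFILE": r"C:\Documents and Settings\All Users"}


def _expand(path, env):
    """Expand %VAR% references using the supplied environment mapping."""
    for var, value in env.items():
        path = path.replace(f"%{var}%", value)
    return path


def _image_path(cmdline):
    """Keep only the executable part of a Run value (drop quotes/arguments)."""
    s = cmdline.strip().strip('"')
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx != -1 else s


def suspicious_run_entries(entries, env):
    """Return (value name, expanded image path) for every entry whose image
    is svchost.exe located anywhere but System32/SysWOW64."""
    hits = []
    for name, cmdline in entries:
        path = _expand(_image_path(cmdline), env)
        directory, image = ntpath.split(path)
        if image.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS:
            hits.append((name, path))
    return hits
```

On a live system the listing would be read from HKLM and HKCU ...\CurrentVersion\Run (the thread only shows the HKLM value).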

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Backdoor Andromeda (alias Gamarue)

Post by rough_spear » Tue Mar 19, 2013 12:55 pm

Hi All, :D

Here are two more samples, low detection.

44ff2421bbd7918c6ad68da4fa276e02

VT link - https://www.virustotal.com/en/file/8909 ... /analysis/

5 / 45

bc76bd7b332aa8f6aedbb8e11b7ba9b6

VT link - https://www.virustotal.com/en/file/9535 ... /analysis/

1 / 45

Regards,

rough_spear. ;)

aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by aaSSfxxx » Wed Mar 20, 2013 7:00 pm

EP_X0FF wrote: That's an old or different build of Andromeda, variant "I". In this thread mostly the "F" variant is attached. Analyze the code, not how and where it connects.

Usual Andromeda encrypted strings related to AntiVM/SandboxIE.

Code:

Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД…А…©  З…|юяя    j h.dllhpi32hadva‹ДPяUи‰EАѓД…А„Y  hѕ<л‡яuАимъяя‰EФ…А„A  hG1ћяuАиФъяя‰EР…А„)  hRzСҐяuАијъяя‰EМ…А„  hnum hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
This

Code:

Uии   sbiedll.dllя^юFVяUШюN…А…b  и
   advapi32.dllя^юFVяUм‰EДюN…А„  hУz:БяuДиЮщяя‰EФ…А„я   hю­9°яuДиЖщяя‰EР…А„з   h5)©яuДи®щяя‰EМ…А„П   и,   system\currentcontrolset\services\disk\enum
And many other similarities.
I had a look at this sample, and I guess this is the new version of Andromeda: this sample has some anti-debug/disassembly tricks that were not present in the "usual" sample, and the code which launches the injector is in a SEH handler (triggered by the "or word ptr [eax+46h], 80h"). To get the real payload (not the loader), start the malware in OllyDbg and set EIP to 00401AA2.

Then, there are some differences in the compressed payload: the RC4 decryption key is now before the payload size and memory size, but compression is still done with jCalg1 (variant of aplib), and API calls in the payload are obfuscated to make the malware more difficult to reverse (the malware copies the first instruction into its memory space and then jumps to API+next_instruction to fuck up OllyDBG).

Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this in my blog :)). And there are more anti-debug tricks, which makes me believe it's a new version of Andromeda instead of an older one.
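The container layout aaSSfxxx describes above (RC4 key first, then the payload size and the memory size, then the RC4-encrypted and jCalg1-compressed payload) can be split and decrypted with a short parser. This is an added example, not the poster's or the malware's code; the 16-byte key length and the two 32-bit little-endian size fields are assumptions not stated in the thread, the sample blob is constructed, and the jCalg1 decompression step is left out.

```python
"""Split an RC4-key + sizes + body container and decrypt the body.
Added example. Assumed layout (not from the thread): 16-byte RC4 key,
then uint32 LE payload_size and memory_size, then the encrypted body."""
import struct

KEY_LEN = 16          # assumption: key length is not given in the thread
HEADER_FMT = "<II"    # assumption: payload_size, memory_size as uint32 LE
HEADER_LEN = struct.calcsize(HEADER_FMT)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypting and decrypting are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_container(blob: bytes):
    """Return (payload_size, memory_size, decrypted body). The body is still
    jCalg1-compressed; memory_size is the size it decompresses to."""
    if len(blob) < KEY_LEN + HEADER_LEN:
        raise ValueError("blob too short for key + header")
    key = blob[:KEY_LEN]
    payload_size, memory_size = struct.unpack_from(HEADER_FMT, blob, KEY_LEN)
    body = blob[KEY_LEN + HEADER_LEN:]
    if len(body) != payload_size:
        raise ValueError(f"payload_size {payload_size} != body length {len(body)}")
    if memory_size < payload_size:
        raise ValueError("memory_size smaller than the compressed payload")
    return payload_size, memory_size, rc4(key, body)


def build_container(key: bytes, compressed: bytes, memory_size: int) -> bytes:
    """Constructed fixture builder: the inverse of parse_container."""
    return key + struct.pack(HEADER_FMT, len(compressed), memory_size) + rc4(key, compressed)


# Constructed sample; the body stands in for a jCalg1-compressed PE.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_COMPRESSED = b"MZ stand-in for a jCalg1-compressed payload"
SAMPLE_BLOB = build_container(SAMPLE_KEY, SAMPLE_COMPRESSED, 0x10000)
```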

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Backdoor Andromeda (alias Gamarue)

Post by r3shl4k1sh » Thu Mar 21, 2013 12:36 pm

aaSSfxxx wrote:
Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this in my blog :)). And there are more anti-debug tricks, which makes me believe it's a new version of Andromeda instead of an older one.
I think you are right in your assumption that this sample is actually a new version.

When I wrote that:
r3shl4k1sh wrote:
This bot uses IRC to connect (AFAIK Andromeda usually uses another type of connection).

server:
206.41.117.126:2201
I had a problem with my Cuckoo sandbox: it didn't shut itself down properly in a previous analysis, and the results of that analysis merged with the analysis of this sample, hence I thought that this bot uses IRC.

aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by aaSSfxxx » Tue Mar 26, 2013 6:57 pm

As promised, I wrote an article about this sample (which is really an Andromeda 2.07 sample) which you can read here: http://aassfxxx.infos.st/article22/andr ... 7-analysis (feel free to ask me questions here or in the comments on the article ;) ).

In this version, nothing really new, just some funny anti-reversing tricks added by the malware author :).

EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Wed Mar 27, 2013 2:43 am

One more Andromeda, found in VT trash.

SHA256: 078e0e8b3e98103a77d0e1b8dbe984d69ed05e4c22d2d82cec3891b73ee34aa9
SHA1: 9b1950ced92dd4226c19bc5c5f2afd22e8b42c17
MD5: 0ffda65e7a0f3b4b50ba3b8c78fc8726

https://www.virustotal.com/en/file/078e ... /analysis/
Ring0 - the source of inspiration

ebfe
Posts: 6
Joined: Fri Mar 29, 2013 10:24 am

Re: Backdoor Andromeda (alias Gamarue)

Post by ebfe » Sat Mar 30, 2013 9:58 pm

Hi, I analyzed the sample from this post:
http://www.kernelmode.info/forum/viewto ... 497#p18497

and wrote a blog post about it; if you are interested, please read it here: http://www.0xebfe.net/blog/2013/03/30/f ... andromeda/
