Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Backdoor Andromeda (alias Gamarue)

Post by rough_spear » Wed Apr 03, 2013 8:18 am

Hi All,

One more sample in the wild.

Dropper. Low detection.

MD5 - A11B7DEC0A997DFB0FE63979C2FEF639

VT link - https://www.virustotal.com/en/file/160d ... /analysis/

8 / 44

Dropped file md5 list.

F3BD9F6300AB86B917A308BEC5EF9FC3
A30E86828A5A724E0D471C98140ED1E3
EC2ECBACC7645942CC18FCEEF506A9DD

Regards,

rough_spear. ;)

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Backdoor Andromeda (alias Gamarue)

Post by rough_spear » Mon Apr 08, 2013 6:43 pm

Hi All,

Bunch of Gamarue samples.

List of MD5s:

3B84A54AF86CE34C01C566E0598890DD
8B1FE210134BC965E85D3923DB1F8DB4
9AE4F2B681420AF3681E780F22FDFC9F
AB981DF9F4CF57FEB4DC35FA5A3AC473
B0F61529EBF6B83B99900E91BB752EF0

Regards,

rough_spear. ;)

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Backdoor Andromeda (alias Gamarue)

Post by TwinHeadedEagle » Sun Apr 14, 2013 9:17 pm

I cannot find a Gamarue sample that spreads via removable drives; can you provide me with the sample...

Thanks :)

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Tue Apr 16, 2013 3:02 pm

MAXS wrote: I cannot find a Gamarue sample that spreads via removable drives; can you provide me with the sample... Thanks :)

It is multicomponent IIRC: a DLL (~$wb.usbdrv), a shortcut (invokes usbdrv via rundll32), shellcode (desktop.ini) and a trojan dropper (thumbs.db), serving Gamarue.I as payload. In the next few days I will be processing 20-30 gigabytes of VT trash, so I can collect and attach here all the Andromedas I can find/identify if you need.
Ring0 - the source of inspiration
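The post above describes the on-disk layout of the USB-spreading variant (a DLL named ~$wb.usbdrv, a shortcut that launches it through rundll32, shellcode in desktop.ini, a dropper in thumbs.db). The following scanner is an added example, not code from the thread or from the malware: only the four file names are taken from the post; the checks it applies (a real thumbs.db is an OLE compound file, a real desktop.ini starts with a section header, a real .lnk starts with the 0x4C header-size field) and the constructed sample drive roots are assumptions made here.

```python
"""
Heuristic scan of a removable-drive root for the multi-component
Andromeda/Gamarue USB-spreading layout described in the post above:
a DLL named '~$wb.usbdrv', a .lnk shortcut that launches it through
rundll32, a 'desktop.ini' holding shellcode instead of INI text, and a
'thumbs.db' that is a dropper rather than a real thumbnail cache.

Added example, not code from the thread or from the malware. Only the
four file names come from the post; every check below and the
constructed sample layouts are assumptions made here.
"""
import os
import tempfile

DLL_NAME = "~$wb.usbdrv"
LNK_MARKERS = (b"rundll32", b"usbdrv")
# A genuine thumbs.db is an OLE compound file; a genuine .lnk starts with
# the ShellLinkHeader size field 0x4C.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LNK_MAGIC = b"\x4c\x00\x00\x00"
TEXT_PREFIX = b"\xef\xbb\xbf\xff\xfe \r\n\t"   # BOMs and whitespace allowed before '['


def _contains_any(data: bytes, markers) -> bool:
    """True if any marker occurs as ANSI or UTF-16LE text (both appear in .lnk files)."""
    low = data.lower()
    return any(m in low or m.decode("ascii").encode("utf-16-le") in low
               for m in markers)


def _read(root: str, name: str, n: int = -1) -> bytes:
    with open(os.path.join(root, name), "rb") as f:
        return f.read(n)


def scan_drive_root(root: str) -> dict:
    """Return findings for one drive root; an empty dict means nothing suspicious."""
    findings = {}
    names = {n.lower(): n for n in os.listdir(root)}

    if DLL_NAME in names:                                  # 1. the DLL component
        findings["usbdrv_dll"] = names[DLL_NAME]

    for low, orig in sorted(names.items()):                # 2. rundll32 shortcut(s)
        if low.endswith(".lnk"):
            data = _read(root, orig)
            if data.startswith(LNK_MAGIC) and _contains_any(data, LNK_MARKERS):
                findings.setdefault("rundll32_shortcuts", []).append(orig)

    if "desktop.ini" in names:                             # 3. desktop.ini that is not INI text
        head = _read(root, names["desktop.ini"], 64)
        if not head.lstrip(TEXT_PREFIX).startswith(b"["):
            findings["desktop_ini_not_ini"] = True

    if "thumbs.db" in names:                               # 4. thumbs.db that is not OLE
        if _read(root, names["thumbs.db"], 8) != OLE_MAGIC:
            findings["thumbs_db_not_ole"] = True

    return findings


def is_usb_spreader_layout(findings: dict) -> bool:
    """Verdict: the DLL plus a shortcut that launches it is the minimum infection chain."""
    return "usbdrv_dll" in findings and "rundll32_shortcuts" in findings


def build_infected_stand_in() -> str:
    """Constructed, harmless stand-in for an infected drive root (no real malware)."""
    root = tempfile.mkdtemp(prefix="usb_infected_")
    fake_pe = b"MZ" + b"\x00" * 62
    with open(os.path.join(root, DLL_NAME), "wb") as f:
        f.write(fake_pe)
    # Shortcut name and DLL export are assumptions; the argument string is what matters.
    args = "rundll32.exe ~$wb.usbdrv,EntryPoint".encode("utf-16-le")
    with open(os.path.join(root, "Removable Disk.lnk"), "wb") as f:
        f.write(LNK_MAGIC + b"\x00" * 72 + args)
    with open(os.path.join(root, "desktop.ini"), "wb") as f:
        f.write(b"\x90" * 16 + b"\xe8\x00\x00\x00\x00")   # NOP sled + call as shellcode stand-in
    with open(os.path.join(root, "thumbs.db"), "wb") as f:
        f.write(fake_pe)
    return root


def build_clean_stand_in() -> str:
    """Constructed clean drive root with the benign versions of the same file names."""
    root = tempfile.mkdtemp(prefix="usb_clean_")
    with open(os.path.join(root, "desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\nIconResource=shell32.dll,8\r\n")
    with open(os.path.join(root, "thumbs.db"), "wb") as f:
        f.write(OLE_MAGIC + b"\x00" * 56)
    return root


if __name__ == "__main__":
    for label, root in (("infected", build_infected_stand_in()),
                        ("clean", build_clean_stand_in())):
        f = scan_drive_root(root)
        print(label, f, "-> spreader layout" if is_usb_spreader_layout(f) else "-> ok")
```

Point scan_drive_root() at the root of a mounted removable drive (the shortcut the victim clicks sits in the root, next to the hidden components). The desktop.ini and thumbs.db checks alone are weak signals; the verdict function only fires on the DLL plus a shortcut that references it, which is the part of the chain a user actually has to trigger.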

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Wed Apr 17, 2013 6:34 am

@MAXS

Check them out, 120 Andromeda droppers.

SHA1


b4d5a2fed83058453d0b2ae53385dd9a36163cc4
ded3ab479327e81913a94b2aeb963864d6998d5b
093c8b27e5acb6be5cdf69954e4b2150aa82b3a6
e946ef0154f574ff27be7020a34d07c284c23ff9
f83803cb961803e73b2bb78e770eaeed68020352
ab3c1a974505f1195bbf37a91fb94aa55ceb6e1d
377702eef31fbd47f31c5d66abd3850fbe4b5338
f14425cfb6cad40f8c2553b573e3c51400804434
0344e105d75d3e455723446563cec9e442945d4b
81429320ae15bbba1c419ac4e8244fe3c4513ee8
135d905cf776d880e8e6b7634e03d5c80b10e4e2
7a25e70c458ab81ba397f49f5d4430a40d8a48a2
a1ccb3950e8503eeeaf52f9c99f6b7b9035194f0
e041e02e42a67658ad0013ab1c6243cd47c46f6f
8b4c34d9b3b99eaf692303226033001cf068d1ad
5aae873cf5d5be4a24a148615d5e152a4fb07455
1fe8b00c1c28520e76107a2212637aff96922db0
cd432f3d4b955748cc826992e14f0670c06551b3
ed79a16fdc7660a718e5fe23477559968a4cee9b
57d804150cdfc71d434aaa3eb8136217bd61190d
87ded7f466c92b8b84148161efe4b607097b7f6c
16c44751ca4cb0c6cca4d2647704f9a24e88f8c7
f4cbcc90edfde151955fd43951b784e2b6e7476e
6d60c71adf096ef59b1c374f262dfd8e2877be70
96d2eb258cb7b98d0365d52cfd7b80eddbbe5985
c3767b114cfba9cc05b619a7fa35967d167a7018
785c9916de3f11f6e6126a127ab766618fb53241
f908ba5acb99b63506578db553c1e18cc8e80136
c6e9b71e3a9aa961208afc28fc590bd629fa276d
0c871c83fa5098cc42da041d30f24defedf138cd
959e3d991dc1ad93e60c6e7be5fd1c072c0f8437
7303eb76cb77c9ac47dae9711658fd41508c7d1c
b77247930b7e6d44e3a72356df05907dc8f6edd9
02f0b940523d349bb48a25c89dd6ec1d4ec72084
0ff278969484ee617baa91efb92553e5de7cfc7d
9b7e4be0b64ca5721815ea0d11d7a986d348a2e5
48fbbcbd9f19e7e2fff3c4d04ecaf57e103e05a2
8efc6dca5c5c63054804b9f8eee15fa093f6e89b
fe49e388d42b9923770336c5ae2bb149579d1b88
c98eb88330c3637386bc46621ba8d7c5f11b144b
12721ae63c8aa132d12bac9f30e398cb35a72caa
b83b399502432894072f4b8581f998f81f0b5b85
1c6b89b4471b7cdcf57ae2be9a3521eceb2b70ae
b194155864a2b9fa4f39e285ad69b4ac95db390f
e15a8645d7fc41d768142ca28906c62d27958edb
6137eb6f97555b1ca2cbc1fae8603c063e2cc09f
4c410ecee684867c55281d9e28b1ff4843378a26
d8475db2094694b936af98f5647a303c61e30daa
4bb19f33983d35522dfd1e884c6a2f9c0570eab3
7af7b7c4780f1a6ff29134a605ffadde7a5a784e
2b1a6778ee6276405929f401e274b65364c885cc
de53ff22e11e76507bb5b3b8ea2cd00645c8395c
2527a28544eb1e838bed1ff4535baa23e637b30e
6dc15f05e54a39597b194c0cf2f124b38e77bcc4
4a4308817ae52f2067a88dff13fcfbd031481098
25214209a8989f58b0e231c6894b7d676b93c1f2
c62399d92da474e5d31be6c170621404fb5c2cf5
e5194c0330398ce8b47a3f707b88151b212ed848
e6c0c6836c77bd40d21fe5bd0e6a023cc8599b6d
a9c2841def72a6f55e59f4e9d36f6bc2d9fc8fab
7320bb94cc33375d85a5a7b81db9b975a99e7c6c
81c298848f3e9ffe034b428dcad5624a34fb166f
5f460452ce1fea9da78f52c9474440e861ac21ad
a020b2f1eadd277851d2675dc95c8a105e54017b
481b11830f3d4fb7fa15263c91cc242cd5e53a68
01986d9e32b214bfb37266792881a17d9ecf1bf1
876569694ac08436efcf240bfb7b94db474eec3b
fd5896b118ea1721cee3daea382e27e14baa5283
4937a8eefb1b4b7159b78e19fc1df830e4076a0b
ec0e16ed2111e9fdd6712c728f1cd03626f2facf
1382ed8f491eadf09f0fe3bbd664613e566c8cad
3476f44483a9fe802128a1ce487f5c67c4af5d33
d1fb8f0ca06eddca8613308d4cf6e9dcbc948801
e0efb3b4a71dd351c4c514cdffadbe6934c6de5c
0365515a6188144dba7ff934950c05a81c55a22f
2c8cd4bda786f914836fbc9b52a69f2a9438fa1b
1a39054d9592ad84f2d9350bdf8b8875bab58f25
a64fb398764dc2a6e5a1e2b542112d63b0817201
0187d1dd7213dafbabe4bc7e3f1572f7e9130212
452cd53377c2a8f8b54b31eb5a2c09e718183c31
9da9b834dea2a7264594df45816c34e3398038a8
836cd451460473dad23032689ccedfc7588e0bab
1b7edecb98cd6be1f3585a63e006f5b42ff93e4e
af12c409cc1a4756e762e140c345c53f30d541e2
0d9e753e24bae6399cd20a4f678d86d444da20e9
8652596ff6111325d032c12548abca84cf500490
992244cd43e916676697ebcd5215a585b6ceec44
675740f4059d9d771cf4a36233d0af7f780211a1
0b1daef7dc4c01165f575d69fd125ecc2beeb340
b5bc89b899e7e2cf6281a7ff50113af98abfbbac
2af376c58c8c47a901bd5c1b79437662417df18c
075973f8db055781f8fb288b7acbc11f81645619
54e53faae72fa8381c57c59d70d9120351157074
5b332d6e5618f0d8e8825494ef6fed95c1035d7f
0eb0bf66730962a9146eb0ab00327c9222e27dd2
82ec6778f742d12533a8c057e79480e0a38875f6
56ad703a89e9e92238c1a7642591b295f824b25b
128ec51754980e6e7f50d2c1c9245ca46907af63
629067c0f55997b76f58828f8e8917d332ec71d7
4151bf4206866b8d6f4d57a6925a9a4fa1cfb773
8cab2104f150077554244b8241fa8782132fdef8
2eac1f94d40b0878bc4a794274eb0275e317c039
4f9010acd8eff6b8101f01d8c05bd6e7c1ef783c
00b69e1f0e2f53cdd456f15995650a7e77f4b6d3
638edbe66549052637dde50b76d1a662ee93d490
888c22e23c5772b6726e273e257b2c14839195fe
03aba589546a163230faa1ebfa90111ce33ba1dc
950208e4c1bc81d0f786a41333b3b2c0b9f94e21
31c3fa9f7c5fb5642089eeea93838afb24d85725
2a239acb3c5111fa48a8749a0de18cdf8867ede4
2a23684393e142e4e5b81052b3ce7ef7223e66d5
2a03de4af9a43d4e3407c69c5d7fab05a604d417
9f39129dcb2b171dd358f14178ed2c84c83b7603
15da6ad181fdbb4b3c7b5db1950d52e0ab30058c
27f58ac8c6231d4ab31c4886f210b25fbdd54b59
23fa42e860c9dd7127eaabb186379ce5da29f397
05446526f46e11b865a2a276de2b20fd1a38e998
20648d45b4bf1ad0966fffd9888c81b39026d97e
0026e8e5656d2f55c91ad6fa0156ff5efaf38834
0c71b6d5d6eb12f82c58c0ce1da8d0c3b1b318b9
Ring0 - the source of inspiration
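The thread's posts are mostly hash lists pasted between chatter lines. The following matcher is an added example, not code from the thread: it pulls MD5/SHA1 digests out of such a pasted list, hashes every file under a directory once for both algorithms and reports matches. The embedded POSTED_LIST is a few lines copied from the posts above (chatter kept on purpose); the demo files it scans are constructed here and are not samples from the thread.

```python
"""
Match files on disk against the MD5/SHA1 lists posted in this thread.
Added example, not part of the thread: it normalizes a pasted list
(chatter lines such as '8 / 44' or 'Regards,' are skipped), classifies
each hash by length, hashes every file once for both algorithms and
reports hits per algorithm.
"""
import hashlib
import os
import re
import tempfile

# A few lines copied from the posts above, with the surrounding chatter kept
# on purpose to show that the parser ignores it.
POSTED_LIST = """
Dropper. Low detection.
MD5 - A11B7DEC0A997DFB0FE63979C2FEF639
8 / 44
Dropped file md5 list.
F3BD9F6300AB86B917A308BEC5EF9FC3
A30E86828A5A724E0D471C98140ED1E3
EC2ECBACC7645942CC18FCEEF506A9DD
SHA1
b4d5a2fed83058453d0b2ae53385dd9a36163cc4
ded3ab479327e81913a94b2aeb963864d6998d5b
Regards,
"""

HEX = re.compile(r"^[0-9a-f]+$")
LENGTHS = {32: "md5", 40: "sha1"}


def parse_ioc_list(text: str) -> dict:
    """Return {'md5': set, 'sha1': set} of lowercase hex digests found in free text."""
    iocs = {"md5": set(), "sha1": set()}
    for token in text.split():
        t = token.lower()
        algo = LENGTHS.get(len(t))
        if algo and HEX.match(t):
            iocs[algo].add(t)
    return iocs


def hash_file(path: str, chunk: int = 1 << 16) -> tuple:
    """One pass over the file, feeding both digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root: str, iocs: dict) -> list:
    """Walk root and return (path, algorithm, digest) for every file in the IOC set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = hash_file(path)
            except OSError:            # unreadable file: skip, do not abort the scan
                continue
            if md5 in iocs["md5"]:
                hits.append((path, "md5", md5))
            if sha1 in iocs["sha1"]:
                hits.append((path, "sha1", sha1))
    return hits


def demo() -> list:
    """Constructed demo: one benign file whose own digest is appended to the posted list."""
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed stand-in for a dropped file\n")
    other = os.path.join(root, "other.txt")
    with open(other, "wb") as f:
        f.write(b"unrelated file\n")
    _, sha1 = hash_file(sample)
    iocs = parse_ioc_list(POSTED_LIST + "\n" + sha1)
    return scan_tree(root, iocs)


if __name__ == "__main__":
    print(parse_ioc_list(POSTED_LIST))
    print(demo())
```

Paste the whole thread into POSTED_LIST (or read it from a file) and point scan_tree() at a quarantine directory; because every file is hashed once for both algorithms, the mixed MD5 and SHA1 lists in this thread can be matched in a single pass.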

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Backdoor Andromeda (alias Gamarue)

Post by TwinHeadedEagle » Wed Apr 17, 2013 6:35 am

Ok, thanks, will check them now :)

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Backdoor Andromeda (alias Gamarue)

Post by TwinHeadedEagle » Wed Apr 17, 2013 12:49 pm

I tried the majority of these samples. The infection is present on the system, but I cannot get it to spread via USB...

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Backdoor Andromeda (alias Gamarue)

Post by r3shl4k1sh » Wed Apr 17, 2013 3:26 pm

MAXS wrote: I tried the majority of these samples. The infection is present on the system, but I cannot get it to spread via USB...

It seems that you are looking for a sample like the one in this MS MPC article: http://blogs.technet.com/b/mmpc/archive ... ation.aspx

From what I can see in the article, the component that actually performs the removable drive infection is named Worm:Win32/Gamarue.N:
http://www.microsoft.com/security/porta ... /Gamarue.N

Sorry, no MD5.

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Backdoor Andromeda (alias Gamarue)

Post by TwinHeadedEagle » Thu Apr 18, 2013 11:21 am

Yes, the infection that EP_X0FF mentioned. I helped two users remove this infection, but didn't get the samples...

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Sun Apr 21, 2013 3:23 pm

Andromeda droppers.

SHA1


b210af10e9b73ca815b11abab783f1b70ca55d88
cab38e6ef21781bda3e70c40dfb0fa8eaf214842
305218538db65e9e7aaccd3346fe6ca7092f5ecd
b09af3d0d4ff0fce2b86d3c442c9f72dd68a303e
dcc32cca980925eda4a9fa878f1a8a4948a675bd
Ring0 - the source of inspiration
