Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Sun Jun 30, 2013 6:55 am

MAXS wrote: Gamarue has Anti-Emulation and Anti-VM code to detect the presence of a virtual machine. I was able to execute it on a patched VM, but can you tell me whether it has a technique to disable USB spreading when it detects a VM...
It won't start if a VM is detected.
Ring0 - the source of inspiration

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Backdoor Andromeda (alias Gamarue)

Post by TwinHeadedEagle » Sun Jun 30, 2013 7:05 am

I suppose you thought about spreading. Then how did I get to execute the malware on a VM?

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Sun Jun 30, 2013 7:09 am

MAXS wrote: I suppose you thought about spreading. Then how did I get to execute the malware on a VM?
Prepare the VM for malware analysis; what is the problem?

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Backdoor Andromeda (alias Gamarue)

Post by TwinHeadedEagle » Sun Jun 30, 2013 7:42 am

We didn't understand each other. I was able to start Gamarue under a VM, but when I plug in a USB drive, nothing happens, no spreading...

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Sun Jun 30, 2013 7:47 am

MAXS wrote: We didn't understand each other. I was able to start Gamarue under a VM, but when I plug in a USB drive, nothing happens, no spreading...
Then your particular sample does not have this USB spreading feature.

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Gamarue

Post by TwinHeadedEagle » Sun Jun 30, 2013 8:06 am

I was able to find hashes for Gamarue samples that should spread via removable drives:

cc9bfaa5b6d6201bf6ccad0ddda29d782b5e46deea94c0a0376e945456fda614
68146d831b73e9e372d7de2897788b83506386bca6d69d7dd230d4f8f565a874
e6cbcfbfbd8cf3e40d31408ea004b8b267b9fab14c69304a1fb6506264f825c4
184957150e0dc89fcc4f1944cfc6413d1d4940dc3affff8cac35af155ca9d960

I need all four, thanks :)

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Gamarue

Post by R136a1 » Sun Jun 30, 2013 9:44 am

Attached.

dumb110
Posts: 107
Joined: Tue Jun 05, 2012 1:29 pm

Re: Backdoor Andromeda (alias Gamarue)

Post by dumb110 » Wed Jul 03, 2013 11:19 am

Some interesting Gamarue samples from USB. It uses the LNK vulnerability too. You need to unhide the hidden files.

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Backdoor Andromeda (alias Gamarue)

Post by rough_spear » Fri Jul 05, 2013 3:56 pm

Hi All, :D

15 sample files of Andromeda.

List of MD5 hashes:
Regards,

rough_spear. ;)

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (alias Gamarue)

Post by EP_X0FF » Sun Jul 07, 2013 4:17 am

Andromeda USB infection control flow.

As an example we are taking dumb110's sample.

1) The LNK triggers the first loader. In our case it is ~$WQXIND.FAT32 (internally named dll_down_exec.dll), an MSVC-compiled loader packed with UPX whose purpose is to execute the next stage;

2) The loader reads the contents of the desktop.ini file, which is actually 32-bit code, and executes it;

3) The desktop.ini code performs several actions: it decrypts the main dropper body from the file Thumbs.db, saves it on disk in the temp folder as TrustedInstaller.exe and then executes it;

4) TrustedInstaller is the core component of the infection (https://www.virustotal.com/en/file/8cc8 ... 373170005/). It is another complex Andromeda loader stage (T:\ldr\CUSTOM\local\local\Release\ADropper.pdb). Its purpose is to install the actual payload (https://www.virustotal.com/en/file/5848 ... /analysis/) and the USB infection DLL (T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb), which is stored as an encrypted key in the registry under HKCU\Software, key ImageBase. Worm65.dll contains inside it the loader from the first stage and all the data required for USB infection.

Code:

h t t p : / / s u c k m y c o c k l a m e a v i n d u s t r y . i n /   IsWow64Process  k e r n e l 3 2         S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ E x p l o r e r \ A d v a n c e d   S h o w S u p e r H i d d e n   H i d d e n     S h e l l _ T r a y W n d       0   S o f t w a r e     I m a g e B a s e   . e x e     . b a t     . v b s     . p i f     . c m d     % s \ *     .   . .     % s \ % s   B a c k u p .   % s . e x e     % s % s         ~ $ W   . L N K     . I N F     . I N I     T h u m b s . d b   L a u n c h U 3 . e x e     \ *     \   d e s k t o p . i n i   a u t o r u n . i n f   NtQuerySystemInformation    n t d l l   NtQueryObject   % s \   GetDiskFreeSpaceExW k e r n e l 3 2 . d l l     % s \ D C I M   % s \ W i n d o w s     % s \       % s \ d e s k t o p . i n i     % s \ ~ $ W % s . F A T 3 2     % s \ T h u m b s . d b         ~ $ W % s . F A T 3 2 , _ l d r @ 1 6   d e s k t o p . i n i   R E T   T L S   "   "   % s \ M y   R e m o v a b l e   D e v i c e   ( % I 6 4 u G B ) . l n k     s h e l l 3 2 . d l l   r u n d l l 3 2     % s \ % s   ( % I 6 4 u G B ) . l n k   ABCDEFGHIJKLMNOPQRSTUVWXYZ  % c : \     % s a u t o r u n . i n f 
Note the message to the AV industry in Andromeda from the script-kiddie author, maybe wahoo, idgaf anyway;

5) The end of the cycle: if a removable drive is found, it is infected/reinfected with the encrypted data read from the registry and written to the file "thumbs.db", and the binary file with 32-bit code is written to "desktop.ini", together with the loader DLL and a shortcut.

@borgir

Now find here "rdtsc", "sandbox" and the other BS you posted previously.
Your posts have been removed as they make no sense. Furthermore, stay away from posting BS just because you want to look cool while you actually look like an idiot.
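As an added detection example for the removable-drive artifact set EP_X0FF walks through above (this is not code from the thread, the malware, or any tool it names): a Python scan of a drive's root for the ~$W*.FAT32 loader DLL, a desktop.ini that is not a real INI file, a Thumbs.db, and a .lnk that invokes rundll32. The fixture contents, the "8GB" in the shortcut name and the "desktop.ini must open with a [Section] header" check are constructed assumptions, and the combined verdict is a heuristic, not a signature.

```python
import re
import tempfile
from pathlib import Path

# Loader DLL name pattern from the sample discussed above: ~$W<random>.FAT32
LOADER_RE = re.compile(r"^~\$W.*\.FAT32$", re.IGNORECASE)

def lnk_launches_rundll32(lnk_path: Path) -> bool:
    """True if the shortcut's raw bytes reference rundll32 (ASCII or UTF-16LE)."""
    data = lnk_path.read_bytes().lower()
    return b"rundll32" in data or "rundll32".encode("utf-16-le") in data

def looks_like_ini(path: Path) -> bool:
    """Assumption: a genuine desktop.ini is text opening with a [Section] header; a code blob is not."""
    head = path.read_bytes()[:64].lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate BOM and whitespace
    return head.startswith(b"[")

def scan_removable_root(root) -> dict:
    """Report the artifact set described in the thread plus a combined (heuristic) verdict."""
    files = [p for p in Path(root).iterdir() if p.is_file()]
    report = {
        "loader_dll": [p.name for p in files if LOADER_RE.match(p.name)],
        "desktop_ini_is_blob": any(p.name.lower() == "desktop.ini" and not looks_like_ini(p) for p in files),
        "thumbs_db_present": any(p.name.lower() == "thumbs.db" for p in files),
        "rundll32_lnk": [p.name for p in files if p.suffix.lower() == ".lnk" and lnk_launches_rundll32(p)],
    }
    # Loader DLL plus a non-INI desktop.ini is the stage-1/stage-2 pair; the Thumbs.db
    # dropper or a rundll32 shortcut corroborates it.
    report["andromeda_usb_chain"] = (bool(report["loader_dll"]) and report["desktop_ini_is_blob"]
                                     and (report["thumbs_db_present"] or bool(report["rundll32_lnk"])))
    return report

def build_constructed_infected_drive(root: Path) -> None:
    """Constructed fixture mimicking the artifact set; contents are placeholders, not malware."""
    (root / "~$WQXIND.FAT32").write_bytes(b"MZ" + b"\x00" * 62)         # stand-in for the loader DLL
    (root / "desktop.ini").write_bytes(b"\x55\x8b\xec" + b"\x90" * 29)   # opaque bytes, no [Section]
    (root / "Thumbs.db").write_bytes(b"\x00" * 32)                        # stand-in for encrypted dropper
    cmd = "rundll32 ~$WQXIND.FAT32,_ldr@16".encode("utf-16-le")           # argument form from the strings dump
    (root / "My Removable Device (8GB).lnk").write_bytes(b"L\x00\x00\x00" + cmd)

def demo(infected: bool = True) -> dict:
    """Scan a fresh temp dir seeded with the constructed set, or with a benign desktop.ini."""
    root = Path(tempfile.mkdtemp())
    if infected:
        build_constructed_infected_drive(root)
    else:
        (root / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=icon.ico,0\n")
    return scan_removable_root(root)
```

On a real drive, call scan_removable_root with the mount point; files dropped by this chain are hidden, so make sure the scan runs with hidden files visible.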
