
Re: Backdoor Andromeda (alias Gamarue)

PostPosted:Sun Jan 20, 2013 7:23 pm
by Userbased
The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.

Re: Backdoor Andromeda (alias Gamarue)

PostPosted:Mon Jan 21, 2013 12:27 pm
by unixfreaxjp
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.

Re: Backdoor Andromeda (alias Gamarue)

PostPosted:Mon Jan 21, 2013 4:14 pm
by Userbased
unixfreaxjp wrote:
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
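To confirm from a capture like the one attached above which host and URI the sample actually requested, the request lines can be pulled straight out of the TCP payloads. This is an added example, not code from the thread or from any of the posters: a dependency-free reader for classic libpcap files that walks Ethernet/IPv4/TCP and reports every HTTP request it finds. The pcap bytes it builds for itself are constructed here (one GET to ugctrust.com/image.php from 10.0.0.5 to the documentation address 203.0.113.7) and are not the attached capture.

```python
"""Extract HTTP request (dst, method, Host, path) tuples from a libpcap file.

Added example for the thread above; stdlib only. Handles Ethernet/IPv4/TCP
frames and skips everything else. The sample capture is constructed below.
"""
import struct


def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (magic 0xa1b2c3d4, either endianness)."""
    magic = data[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        endian = '<'
    elif magic == b'\xa1\xb2\xc3\xd4':
        endian = '>'
    else:
        raise ValueError('not a classic libpcap file')
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':  # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    if len(ip) < ihl or ip[9] != 6:  # protocol 6 = TCP
        return None
    dst_ip = '.'.join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack('!H', tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_ip, dst_port, tcp[data_off:]


def http_requests(pcap_bytes):
    """Return [(dst 'ip:port', method, host, path), ...] for every HTTP request line seen."""
    found = []
    for frame in parse_pcap(pcap_bytes):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        dst_ip, dst_port, payload = parsed
        head = payload.partition(b'\r\n\r\n')[0]
        lines = head.split(b'\r\n')
        parts = lines[0].split(b' ')
        if len(parts) != 3 or not parts[2].startswith(b'HTTP/'):
            continue  # empty segment, response, or not HTTP at all
        host = ''
        for hdr in lines[1:]:
            if hdr.lower().startswith(b'host:'):
                host = hdr.split(b':', 1)[1].strip().decode('latin-1')
        found.append((f'{dst_ip}:{dst_port}',
                      parts[0].decode('latin-1'), host, parts[1].decode('latin-1')))
    return found


def build_sample_pcap():
    """Constructed capture (not the attached one): one segment carrying a GET to ugctrust.com/image.php."""
    http = b'GET /image.php HTTP/1.1\r\nHost: ugctrust.com\r\n\r\n'
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack('!HHIIBBHHH', 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7])) + tcp
    eth = b'\x00' * 12 + b'\x08\x00' + ip  # zero MACs, EtherType IPv4
    global_hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    record = struct.pack('<IIII', 1358700000, 0, len(eth), len(eth)) + eth
    return global_hdr + record


if __name__ == '__main__':
    for dst, method, host, path in http_requests(build_sample_pcap()):
        print(f'{dst}  {method} {host}{path}')
```

Running it on a real capture is `http_requests(open('andromeda.pcap', 'rb').read())`; requests that span several segments or arrive over pcapng need a fuller reassembler (tshark or scapy), which this deliberately does not attempt.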

Re: Backdoor Andromeda (alias Gamarue)

PostPosted:Fri Jan 25, 2013 9:20 pm
by unixfreaxjp
Userbased wrote:
unixfreaxjp wrote:
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
May I use this for shutdown purpose?

Re: Backdoor Andromeda (alias Gamarue)

PostPosted:Sat Jan 26, 2013 3:44 am
by Userbased
unixfreaxjp wrote:
Userbased wrote:
unixfreaxjp wrote: Actually, it is supposed to connect to both.
I can only report what the reproduction pcap data/memory dump shows.
I would love to see it connect to ugctrust.com, since the original report also showed it downloading ransomware payloads from that site. That'll be the crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
May I use this for shutdown purpose?
Go right ahead. That's why I posted it.

Re: Backdoor Andromeda (alias Gamarue)

PostPosted:Wed Jan 30, 2013 8:19 am
by bsteo
Wondering if anybody saw in the wild the latest Andromeda "update" binaries, latest version: v07 (sic!)


New USB Exploit malware

PostPosted:Sat Feb 16, 2013 5:55 pm
by TwinHeadedEagle
I need the malware with the following SHA256:

8685bfe336556303a87715fdc2b4aa8a0293c36b1e3d94fda7019e0df0432a11

It's fresh, MCShield cleaned it...

https://www.virustotal.com/en/file/8685 ... 361029122/

Thanks

Re: New USB Exploit malware

PostPosted:Sat Feb 16, 2013 7:09 pm
by Xylitol
attached

Desktop.ini

PostPosted:Tue Feb 19, 2013 6:19 pm
by TwinHeadedEagle
Need the desktop.ini with this SHA256:

c7bd252296272693d8ad658295de6ca89c6c0dd42c054ebb58f571aad1d8cc1f

and this MD5:

d80c46bac5f9df7eb83f46d3f30bf426

https://www.virustotal.com/en/file/c7bd ... /analysis/
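Both sample requests above identify the wanted file only by a digest, one by SHA256 alone and one by SHA256 plus MD5. As an added example (not code from the thread or from any poster), here is a small script that walks a directory of candidate files and reports which ones match a mixed list of requested digests, telling MD5 from SHA256 by length and ignoring case. The three hashes quoted from the posts are carried in REQUESTED; the two files the demo writes are constructed placeholders, so they match only the digests computed from their own contents, never the posted hashes.

```python
"""Match files on disk against a mixed list of requested MD5/SHA256 digests.

Added example for the sample requests above; stdlib only. The demo files are
constructed and are not the real samples.
"""
import hashlib
import os
import tempfile

# Digests quoted from the two requests above. The placeholder files written by
# demo() will NOT match these; they are here to show a mixed list being accepted.
REQUESTED = [
    '8685bfe336556303a87715fdc2b4aa8a0293c36b1e3d94fda7019e0df0432a11',
    'c7bd252296272693d8ad658295de6ca89c6c0dd42c054ebb58f571aad1d8cc1f',
    'd80c46bac5f9df7eb83f46d3f30bf426',
]

ALGO_BY_LEN = {32: 'md5', 64: 'sha256'}  # hex digest length -> hashlib name
HEX = set('0123456789abcdef')


def classify(hashes):
    """Group requested digests by algorithm, lower-cased; reject anything that is not a hex digest."""
    wanted = {}
    for h in hashes:
        h = h.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or set(h) - HEX:
            raise ValueError(f'not a recognised hex digest: {h!r}')
        wanted.setdefault(algo, set()).add(h)
    return wanted


def digests(path, algos, chunk=1 << 20):
    """Hash one file with every requested algorithm in a single pass over its bytes."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def find_matches(directory, hashes):
    """Return [(algo, digest, path), ...] for every file whose digest is in the request list."""
    wanted = classify(hashes)
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            for algo, digest in digests(path, wanted).items():
                if digest in wanted[algo]:
                    hits.append((algo, digest, path))
    return hits


def demo():
    """Constructed scenario: two placeholder files, one requested by SHA256, one by upper-case MD5."""
    ini_bytes = b'[.ShellClassInfo]\r\n'   # placeholder content, not the real desktop.ini
    blob_bytes = b'\x00' * 16             # placeholder content
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, 'desktop.ini'), 'wb') as f:
            f.write(ini_bytes)
        with open(os.path.join(d, 'other.bin'), 'wb') as f:
            f.write(blob_bytes)
        want = [hashlib.sha256(ini_bytes).hexdigest(),
                hashlib.md5(blob_bytes).hexdigest().upper()] + REQUESTED
        hits = find_matches(d, want)
    return sorted((algo, os.path.basename(path)) for algo, _digest, path in hits)


if __name__ == '__main__':
    for algo, name in demo():
        print(f'{algo:6} {name}')
```

On a real triage box, `find_matches('/srv/samples', REQUESTED)` is the call; each file is read once regardless of how many algorithms the request list mixes.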

Re: Desktop.ini

PostPosted:Wed Feb 20, 2013 2:48 am
by Xylitol
and why do you need this?