Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Wed Feb 20, 2013 11:08 am

As far as I know, Desktop.ini is a config file, and I need to look at its content to find out where it refers to...
Cassiel
Posts: 13
Joined: Mon Dec 17, 2012 12:03 pm

Wed Feb 20, 2013 2:15 pm

I have the file you wanted but no additional information about it.
If you find something, let us know.
TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Wed Feb 20, 2013 3:11 pm

OK, I cleaned the computer of the user who opened the thread about this malware.

The malware drops at the following location:

Code:

c:\progra~2\locals~1\temp\msoppo.exe

It creates the following registry key:

Code:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="c:\progra~2\locals~1\temp\msoppo.exe"

Here is the VT report

https://www.virustotal.com/en/file/21b0 ... 361372494/

Attaching sample
Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Wed Feb 20, 2013 4:58 pm

msoppo.exe attempts to connect to the following domains:

Code:

xdqzpbcgrvkj.ru
anam0rph.su
orzdwjtvmein.in
ygiudewsqhct.in
bdcrqgonzmwuehky.nl
somicrososoft.ru

The only one that currently resolves is somicrososoft.ru, where it connects to /in.php. It is a sample of Andromeda 2.06. A PCAP file is attached.
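As an added example (not code from the thread or from its attachments), a small Python checker that applies the indicators from the two posts above, the Policies\Explorer\Run value launching from a temp directory and the domain list with the /in.php beacon path, to a constructed .reg-style export and a few constructed DNS/HTTP log lines; the log format and the benign "Updater" value are assumptions made for the sample data.

```python
import re

# Constructed sample input (not the thread's attachments): a .reg-style export
# containing the Policies\Explorer\Run key from the post, plus a benign value.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="c:\progra~2\locals~1\temp\msoppo.exe"
"Updater"="C:\Program Files\Vendor\updater.exe"
"""

# Constructed DNS/HTTP log lines in an assumed whitespace-separated format.
LOG_LINES = [
    "2013-02-20 16:58:01 dns query A somicrososoft.ru -> 198.51.100.7",
    "2013-02-20 16:58:02 http GET somicrososoft.ru /in.php 200",
    "2013-02-20 16:58:05 dns query A xdqzpbcgrvkj.ru -> NXDOMAIN",
    "2013-02-20 17:00:00 dns query A example.org -> 93.184.216.34",
]

# Domains listed in the post above.
ANDROMEDA_DOMAINS = {
    "xdqzpbcgrvkj.ru", "anam0rph.su", "orzdwjtvmein.in",
    "ygiudewsqhct.in", "bdcrqgonzmwuehky.nl", "somicrososoft.ru",
}
POLICIES_RUN = r"software\microsoft\windows\currentversion\policies\explorer\run"
TEMP_PATH = re.compile(r"\\(temp|locals~1)\\", re.I)  # temp dirs, 8.3 short names included


def suspicious_run_entries(reg_text):
    r"""Return (value_name, path) for Policies\Explorer\Run values launching from a temp directory."""
    hits, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: remember whether we are inside the Run key
            in_key = line.lower().rstrip("]").endswith(POLICIES_RUN)
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"', line)
        if in_key and m and TEMP_PATH.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def c2_log_hits(lines, domains=ANDROMEDA_DOMAINS):
    """Return (domain, is_beacon) for lines naming a listed domain; is_beacon marks the /in.php path."""
    hits = []
    for line in lines:
        tokens = line.split()
        matched = [t for t in tokens if t.lower() in domains]
        if matched:
            hits.append((matched[0], "/in.php" in tokens))
    return hits
```

A real sweep would feed `suspicious_run_entries` a `reg export` of both the HKLM and HKCU Policies\Explorer\Run keys and `c2_log_hits` the resolver or proxy logs.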
aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Thu Feb 21, 2013 10:01 am

I think PCAP traffic is a little bit useless for Andromeda, since the bot traffic is encrypted (with the bot key).

The bot key is stored with the URL list, and I wrote some tools (in Python 2) which allow extracting the Andromeda config from an unpacked sample and querying the C&C to get the stuff dropped by Andromeda (attached).

I also attached an unpacked Andromeda sample for people who don't want to fight against XPXAXCXK.

Virustotal (unpacked): https://www.virustotal.com/fr/file/d37d ... /analysis/

Virustotal (msoppo.exe): https://www.virustotal.com/fr/file/21b0 ... /analysis/
grum
Posts: 38
Joined: Tue Nov 06, 2012 12:16 pm

Sat Feb 23, 2013 4:12 pm

:) Maybe help me code tools to brute-force C&C server login and pass very fast? I really tried with THydra, but it's bad and can't crack it.

I need tools coded in PHP or ASM or Perl, maybe Python or Ruby. Hope all can help!
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Sun Feb 24, 2013 9:13 am

grum wrote:
:) Maybe help me code tools to brute-force C&C server login and pass very fast? I really tried with THydra, but it's bad and can't crack it.

I need tools coded in PHP or ASM or Perl, maybe Python or Ruby. Hope all can help!

Hydra can do it, you just don't know how to use it.
grum
Posts: 38
Joined: Tue Nov 06, 2012 12:16 pm

Thu Mar 07, 2013 5:52 am

Can the latest THydra and bruteforce help?
EP_X0FF
Global Moderator
Posts: 4905
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Mar 07, 2013 6:06 am

grum wrote:
Can the latest THydra and bruteforce help?

What kind of answer do you expect?

Yes, bruteforce can do it. No, we don't do it for you - do it yourself.
Ring0 - the source of inspiration