A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19877  by EP_X0FF
 Sun Jun 30, 2013 6:55 am
MAXS wrote:Gamarue has Anti-Emulation and Anti-VM code to detect the presence of a virtual machine. I was able to execute it on a patched VM, but can you tell me whether it has a technique to disable USB spreading when it detects a VM...
It won't start if VM detected.
 #19880  by EP_X0FF
 Sun Jun 30, 2013 7:09 am
MAXS wrote:I suppose you thought about spreading. Then how did I get to execute the malware on a VM?
Prepare a VM for malware analysis, what is the problem?
 #19882  by EP_X0FF
 Sun Jun 30, 2013 7:47 am
MAXS wrote:We didn't understand each other. I was able to start Gamarue under a VM, but when I plug in a USB drive, nothing happens, no spreading...
Then your particular sample does not have this USB spreading feature.
 #19883  by TwinHeadedEagle
 Sun Jun 30, 2013 8:06 am
I was able to find hashes for Gamarue that should spread via removable drives


I need all four, thanks :)
 #19931  by dumb110
 Wed Jul 03, 2013 11:19 am
Some interesting Gamarue samples from USB. It uses the LNK vulnerability too. You need to unhide the hidden files.
 #19978  by rough_spear
 Fri Jul 05, 2013 3:56 pm
Hi All, :D

15 sample files of Andromeda.

List of MD5s:
  • 09FE6259BCD918AC54B8C6CC7CCF3C96

rough_spear. ;)
 #19998  by EP_X0FF
 Sun Jul 07, 2013 4:17 am
Andromeda USB infection control flow.

As example we are taking dumb110 sample.

1) The LNK triggers the first loader. In our case it is ~$WQXIND.FAT32 (internally named dll_down_exec.dll), an MSVC-compiled loader packed with UPX whose purpose is to execute the next stage;

2) The loader reads the contents of the desktop.ini file, which is actually 32-bit code, and executes it;

3) The desktop.ini code performs several actions: it decrypts the main dropper body from the file Thumbs.db, saves it on disk in the temp folder as TrustedInstaller.exe and then executes it;

4) TrustedInstaller is the core component of the infection (https://www.virustotal.com/en/file/8cc8 ... 373170005/). It is another, more complex stage of the Andromeda loader (T:\ldr\CUSTOM\local\local\Release\ADropper.pdb). Purpose: install the actual payload (https://www.virustotal.com/en/file/5848 ... /analysis/) and the USB infection DLL (T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb), which is stored as an encrypted key in the registry, HKCU\Software, under the key ImageBase. Worm65.dll contains the loader from the first stage and all required data for USB infection:
h t t p : / / s u c k m y c o c k l a m e a v i n d u s t r y . i n /   IsWow64Process  k e r n e l 3 2         S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ E x p l o r e r \ A d v a n c e d   S h o w S u p e r H i d d e n   H i d d e n     S h e l l _ T r a y W n d       0   S o f t w a r e     I m a g e B a s e   . e x e     . b a t     . v b s     . p i f     . c m d     % s \ *     .   . .     % s \ % s   B a c k u p .   % s . e x e     % s % s         ~ $ W   . L N K     . I N F     . I N I     T h u m b s . d b   L a u n c h U 3 . e x e     \ *     \   d e s k t o p . i n i   a u t o r u n . i n f   NtQuerySystemInformation    n t d l l   NtQueryObject   % s \   GetDiskFreeSpaceExW k e r n e l 3 2 . d l l     % s \ D C I M   % s \ W i n d o w s     % s \       % s \ d e s k t o p . i n i     % s \ ~ $ W % s . F A T 3 2     % s \ T h u m b s . d b         ~ $ W % s . F A T 3 2 , _ l d r @ 1 6   d e s k t o p . i n i   R E T   T L S   "   "   % s \ M y   R e m o v a b l e   D e v i c e   ( % I 6 4 u G B ) . l n k     s h e l l 3 2 . d l l   r u n d l l 3 2     % s \ % s   ( % I 6 4 u G B ) . l n k   ABCDEFGHIJKLMNOPQRSTUVWXYZ  % c : \     % s a u t o r u n . i n f 
Note the message to the AV industry in Andromeda from the script-kiddie author; maybe wahoo, idgaf anyway;

5) The end of the cycle: if a removable drive is found, it is infected/reinfected with the encrypted data read from the registry and written to the file "thumbs.db", and the binary file with 32-bit code is written to "desktop.ini", together with the loader DLL and a shortcut.


Now find here "rdtsc", "sandbox" and the other BS you posted previously.
Your posts have been removed as they make no sense. Furthermore, stay away from posting BS just because you want to look cool while you actually look like an idiot.
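As an added example (not code from this thread or from any of the posters), the following Python script turns the artifact set described in EP_X0FF's control-flow write-up into a triage check for the root of a removable drive: a desktop.ini that is not INI text, a Thumbs.db that is not an OLE2 structured-storage file (which a real thumbnail cache always is), a "~$W*.FAT32" loader with an MZ header, and a .lnk shortcut. The file names come from the post and the string dump; the byte contents written by build_demo_drive() are constructed placeholders (a few fake x86 bytes, a dummy PE header) and are not real Andromeda code or data. The thresholds in scan_removable_root() are my own assumption for a triage tool, not anything the post states.

```python
import os
import re
import tempfile

# Artifact names quoted in EP_X0FF's write-up and the string dump above. The loader
# name is "~$W<something>.FAT32"; the middle part varies per infection.
LOADER_RE = re.compile(r"^~\$W.+\.FAT32$", re.IGNORECASE)
LNK_RE = re.compile(r"\.lnk$", re.IGNORECASE)
# Header of a genuine Thumbs.db (OLE2 compound file); the worm writes an encrypted blob instead.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def looks_like_text_ini(data: bytes) -> bool:
    """A genuine desktop.ini is printable INI text (UTF-8 or UTF-16) with a [section]
    header. The Andromeda desktop.ini is raw 32-bit code, so this returns False for it."""
    for enc in ("utf-8", "utf-16"):
        try:
            text = data.decode(enc)
            break
        except UnicodeDecodeError:
            continue
    else:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    return re.search(r"^\s*\[[^\]]+\]", text, re.M) is not None


def scan_removable_root(root: str) -> dict:
    """Inspect the root directory of a removable drive for the four artifacts the worm writes."""
    result = {
        "desktop_ini_binary": False,   # desktop.ini present but not INI text
        "thumbs_db_not_ole": False,    # Thumbs.db present but not an OLE2 file
        "loader_dll": [],              # (name, has MZ header) for each ~$W*.FAT32
        "lnk_files": [],               # shortcuts in the drive root
        "autorun_inf": False,          # also in the string dump, not required for the verdict
    }
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        lower = name.lower()
        if lower == "desktop.ini":
            result["desktop_ini_binary"] = not looks_like_text_ini(head)
        elif lower == "thumbs.db":
            result["thumbs_db_not_ole"] = not head.startswith(OLE_MAGIC)
        elif LOADER_RE.match(name):
            result["loader_dll"].append((name, head[:2] == b"MZ"))
        elif LNK_RE.search(name):
            result["lnk_files"].append(name)
        elif lower == "autorun.inf":
            result["autorun_inf"] = True
    hits = [
        result["desktop_ini_binary"],
        result["thumbs_db_not_ole"],
        bool(result["loader_dll"]),
        bool(result["lnk_files"]),
    ]
    # Assumed thresholds: all four artifacts together match step 5 of the write-up.
    if all(hits):
        result["verdict"] = "andromeda-usb-infection"
    elif sum(hits) >= 2:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


def build_demo_drive(root: str, infected: bool) -> None:
    """Write a constructed drive layout for testing. Contents are placeholders only."""
    if infected:
        files = {
            "desktop.ini": b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc3",      # fake x86 stub
            "Thumbs.db": bytes(range(256)) * 4,                           # fake encrypted blob
            "~$WQXIND.FAT32": b"MZ" + b"\x00" * 62,                       # fake PE header
            "My Removable Device (4GB).lnk": b"L\x00\x00\x00" + b"\x00" * 16,
        }
    else:
        files = {
            "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n",
            "Thumbs.db": OLE_MAGIC + b"\x00" * 504,
            "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo(infected: bool) -> dict:
    """Build a constructed drive in a temp directory, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_drive(root, infected)
        return scan_removable_root(root)


if __name__ == "__main__":
    for flag in (True, False):
        print("infected" if flag else "clean", "->", demo(flag)["verdict"])
```

Run it against a mounted drive with scan_removable_root("E:\\") (or the mount point on Linux); the hidden attribute the poster mentions does not affect os.listdir, so the files are seen even when Explorer hides them.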