andromeda | 0685205a9d2da4318b1f53ebe2f5927af25ada33d8581018735727253b35ccd6 | Triage

Submit
Reports

Overview

overview

Static

static

3

bb84026383...18.exe

windows7-x64

bb84026383...18.exe

windows10-2004-x64

Sharing

General

Target

bb8402638335a9a0178f179503663416_JaffaCakes118
Size

40KB
Sample

240823-nfyfystdjm
MD5

bb8402638335a9a0178f179503663416
SHA1

313d63d81057681cc84d3d6f39b983cd326a3abd
SHA256

0685205a9d2da4318b1f53ebe2f5927af25ada33d8581018735727253b35ccd6
SHA512

c3d98919eba03169296d11f03d18022c02ee99597217fc43ccbe5647a413103d7cdd95ec6db08db4f263eebab21eed2d2e5f818cbecdd228989a0b21dba9dc94
SSDEEP

384:i04Vfdj9JT9uxRgZGz0glhPuDWWx3f+ZexbiOSRxMJ3XJoY/RPz6LrVp64NSNqtV:wdfTIvAxbiOexoWYkP6J8b/tjW2Pb

Score

10^/10

andromeda backdoor botnet discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bb8402638335a9a0178f179503663416_JaffaCakes118.exe

Resource

win7-20240704-en

andromeda backdoor botnet discovery persistence

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

bb8402638335a9a0178f179503663416_JaffaCakes118.exe

Resource

win10v2004-20240802-en

andromeda backdoor botnet discovery persistence

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  bb8402638335a9a0178f179503663416_JaffaCakes118
- Size
  
  40KB
- MD5
  
  bb8402638335a9a0178f179503663416
- SHA1
  
  313d63d81057681cc84d3d6f39b983cd326a3abd
- SHA256
  
  0685205a9d2da4318b1f53ebe2f5927af25ada33d8581018735727253b35ccd6
- SHA512
  
  c3d98919eba03169296d11f03d18022c02ee99597217fc43ccbe5647a413103d7cdd95ec6db08db4f263eebab21eed2d2e5f818cbecdd228989a0b21dba9dc94
- SSDEEP
  
  384:i04Vfdj9JT9uxRgZGz0glhPuDWWx3f+ZexbiOSRxMJ3XJoY/RPz6LrVp64NSNqtV:wdfTIvAxbiOexoWYkP6J8b/tjW2Pb
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscoverypersistence

behavioral2

andromedabackdoorbotnetdiscoverypersistence

© 2018-2024

Terms | Privacy