andromeda | c551dfb6a7681d8566d2949b5db6047dda5b7ccf2022121e0b4c6b3190976691 | Triage

Submit
Reports

Overview

overview

Static

static

3

fd7b1f4820...18.exe

windows7-x64

fd7b1f4820...18.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

fd7b1f482021ca804cb2be1f012478de_JaffaCakes118
Size

13KB
Sample

240929-a7vx9awdrc
MD5

fd7b1f482021ca804cb2be1f012478de
SHA1

368eead9c77c6236c6bc3e44ee5c22f73cc12f08
SHA256

c551dfb6a7681d8566d2949b5db6047dda5b7ccf2022121e0b4c6b3190976691
SHA512

900d4761a53fd38eccd4a414c58a5a1965c7e9fa1d508d4a986680db5fb386e9dedcb90c20a8ee5728f5ca78f96d24ac9894553939e44a9719b3d2351dcefe1a
SSDEEP

192:byEh4bJlnNdEIv1J/b9i7s4pwrARgZd1SrMksXgUdBOvAUPuDtwFWx3f/:204Vfdj9JT9uxRgZGz0glhPuDWWx3f

Score

10^/10

andromeda backdoor botnet discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fd7b1f482021ca804cb2be1f012478de_JaffaCakes118.exe

Resource

win7-20240903-en

andromeda backdoor botnet discovery persistence

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

fd7b1f482021ca804cb2be1f012478de_JaffaCakes118.exe

Resource

win10v2004-20240802-en

andromeda backdoor botnet discovery persistence

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  fd7b1f482021ca804cb2be1f012478de_JaffaCakes118
- Size
  
  13KB
- MD5
  
  fd7b1f482021ca804cb2be1f012478de
- SHA1
  
  368eead9c77c6236c6bc3e44ee5c22f73cc12f08
- SHA256
  
  c551dfb6a7681d8566d2949b5db6047dda5b7ccf2022121e0b4c6b3190976691
- SHA512
  
  900d4761a53fd38eccd4a414c58a5a1965c7e9fa1d508d4a986680db5fb386e9dedcb90c20a8ee5728f5ca78f96d24ac9894553939e44a9719b3d2351dcefe1a
- SSDEEP
  
  192:byEh4bJlnNdEIv1J/b9i7s4pwrARgZd1SrMksXgUdBOvAUPuDtwFWx3f/:204Vfdj9JT9uxRgZGz0glhPuDWWx3f
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscoverypersistence

behavioral2

andromedabackdoorbotnetdiscoverypersistence

© 2018-2025

Terms | Privacy