andromeda | db5461c2d422e67dfa063eea8657ae8beb6050a8683750aa1ed3da733a3fb31c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

20833a0796...18.exe

windows7-x64

20833a0796...18.exe

windows10-2004-x64

Sharing

General

Target

20833a0796c378f7ac1f2e01565f1f7a_JaffaCakes118
Size

61KB
Sample

241008-j5zm4a1aph
MD5

20833a0796c378f7ac1f2e01565f1f7a
SHA1

ca6234824f3d7cea7c6f38ae7628cbda9001f305
SHA256

db5461c2d422e67dfa063eea8657ae8beb6050a8683750aa1ed3da733a3fb31c
SHA512

fe2351a0a77c73add5ce5947a884a61f35ef2c636e95eb8d47f2c40bc3e2c0d21af08f756d8923946611d9a84e56751eb8fbccc2a0ec87d02700c03400643b17
SSDEEP

1536:0E9dE6rTKjdJVV0rxooc5K9RUdOeeeeeeMeeeeeeGk0Bls:0Z6KjzmaoEiUdig

Score

10^/10

andromeda backdoor botnet discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

20833a0796c378f7ac1f2e01565f1f7a_JaffaCakes118.exe

Resource

win7-20240708-en

andromeda backdoor botnet discovery persistence

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

20833a0796c378f7ac1f2e01565f1f7a_JaffaCakes118.exe

Resource

win10v2004-20241007-en

andromeda backdoor botnet discovery persistence

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  20833a0796c378f7ac1f2e01565f1f7a_JaffaCakes118
- Size
  
  61KB
- MD5
  
  20833a0796c378f7ac1f2e01565f1f7a
- SHA1
  
  ca6234824f3d7cea7c6f38ae7628cbda9001f305
- SHA256
  
  db5461c2d422e67dfa063eea8657ae8beb6050a8683750aa1ed3da733a3fb31c
- SHA512
  
  fe2351a0a77c73add5ce5947a884a61f35ef2c636e95eb8d47f2c40bc3e2c0d21af08f756d8923946611d9a84e56751eb8fbccc2a0ec87d02700c03400643b17
- SSDEEP
  
  1536:0E9dE6rTKjdJVV0rxooc5K9RUdOeeeeeeMeeeeeeGk0Bls:0Z6KjzmaoEiUdig
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscoverypersistence

behavioral2

andromedabackdoorbotnetdiscoverypersistence

© 2018-2025

Terms | Privacy