andromeda | e85850e72c5f41f6eec1b1ba20c146e2cc8c1634f033af5e841436e294e351a7 | Triage

Submit
Reports

Overview

overview

Static

static

3

339be31dd6...18.exe

windows7-x64

339be31dd6...18.exe

windows10-2004-x64

Sharing

General

Target

339be31dd6d19b35614639b131f2f71f_JaffaCakes118
Size

162KB
Sample

241011-gzw9nsvamp
MD5

339be31dd6d19b35614639b131f2f71f
SHA1

c82b4f4902510f695a610eebdfde53ed82fa5813
SHA256

e85850e72c5f41f6eec1b1ba20c146e2cc8c1634f033af5e841436e294e351a7
SHA512

6028fa7d9b4ed3b8b805472f75cfa8518cf68169a264ecf3b36091b34cb90e21be0e76f4d2c518198cde0dd253586b82642cd63c041d44dc1b4e16b076b06cee
SSDEEP

3072:dnJRlMMGYJ+ipesjoccP9r5l2z3ScxI10HZKYHOQBYWiuhdPn9w:dJhjqPpOWcxI10Hiuhd/6

Score

10^/10

andromeda backdoor botnet discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

339be31dd6d19b35614639b131f2f71f_JaffaCakes118.exe

Resource

win7-20240903-en

andromeda backdoor botnet discovery persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

339be31dd6d19b35614639b131f2f71f_JaffaCakes118.exe

Resource

win10v2004-20241007-en

andromeda backdoor botnet discovery persistence

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  339be31dd6d19b35614639b131f2f71f_JaffaCakes118
- Size
  
  162KB
- MD5
  
  339be31dd6d19b35614639b131f2f71f
- SHA1
  
  c82b4f4902510f695a610eebdfde53ed82fa5813
- SHA256
  
  e85850e72c5f41f6eec1b1ba20c146e2cc8c1634f033af5e841436e294e351a7
- SHA512
  
  6028fa7d9b4ed3b8b805472f75cfa8518cf68169a264ecf3b36091b34cb90e21be0e76f4d2c518198cde0dd253586b82642cd63c041d44dc1b4e16b076b06cee
- SSDEEP
  
  3072:dnJRlMMGYJ+ipesjoccP9r5l2z3ScxI10HZKYHOQBYWiuhdPn9w:dJhjqPpOWcxI10Hiuhd/6
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscoverypersistence

behavioral2

andromedabackdoorbotnetdiscoverypersistence

© 2018-2024

Terms | Privacy