andromeda | c657ae4e1fe2082dd10a16886923a0494cb1da7a77b178815081e204ce4e297f

Sharing

Copy URL

Twitter E-mail

General

Target

4db6e1f8a90b0e5735632e0478a996fe_JaffaCakes118
Size

73KB
Sample

241016-td51xaxhqa
MD5

4db6e1f8a90b0e5735632e0478a996fe
SHA1

6aaaa7dfc470a5d441d5c8a55c32d5c3e1f63198
SHA256

c657ae4e1fe2082dd10a16886923a0494cb1da7a77b178815081e204ce4e297f
SHA512

dfb29e09d4936f084b4144a50f65bed786dc4068b3cdc46b475df9309f5cf6d8b57ece684dbce25e38d8da64d3758e478735b6febf3974d5c45c853bce845574
SSDEEP

1536:OpgpHzb9dZVX9fHMvG0D3XJA9IMv+jS1BtXGZTcpqMfvx4++tOvBFxb:UgXdZt9P6D3XJAiMvaw/WKpqM3atOvBj

Score

10^/10

Malware Config

Targets

- Target
  
  4db6e1f8a90b0e5735632e0478a996fe_JaffaCakes118
- Size
  
  73KB
- MD5
  
  4db6e1f8a90b0e5735632e0478a996fe
- SHA1
  
  6aaaa7dfc470a5d441d5c8a55c32d5c3e1f63198
- SHA256
  
  c657ae4e1fe2082dd10a16886923a0494cb1da7a77b178815081e204ce4e297f
- SHA512
  
  dfb29e09d4936f084b4144a50f65bed786dc4068b3cdc46b475df9309f5cf6d8b57ece684dbce25e38d8da64d3758e478735b6febf3974d5c45c853bce845574
- SSDEEP
  
  1536:OpgpHzb9dZVX9fHMvG0D3XJA9IMv+jS1BtXGZTcpqMfvx4++tOvBFxb:UgXdZt9P6D3XJAiMvaw/WKpqM3atOvBj
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $TEMP/TcQoltNqJAb.dll
- Size
  
  4KB
- MD5
  
  c556fac47933a7805b6e0ee5810e98eb
- SHA1
  
  3d6eeafe85cfe3ac874d776ea2a4fb0d2e0539a6
- SHA256
  
  c64d08223e6dfa9a2a6647e47e59dea86fb58fbe2040cd11fe08272fa569fdc9
- SHA512
  
  9067edeb0e0c3e6dfe8337e1cb5e8488c84c3350d3dfda32a7cbfa702e0eba0300b285e0bd51f400818d9900a5975c918b7fe94dccb760dc6380c246f481dcac
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $TEMP/eCGSHOUuESLX.dll
- Size
  
  3KB
- MD5
  
  01bc9e105089fe365720eddab42df33b
- SHA1
  
  d7b94e25f9a77cccdce7f68bcdc230c14b5be351
- SHA256
  
  8683bd9514562fc86a379f4299fc90015c3e1780b1749ccfa6158c94f687690f
- SHA512
  
  cdd8c52175eb84b9f1f3aad5bd013aecbaa589f1aa4e65b089399ee8fd8bed86e0bb1205477c737cbe0c540f8bc214c3c55afc7a129db3d0c7acaad2da95d42e
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $TEMP/lYjPjidj.dll
- Size
  
  3KB
- MD5
  
  42e7dd6d69813c7726727cea1c2c0315
- SHA1
  
  bcecbf815043ed897e491ea83852bdd80ff381c7
- SHA256
  
  7165a082e106e2952b8e4e8a34cf479a7e08d7bab22c5457289d45a19a509a3a
- SHA512
  
  e007b040c981b44fcbd3ffd64210e76210313c5f2744862a7227a451af576fe72203ad452ee501be1ba7263d29a1532ed2318a42eb3f3fdda92882fbd29ac257
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $TEMP/qlALHNXEUox.exe
- Size
  
  28KB
- MD5
  
  3840843ee5e53ee0bacbc9a0de7ff3cd
- SHA1
  
  3f8fcd8e4a7db6cac5dba89c56b67020e439e739
- SHA256
  
  d2c8e0a549d9f02bc6bec719353ff9945d22f550c849577eb511764fd18e48ee
- SHA512
  
  24b81a10db6b72769bc7ce7eabefa4f6c55102daecc02c0e0521ca1c348621045292d9491c91fa8ccc1cd70b26ef0b18ab626bb0715a919bdf0d171192db65b6
- SSDEEP
  
  192:s/uRHGHqPuP1oynHzEd+MWC5T+H2gC3B9ryrry6AT8:s/Gm11ECSICqrrrA8
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Andromeda, Gamarue

Detects Andromeda payload.

Adds policy Run key to start application

Deletes itself

Executes dropped EXE

Loads dropped DLL

Maps connected drives based on registry

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10