andromeda | f30fbadea20f8ae93e7db667640fe57be52f068389f11f4399ae9e990d8e065a | Triage

Sharing

General

Target

5c2f8f3169f6aa13b23cbcac0b2530b3_JaffaCakes118
Size

181KB
Sample

241019-mhsg2stbnn
MD5

5c2f8f3169f6aa13b23cbcac0b2530b3
SHA1

bd1b8216d05ea7b9e283f5ed295d054ecddc40f5
SHA256

f30fbadea20f8ae93e7db667640fe57be52f068389f11f4399ae9e990d8e065a
SHA512

726ab3f5c29235b0b74348deb24314989e15e6523f82602ef9027497888696b583aea8c0474aa567559f57bc62893c1220d4b178d72db9c70e448e6e895388e9
SSDEEP

3072:koqC0GPbSSXj58Bijd59KjjfU1YI2JKjrdJhIAbl8KWbDbD8ZXBx0bRZrxSNO:koqCBu24jM1RTV3l8KWbvDSXBabh+

Score

10^/10

andromeda backdoor botnet defense_evasion discovery evasion persistence

Malware Config

Targets

- Target
  
  5c2f8f3169f6aa13b23cbcac0b2530b3_JaffaCakes118
- Size
  
  181KB
- MD5
  
  5c2f8f3169f6aa13b23cbcac0b2530b3
- SHA1
  
  bd1b8216d05ea7b9e283f5ed295d054ecddc40f5
- SHA256
  
  f30fbadea20f8ae93e7db667640fe57be52f068389f11f4399ae9e990d8e065a
- SHA512
  
  726ab3f5c29235b0b74348deb24314989e15e6523f82602ef9027497888696b583aea8c0474aa567559f57bc62893c1220d4b178d72db9c70e448e6e895388e9
- SSDEEP
  
  3072:koqC0GPbSSXj58Bijd59KjjfU1YI2JKjrdJhIAbl8KWbDbD8ZXBx0bRZrxSNO:koqCBu24jM1RTV3l8KWbvDSXBabh+
Score

10^/10

andromeda backdoor botnet defense_evasion discovery evasion persistence
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Modifies visibility of file extensions in Explorer
  evasion
- Adds policy Run key to start application
  persistence
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdefense_evasiondiscoveryevasionpersistence

behavioral2

andromedabackdoorbotnetdefense_evasiondiscoveryevasionpersistence