andromeda | 7384eeb77614edb477be24e3b91d93b30bcf092f3fe0a4b5b1a8096c8b6a54eb | Triage

Submit
Reports

Overview

overview

Static

static

5

5f9c73fe96...18.exe

windows7-x64

5f9c73fe96...18.exe

windows10-2004-x64

Sharing

General

Target

5f9c73fe96d37486d0e375c1fa90435b_JaffaCakes118
Size

58KB
Sample

241020-bd9d8a1gmp
MD5

5f9c73fe96d37486d0e375c1fa90435b
SHA1

bfd201874003777d21b266aea0e2c0a58b95b136
SHA256

7384eeb77614edb477be24e3b91d93b30bcf092f3fe0a4b5b1a8096c8b6a54eb
SHA512

bb7f26a191d2d384e30d62a7ae38d835f662899066dd3970ea33f220be5e320ac977c3780a0597e0eef5340b0d5dd5460f1e4ae718c6a109a3f4f12c647a9b65
SSDEEP

1536:ouHT3E14wt7nouy804KAfWkZAPIhf0fjKwIt:ouz3ECOjout04KmWsAPIhMfuwIt

Score

10^/10

andromeda backdoor botnet discovery persistence upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

5f9c73fe96d37486d0e375c1fa90435b_JaffaCakes118.exe

Resource

win7-20240708-en

andromeda backdoor botnet discovery persistence upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

5f9c73fe96d37486d0e375c1fa90435b_JaffaCakes118.exe

Resource

win10v2004-20241007-en

andromeda backdoor botnet discovery persistence upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  5f9c73fe96d37486d0e375c1fa90435b_JaffaCakes118
- Size
  
  58KB
- MD5
  
  5f9c73fe96d37486d0e375c1fa90435b
- SHA1
  
  bfd201874003777d21b266aea0e2c0a58b95b136
- SHA256
  
  7384eeb77614edb477be24e3b91d93b30bcf092f3fe0a4b5b1a8096c8b6a54eb
- SHA512
  
  bb7f26a191d2d384e30d62a7ae38d835f662899066dd3970ea33f220be5e320ac977c3780a0597e0eef5340b0d5dd5460f1e4ae718c6a109a3f4f12c647a9b65
- SSDEEP
  
  1536:ouHT3E14wt7nouy804KAfWkZAPIhf0fjKwIt:ouz3ECOjout04KmWsAPIhMfuwIt
Score

10^/10

andromeda backdoor botnet discovery persistence upx
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscoverypersistenceupx

behavioral2

andromedabackdoorbotnetdiscoverypersistenceupx

© 2018-2024

Terms | Privacy