andromeda | f61b5c1c425d49a70487f13f500b96384bd058af7005f977a12e6d7bb31a4ba0 | Triage

Submit
Reports

Overview

overview

Static

static

5

82397e61d9...18.exe

windows7-x64

82397e61d9...18.exe

windows10-2004-x64

Sharing

General

Target

82397e61d9b5eda38cebb93da544a9da_JaffaCakes118
Size

43KB
Sample

241031-h5c9es1qdy
MD5

82397e61d9b5eda38cebb93da544a9da
SHA1

5534c45b28462525d23dd3829793a93bb52a5eae
SHA256

f61b5c1c425d49a70487f13f500b96384bd058af7005f977a12e6d7bb31a4ba0
SHA512

e74abfe0a749d7fd4ef5fdb727177498522c0e58d9bee5c87f084ad3fed1e538b45a4917b44bf85933ad6f93081b3957b8d712de59c6269b52896e8cc60d258e
SSDEEP

768:SRoS5Gcu6KDBZGvXVoc7vwFrbxazHs1W498cIOEDAF54:SRPMNGfVoevwlbxEs1WRcIjf

Score

10^/10

andromeda backdoor botnet discovery persistence upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

82397e61d9b5eda38cebb93da544a9da_JaffaCakes118.exe

Resource

win7-20241010-en

andromeda backdoor botnet discovery persistence upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

82397e61d9b5eda38cebb93da544a9da_JaffaCakes118.exe

Resource

win10v2004-20241007-en

andromeda backdoor botnet discovery persistence upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  82397e61d9b5eda38cebb93da544a9da_JaffaCakes118
- Size
  
  43KB
- MD5
  
  82397e61d9b5eda38cebb93da544a9da
- SHA1
  
  5534c45b28462525d23dd3829793a93bb52a5eae
- SHA256
  
  f61b5c1c425d49a70487f13f500b96384bd058af7005f977a12e6d7bb31a4ba0
- SHA512
  
  e74abfe0a749d7fd4ef5fdb727177498522c0e58d9bee5c87f084ad3fed1e538b45a4917b44bf85933ad6f93081b3957b8d712de59c6269b52896e8cc60d258e
- SSDEEP
  
  768:SRoS5Gcu6KDBZGvXVoc7vwFrbxazHs1W498cIOEDAF54:SRPMNGfVoevwlbxEs1WRcIjf
Score

10^/10

andromeda backdoor botnet discovery persistence upx
- Andromeda family
  andromeda
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscoverypersistenceupx

behavioral2

andromedabackdoorbotnetdiscoverypersistenceupx

© 2018-2024

Terms | Privacy