andromeda | 41db276d5cbc34f14c9e6e3e62f6d5c29a729ebddabdef81a4560d81621027c8

General

Target

JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe
Size

113KB
MD5

6a06edf7220feef981bdf792639423cf
SHA1

f5264fbec2a6d25985cfd45791cc6782d60a80f2
SHA256

41db276d5cbc34f14c9e6e3e62f6d5c29a729ebddabdef81a4560d81621027c8
SHA512

ccba736de8953e270a428dfddb6d8ac1ea61d625047567ec932c47f96876cb7fc0ec72d1407263a6b4d1a94d1e931d341994ebac4eeb1b19a27eaa89aaea9838
SSDEEP

3072:hbVemShTk0mhkk8X7ANVu7HNUIXbM44UusJ4MLklJ:mzhRNFgDE8

Score

10^/10

andromeda backdoor botnet discovery persistence

Malware Config

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 2 IoCs

resource	yara_rule
behavioral2/memory/5004-15-0x0000000000DF0000-0x0000000000DF5000-memory.dmp	family_andromeda
behavioral2/memory/5004-19-0x0000000000DF0000-0x0000000000DF5000-memory.dmp	family_andromeda

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\52410 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mszaww.exe"	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\mszaww.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3824	vbc.exe
3824	vbc.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3824	vbc.exe
3824	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99
PID 2360 wrote to memory of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99
PID 2360 wrote to memory of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99
PID 2360 wrote to memory of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99
PID 2360 wrote to memory of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99
PID 2360 wrote to memory of 3824	2360	JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe	99
PID 3824 wrote to memory of 5004	3824	vbc.exe	100
PID 3824 wrote to memory of 5004	3824	vbc.exe	100
PID 3824 wrote to memory of 5004	3824	vbc.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a06edf7220feef981bdf792639423cf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-7-0x0000000074D82000-0x0000000074D83000-memory.dmp

Filesize
4KB

Download
memory/2360-1-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2360-2-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2360-3-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2360-6-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2360-0-0x0000000074D82000-0x0000000074D83000-memory.dmp

Filesize
4KB

Download
memory/2360-8-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3824-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3824-9-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/5004-13-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/5004-11-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/5004-15-0x0000000000DF0000-0x0000000000DF5000-memory.dmp

Filesize
20KB

Download
memory/5004-19-0x0000000000DF0000-0x0000000000DF5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads