A forum for reverse engineering, OS internals and malware analysis 

Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.

Re: Backdoor Andromeda (waahoo, alias Gamarue)

 #27066  by sysopfb
 Tue Oct 27, 2015 8:07 pm
Word doc macro downloads:
hxxp://91.229.79.231:8080/cfab2e3d.jpg


Can be decoded using the following script:
Code: Select all
array = [x for x in xrange(0,256)]
arg1 = open('cfab2e3d.jpg','rb').read()
arg2 = "abc123"
arg1 = bytearray(arg1)
arg2 = bytearray(arg2)

arg1_len = len(arg1)
arg2_len = len(arg2)


for i in xrange(256,286):
	array.append(i ^ 256)
for i in xrange(1,6):
	array[i+249] = arg2[arg2_len-i-1]
	array[i-1] = arg2[i-1] ^ (255 - arg2[arg2_len-i-1])

meh = 0
ces = 0
peej = False
for i in xrange(0,len(arg1)):
	if meh > len(arg2)-1:
		meh = 0
	if ces > 285 and peej == False:
		ces = 0
		peej = not peej
	if ces > 285 and peej == True:
		ces = 5
		peej = not peej
	arg1[i] = arg1[i] ^ (array[ces] ^ arg2[meh])
	meh += 1
	ces += 1

open('out.bin','wb').write(arg1)
Produces Andromeda:
0/43
https://www.virustotal.com/en/file/ad57 ... /analysis/

RC4 key: 19fc8d0b7d4edbb2123ecf6adb73df3a

Same bot that was going to popping domains previously
C2:
hxxp://lipetskrulit.com/and/gate.php
hxxp://123ga6sd7d1123.com/and/gate.php

[5,{"klt":0},[1,1,"http:\/\/lipetskrulit.com\/886.exe"],[4,1,"http:\/\/91.229.79.231:8080\/PWSBin.exe"],[6,1,"http:\/\/91.229.79.231:8080\/drose.exe"]]
Attachments
infected
(70.87 KiB) Downloaded 95 times

Re: Backdoor Andromeda (waahoo, alias Gamarue)

 #28441  by geoffreyvdb
 Mon May 02, 2016 10:56 am
Andromeda/Gamarue, 1/57
40cb267f944376dc378825cb23884e6f

drops msvmj.exe to C:\ProgramData
40cb267f944376dc378825cb23884e6f

CNC:
htxp://and28.aviationdreamflightering1.com/bla28/gate1.php
htxp://and28.aviationdreamflightering2.com/bla28/gate2.php
htxp://and28.aviationdreamflightering3.com/bla28/gate3.php

https://www.virustotal.com/en/file/cb8d ... /analysis/

Re: Malware collection

 #28716  by xors
 Mon Jun 20, 2016 10:58 am
Found from a dropper

I think that it is Andromeda. Can anyone confirm ?
Attachments
pass: infected
(110.26 KiB) Downloaded 68 times
Last edited by EP_X0FF on Mon Jun 20, 2016 6:58 pm, edited 1 time in total. Reason: added password for archive
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
 Return to “Malware”