rkhunter wrote:http://www.0xebfe.net/blog/2013/03/30/f ... andromeda/Many people seem to have been fooled by that. http://www.lastline.com/analysis-of-an-evasive-backdoor
A forum for reverse engineering, OS internals and malware analysis
This was posted few weeks ago http://www.kernelmode.info/forum/viewto ... 773#p18773
Ring0 - the source of inspiration
SHA1
Code: Select all
2b15d7f5195f766e5151c4da772c5965c6d6eccb
b6e6850bca9ae2440c9a6f3fc19c999f2b81fec3
f6c60be8656242d4024d6f93dfc992d681e0442c
1925a0119584288d48bd54bd5b5a992788705f86
388c37ecbd40d531dd03afce462ccfc563924a8b
9a2192f413ac99127f14e9da708a49c97261a078
c6a5c476d0f662adf4d74e26b6bdbb592c57d7d6
d196982db154ef8ab98ce96a0e5053808983c51e
e69054e9f00af5fff867dc1ad95946c0aae3a6b8
f6c60be8656242d4024d6f93dfc992d681e0442c
8a262d6e513c60f10ef0b117de92b3db79885088
Attachments
pass: infected
(407.15 KiB) Downloaded 86 times
(407.15 KiB) Downloaded 86 times
Ring0 - the source of inspiration
EP_X0FF wrote:SHA1Any idea if they/some are the "reloaded" version namely "Andromeda 2.7" or the old version?
Code: Select all2b15d7f5195f766e5151c4da772c5965c6d6eccb b6e6850bca9ae2440c9a6f3fc19c999f2b81fec3 f6c60be8656242d4024d6f93dfc992d681e0442c 1925a0119584288d48bd54bd5b5a992788705f86 388c37ecbd40d531dd03afce462ccfc563924a8b 9a2192f413ac99127f14e9da708a49c97261a078 c6a5c476d0f662adf4d74e26b6bdbb592c57d7d6 d196982db154ef8ab98ce96a0e5053808983c51e e69054e9f00af5fff867dc1ad95946c0aae3a6b8 f6c60be8656242d4024d6f93dfc992d681e0442c 8a262d6e513c60f10ef0b117de92b3db79885088
@exitthematrix
And check this one. This sample is described in blogpost linked above.
Can be problematic to launch this sample, so when you are in debugger, take a look on @00405764 (easy to find, multiple combinations of cpuid/rdtsc), there all the magic of first stage take place -> set IP to
https://www.virustotal.com/en/file/29a5 ... /analysis/
https://www.virustotal.com/en/file/87a4 ... /analysis/
exitthematrix wrote:Any idea if they/some are the "reloaded" version namely "Andromeda 2.7" or the old version?Check all that detected as Gamarue.I, maybe that is what you are looking for.
And check this one. This sample is described in blogpost linked above.
Can be problematic to launch this sample, so when you are in debugger, take a look on @00405764 (easy to find, multiple combinations of cpuid/rdtsc), there all the magic of first stage take place -> set IP to
Code: Select all
dropper will continue to runpe part. In attach dropper (courtesy of markusg), decrypted 2stage dropper. Payload - TCP bind shell position independed code can be easily retrieved after NtAllocateVirtualMemory call. @00401247 in 2stage is decrypt proceduremov eax, main
call eaxhttps://www.virustotal.com/en/file/29a5 ... /analysis/
https://www.virustotal.com/en/file/87a4 ... /analysis/
Attachments
pass: infected
(42.58 KiB) Downloaded 87 times
(42.58 KiB) Downloaded 87 times
Ring0 - the source of inspiration
11 Andromeda droppers.
SHA1
SHA1
Code: Select all
298097a499a1e45314c7eaabb109ba7da70f4bf0
e3dcbd78ff5959e30f5645613474beac45f5554a
0e6f901a8193bac8ff5ca70325aceb63ed0c2476
19c1effb5294eb1d59ec530b73a4526d8a882107
19f8e7ac332db4d1508e7ac25f1f5591834f31cb
36129292066f264d46fdbe7ab67b976aa79421a6
4756a1687d8027ddab4a5efa034dbb1de2cc017d
ba09891a52d71d2ad2cc1acc76c8b774c34f1491
c9ca537a994bc4ec79128bbc5771252c08ca8fa6
e080a9a86da2ec9a20938d82c9ee983989414847
e3dcbd78ff5959e30f5645613474beac45f5554a
f881727c18fdb1a9fdf65f2dc6e18ceced6be226Attachments
pass: infected
(463.84 KiB) Downloaded 94 times
(463.84 KiB) Downloaded 94 times
Ring0 - the source of inspiration
Possible Gamarue attached. Received in spammail.
Subject:
Subject:
SMS-MMS Id505044
Attachments
(21.28 KiB) Downloaded 74 times
Gamarue has code Anti-Emulation and Anti-VM to detect the presence of Virtual machine, I was able to execute it on patched VM, but can you tell me does it have technique to disable USB spreading when it detects VM...