EP_X0FF wrote:
That's an old or different build of Andromeda, variant "I". In this thread, mostly the "F" variant is attached. Analyze the code, not how and where it connects.
Usual Andromeda encrypted strings related to AntiVM/SandboxIE.
Code:
Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД…А…© З…|юяя j h.dllhpi32hadva‹ДPяUи‰EАѓД…А„Y hѕ<л‡яuАимъяя‰EФ…А„A hG1ћяuАиФъяя‰EР…А„) hRzСҐяuАијъяя‰EМ…А„ hnum hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
This
Code:
Uии sbiedll.dllя^юFVяUШюN…А…b и
advapi32.dllя^юFVяUм‰EДюN…А„ hУz:БяuДиЮщяя‰EФ…А„я hю9°яuДиЖщяя‰EР…А„з h5)©яuДи®щяя‰EМ…А„П и, system\currentcontrolset\services\disk\enum
And many other similarities.
I had a look at this sample, and I guess this is the new version of Andromeda: this sample has some anti-debug/disassembly tricks that were not present in the "usual" sample, and the code which launches the injector is in a SEH handler (triggered by the "or word ptr [eax+46h], 80h"). To get the real payload (not the loader), start the malware in OllyDbg and set EIP to 00401AA2.
Then, there are some differences in the compressed payload: the RC4 decryption key is now before the payload size and memory size, but compression is still done with jCalg1 (a variant of aPLib), and API calls in the payload are obfuscated to make the malware more difficult to reverse (the malware copies the first instruction into its memory space and then jumps to API+next_instruction to fuck up OllyDbg).
Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this on my blog :)). And there are more anti-debug tricks, which makes me believe it's a new version of Andromeda instead of an older one.
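Added example (not code from this thread or from the malware): the dumps above show runs like "hdll hdll.hsbie", which is how stack strings built from PUSH imm32 (opcode 0x68, rendered as 'h' in the cp1251 dump) look in raw bytes, and this Python decoder reconstructs them for an analyst. The push_string helper and the SAMPLE bytes are constructed here to mirror the sbiedll.dll, advapi32.dll and registry-path strings visible in the dumps.

```python
"""Decode x86 stack strings built with PUSH imm32 (0x68) / PUSH imm8 (0x6A).
Each PUSH lands at a lower stack address than the previous one, so the
pushed chunks must be read in reverse order to recover the string."""
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")

def decode_stack_strings(code: bytes, min_len: int = 4):
    """Return [(offset, text)] for each run of consecutive PUSH imm32/imm8
    whose reversed immediates form printable ASCII.  Heuristic: any other
    opcode ends a run, a pushed NUL ends the text, padding spaces are dropped."""
    found, i = [], 0
    while i < len(code):
        start, chunks = i, []
        while i < len(code):
            if code[i] == 0x68 and i + 5 <= len(code):      # PUSH imm32
                chunks.append(code[i + 1:i + 5]); i += 5
            elif code[i] == 0x6A and i + 2 <= len(code):    # PUSH imm8
                chunks.append(code[i + 1:i + 2]); i += 2
            else:
                break
        if not chunks:
            i += 1
            continue
        raw = b"".join(reversed(chunks))            # last push = lowest address
        text = raw.split(b"\x00", 1)[0].decode("latin-1").rstrip(" ")
        if len(text) >= min_len and all(c in PRINTABLE for c in text):
            found.append((start, text))
    return found

def push_string(s: str) -> bytes:
    """Constructed helper: PUSH 0 (terminator) then PUSH imm32 chunks of the
    space-padded string, last chunk first, as hand-rolled stack strings do."""
    s = s.ljust((len(s) + 3) // 4 * 4, " ")
    chunks = [s[j:j + 4].encode() for j in range(0, len(s), 4)]
    return b"\x6a\x00" + b"".join(b"\x68" + c for c in reversed(chunks))

# Constructed sample mirroring the dump: a stack string, then
# mov eax, esp / push eax / call [ebp-4]  (8B C4 50 FF 55 FC, which the
# cp1251-rendered dump shows as "‹ДPяUь"), then the next string.
SAMPLE = (push_string("sbiedll.dll") + b"\x8b\xc4\x50\xff\x55\xfc"
          + push_string("advapi32.dll") + b"\x8b\xc4\x50\xff\x55\xe8"
          + push_string(r"system\currentcontrolset\services\disk\enum"))

if __name__ == "__main__":
    for off, text in decode_stack_strings(SAMPLE):
        print(f"{off:#06x}: {text}")
```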