A forum for reverse engineering, OS internals and malware analysis 

Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.

Re: Backdoor Andromeda (alias Gamarue)

 #17788  by unixfreaxjp
 Mon Jan 21, 2013 12:27 pm
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually It is supposed to connect to both.
I can report of what the reproduction pcap data/memory dump shows only,
I would love to see it connect to ugctrust.com since the original report also showed it download payloads ransomware from that site. That'll be a crime evidence we're after.

Re: Backdoor Andromeda (alias Gamarue)

 #17791  by Userbased
 Mon Jan 21, 2013 4:14 pm
unixfreaxjp wrote:
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually It is supposed to connect to both.
I can report of what the reproduction pcap data/memory dump shows only,
I would love to see it connect to ugctrust.com since the original report also showed it download payloads ransomware from that site. That'll be a crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
Attachments
(1.99 KiB) Downloaded 78 times

Re: Backdoor Andromeda (alias Gamarue)

 #17866  by unixfreaxjp
 Fri Jan 25, 2013 9:20 pm
Userbased wrote:
unixfreaxjp wrote:
Userbased wrote:The andromeda sample connects to ugctrust.com/image.php. No download tasks for it at the moment.
Actually It is supposed to connect to both.
I can report of what the reproduction pcap data/memory dump shows only,
I would love to see it connect to ugctrust.com since the original report also showed it download payloads ransomware from that site. That'll be a crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
May I use this for shutdown purpose?

Re: Backdoor Andromeda (alias Gamarue)

 #17867  by Userbased
 Sat Jan 26, 2013 3:44 am
unixfreaxjp wrote:
Userbased wrote:
unixfreaxjp wrote: Actually It is supposed to connect to both.
I can report of what the reproduction pcap data/memory dump shows only,
I would love to see it connect to ugctrust.com since the original report also showed it download payloads ransomware from that site. That'll be a crime evidence we're after.
I have attached a pcap of the connection. I also included in the archive a program that will prevent Andromeda VM detection.
May I use this for shutdown purpose?
Go right ahead. That's why I posted it.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 13
 Return to “Malware”