A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19877  by EP_X0FF
 Sun Jun 30, 2013 6:55 am
MAXS wrote: Gamarue has anti-emulation and anti-VM code to detect the presence of a virtual machine. I was able to execute it on a patched VM, but can you tell me whether it has a technique to disable USB spreading when it detects a VM...
It won't start if a VM is detected.
 #19880  by EP_X0FF
 Sun Jun 30, 2013 7:09 am
MAXS wrote: I suppose you thought about spreading. Then how did I get to execute the malware on a VM?
Prepare the VM for malware analysis; what is the problem?
 #19882  by EP_X0FF
 Sun Jun 30, 2013 7:47 am
MAXS wrote: We didn't understand each other. I was able to start Gamarue under a VM, but when I plug in a USB drive, nothing happens, no spreading...
Then your particular sample does not have the USB spreading feature.
 #19883  by TwinHeadedEagle
 Sun Jun 30, 2013 8:06 am
I was able to find hashes for Gamarue samples that should spread via removable drives.

cc9bfaa5b6d6201bf6ccad0ddda29d782b5e46deea94c0a0376e945456fda614
68146d831b73e9e372d7de2897788b83506386bca6d69d7dd230d4f8f565a874
e6cbcfbfbd8cf3e40d31408ea004b8b267b9fab14c69304a1fb6506264f825c4
184957150e0dc89fcc4f1944cfc6413d1d4940dc3affff8cac35af155ca9d960

I need all four, thanks :)
 #19978  by rough_spear
 Fri Jul 05, 2013 3:56 pm
Hi All, :D

15 sample files of Andromeda.

List of MD5s:

09FE6259BCD918AC54B8C6CC7CCF3C96
0D1D347D1A063985451B20295A8A25F1
232DFCE76EB1F86A6C3960BF40FD8014
48E29119B03641499492336695C29FFD
6499A9B9E4AC5EE7A6B45A1E2E2F0648
790458B3C8CAA22E65B251F6BCE0AB40
79F7519035B9923B9F7D4D2DC50CE23C
8B3D5C921B87E6926B1D70F992CF76D1
9036B228EEF3BC0F0A785D1C91F4D5B3
ABD9C787547E4994CB12903DDFF18822
C00EBF839E8728DB2EE132B60DEA8F6C
DE1B8A9943ABA93DDCB0841BD8F982A3
F3BD9F6300AB86B917A308BEC5EF9FC3
F9A79E80AD49748A60C9AB67DAD9DF10
FE80E55F494EA5368F6BC41622C12BEA

Regards,

rough_spear. ;)
Attachment: archive (670.72 KiB), password - infected.
 #19998  by EP_X0FF
 Sun Jul 07, 2013 4:17 am
Andromeda USB infection control flow.

As an example we take the dumb110 sample.

1) The LNK triggers the first loader. In our case it is ~$WQXIND.FAT32 (internally named dll_down_exec.dll), an MSVC-compiled loader packed with UPX whose purpose is to execute the next stage;

2) The loader reads the contents of the desktop.ini file, which is actually 32-bit code, and executes it;

3) The desktop.ini code performs several actions: it decrypts the main dropper body from the file Thumbs.db, saves it on disk in the temp folder as TrustedInstaller.exe and then executes it;

4) TrustedInstaller is the core component of the infection (https://www.virustotal.com/en/file/8cc8 ... 373170005/). It is another complex Andromeda loader stage (T:\ldr\CUSTOM\local\local\Release\ADropper.pdb). Its purpose is to install the actual payload (https://www.virustotal.com/en/file/5848 ... /analysis/) and the USB infection DLL (T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb), which is stored as an encrypted key in the registry, HKCU\Software under the key ImageBase. Worm65.dll contains the loader from the first stage and all data required for USB infection:
Code:
http://suckmycocklameavindustry.in/
IsWow64Process
kernel32
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
Hidden
Shell_TrayWnd
0
Software
ImageBase
.exe
.bat
.vbs
.pif
.cmd
%s\*
.
..
%s\%s
Backup.
%s.exe
%s%s
~$W
.LNK
.INF
.INI
Thumbs.db
LaunchU3.exe
\*
\
desktop.ini
autorun.inf
NtQuerySystemInformation
ntdll
NtQueryObject
%s\
GetDiskFreeSpaceExW
kernel32.dll
%s\DCIM
%s\Windows
%s\
%s\desktop.ini
%s\~$W%s.FAT32
%s\Thumbs.db
~$W%s.FAT32,_ldr@16
desktop.ini
RET
TLS
"
"
%s\My Removable Device (%I64uGB).lnk
shell32.dll
rundll32
%s\%s (%I64uGB).lnk
ABCDEFGHIJKLMNOPQRSTUVWXYZ
%c:\
%sautorun.inf
Note the message to the AV industry from Andromeda's script-kiddie author; maybe wahoo, idgaf anyway;

5) The end of the cycle: if a removable drive is found, it is infected/reinfected with the encrypted data read from the registry and written to the file "thumbs.db", and the binary file with 32-bit code is written to "desktop.ini", together with the loader DLL and a shortcut.

@borgir

Now find here "rdtsc", "sandbox" and the other BS you posted previously.
Your posts have been removed as they make no sense. Furthermore, stay away from posting BS just because you want to look cool while you actually look like an idiot.
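Added example, not from the thread and not the malware author's code: a small Python triage script that checks a drive root for the on-disk layout EP_X0FF describes above (a desktop.ini that is code rather than INI text, a Thumbs.db that is an opaque blob rather than a real OLE thumbnail cache, a ~$W<name>.FAT32 loader DLL with an MZ header, and a .lnk that invokes it via rundll32 ... .FAT32,_ldr@16). The file-name patterns and the rundll32 export string come from the string dump in the post; the heuristics (INI text check, OLE magic check) and the constructed sample roots are my own assumptions, and the file contents used for the demo are stand-in bytes, not Andromeda code.

```python
"""Triage a removable-drive root for the Andromeda USB-infection layout.

Indicators checked (names from the Worm65.dll string dump in the post):
  desktop.ini                      -> should be INI text, not 32-bit code
  Thumbs.db                        -> should be an OLE compound file, not a blob
  ~$W<name>.FAT32                  -> MZ-headed loader DLL
  <label> (<N>GB).lnk              -> runs "rundll32 ~$W<name>.FAT32,_ldr@16"
Heuristics and sample data are this example's own assumptions.
"""
import os
import re
import tempfile

# Header of an OLE compound file; a genuine Windows Thumbs.db starts with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Loader DLL name pattern from the string dump: "%s\~$W%s.FAT32".
LOADER_RE = re.compile(r"^~\$W.+\.FAT32$", re.IGNORECASE)
# rundll32 argument from the dump: "~$W%s.FAT32,_ldr@16" (LNK arguments are UTF-16LE).
EXPORT_CALL = ".FAT32,_ldr@16"


def _contains(data: bytes, text: str) -> bool:
    """Match text whether it is stored as ASCII or as UTF-16LE."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def looks_like_ini(data: bytes) -> bool:
    """A real desktop.ini is text (UTF-8 or BOM-marked UTF-16) opening with a [section]."""
    encodings = ["utf-8-sig"]
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        encodings.insert(0, "utf-16")
    for enc in encodings:
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.lstrip().startswith("[") and all(c.isprintable() or c in "\r\n\t" for c in text):
            return True
    return False


def triage_removable_root(root: str) -> dict:
    """Inspect the files directly in a drive root and return the findings."""
    files = {n.lower(): n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))}

    def read(lname: str) -> bytes:
        with open(os.path.join(root, files[lname]), "rb") as fh:
            return fh.read()

    findings = {
        "fake_desktop_ini": "desktop.ini" in files and not looks_like_ini(read("desktop.ini")),
        "thumbs_db_not_ole": "thumbs.db" in files and not read("thumbs.db").startswith(OLE_MAGIC),
        "loader_dlls": [n for n in files.values()
                        if LOADER_RE.match(n) and read(n.lower()).startswith(b"MZ")],
        "infection_lnks": [n for n in files.values() if n.lower().endswith(".lnk")
                           and _contains(read(n.lower()), "rundll32")
                           and _contains(read(n.lower()), EXPORT_CALL)],
        "autorun_inf": "autorun.inf" in files,  # weak indicator on its own
    }
    findings["verdict"] = bool(findings["loader_dlls"] or findings["infection_lnks"]
                               or (findings["fake_desktop_ini"] and findings["thumbs_db_not_ole"]))
    return findings


def build_constructed_infected_root(root: str) -> None:
    """Constructed stand-in for an infected drive root (assumed layout, not real malware bytes)."""
    lnk_args = "rundll32 ~$WQXIND.FAT32,_ldr@16".encode("utf-16-le")
    layout = {
        "desktop.ini": b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00" + b"\x90" * 16,  # code-like, not text
        "Thumbs.db": bytes(range(7, 200)),                  # opaque blob, no OLE header
        "~$WQXIND.FAT32": b"MZ" + b"\x90" * 62,             # MZ-headed stub for the loader DLL
        "My Removable Device (8GB).lnk": b"L\x00\x00\x00" + b"\x00" * 72 + lnk_args,  # minimal LNK-like stub
        "autorun.inf": b"[autorun]\r\n",
    }
    for name, data in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def build_clean_root(root: str) -> None:
    """Constructed benign drive root: textual desktop.ini, OLE Thumbs.db, harmless shortcut."""
    layout = {
        "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\shell32.dll,8\r\n",
        "Thumbs.db": OLE_MAGIC + b"\x00" * 24,
        "notes.lnk": b"L\x00\x00\x00" + "C:\\Users\\me\\notes.txt".encode("utf-16-le"),
    }
    for name, data in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Run the triage over both constructed roots; returns {"infected": ..., "clean": ...}."""
    out = {}
    for label, builder in (("infected", build_constructed_infected_root), ("clean", build_clean_root)):
        with tempfile.TemporaryDirectory() as root:
            builder(root)
            out[label] = triage_removable_root(root)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Against a real mounted stick you would call triage_removable_root("E:\\") (or the mount point on Linux). The script does not check the hidden/system attributes the worm sets (the ShowSuperHidden string suggests it also hides them from Explorer), and a legitimate shortcut plus a legitimate Thumbs.db will never trip the combined verdict; only the loader DLL or the rundll32 export string is treated as decisive on its own.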