A forum for reverse engineering, OS internals and malware analysis 
 #18497  by EP_X0FF
 Tue Mar 12, 2013 12:07 pm
Andromeda.

https://www.virustotal.com/ru/file/f203 ... /analysis/
%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched cmd.exe
Credits to markusg.
Attachments (pass: infected)
 #18499  by r3shl4k1sh
 Tue Mar 12, 2013 6:39 pm
EP_X0FF wrote: Andromeda.
This bot uses IRC to connect (AFAIK Andromeda usually uses other type of connection).

server:
206.41.117.126:2201
 #18504  by EP_X0FF
 Wed Mar 13, 2013 1:15 am
r3shl4k1sh wrote:
This bot uses IRC to connect (AFAIK Andromeda usually uses other type of connection).

server:
206.41.117.126:2201

That's an old or different build of Andromeda, variant "I". In this thread mostly attached "F" variant. Analyze code, not how and where it connects.

Usual Andromeda encrypted strings related to AntiVM/SandboxIE.
Code:
Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД…А…©  З…|юяя    j h.dllhpi32hadva‹ДPяUи‰EАѓД…А„Y  hѕ<л‡яuАимъяя‰EФ…А„A  hG1ћяuАиФъяя‰EР…А„)  hRzСҐяuАијъяя‰EМ…А„  hnum hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
This
Code:
Uии   sbiedll.dllя^юFVяUШюN…А…b  и
   advapi32.dllя^юFVяUм‰EДюN…А„  hУz:БяuДиЮщяя‰EФ…А„я   hю­9°яuДиЖщяя‰EР…А„з   h5)©яuДи®щяя‰EМ…А„П   и,   system\currentcontrolset\services\disk\enum
And many other similarities.
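The dumps above are raw bytes rendered in a Windows-1251 text pane, so every 0x68 (`push imm32`) opcode shows up as the letter `h` in front of a four-character chunk: `hdll hdll.hsbie` is `push 'dll '; push 'dll.'; push 'sbie'`, which builds `sbiedll.dll` on the stack, `h.dllhpi32hadva` builds `advapi32.dll`, and the long run ending in `hsyst` builds `system\currentcontrolset\services\disk\enum`. The four-byte pushes between them (`hѕ<л‡` and friends) are not ASCII and are left alone. As an added example (my code, not from the thread or the malware), here is a small Python scanner that finds runs of ASCII `push imm32` and reassembles the stacked strings in reverse push order. The `SAMPLE` bytes are constructed by hand to mirror the pushes visible in the dump; the filler instructions around them and the hash value are assumptions.

```python
"""Recover x86 'stacked strings' built with consecutive `push imm32`.

Added example for the Andromeda dump in this thread, not code from the
thread or the malware.  SAMPLE is constructed to mirror the visible push
sequences; the filler instructions and the hash value are assumptions.
"""
from typing import List

PUSH_IMM32 = 0x68   # the opcode that renders as 'h' in a cp1251 text pane


def _ascii_chunk(chunk: bytes) -> bool:
    """True if a 4-byte immediate is printable ASCII, optionally NUL-padded."""
    text = chunk.rstrip(b"\x00")
    return len(text) > 0 and all(0x20 <= b < 0x7F for b in text)


def recover_stack_strings(code: bytes, min_pushes: int = 2) -> List[str]:
    """Return every string assembled by a run of ASCII `push imm32`.

    The tail of the string is pushed first, so chunks are concatenated in
    reverse push order.  A NUL-padded chunk marks a string tail, which is
    how back-to-back strings inside one run are split apart.  Runs shorter
    than `min_pushes` are dropped: a lone printable immediate is far more
    likely a constant or an API hash than text.
    """
    found: List[str] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != PUSH_IMM32 or i + 5 > n or not _ascii_chunk(code[i + 1:i + 5]):
            i += 1          # not an ASCII push: this is a byte-wise heuristic, keep scanning
            continue
        # Collect the whole run of consecutive ASCII pushes.
        chunks: List[bytes] = []
        while i + 5 <= n and code[i] == PUSH_IMM32 and _ascii_chunk(code[i + 1:i + 5]):
            chunks.append(code[i + 1:i + 5])
            i += 5
        # A NUL-padded chunk after the first one is the tail of a new string.
        groups: List[List[bytes]] = [[]]
        for c in chunks:
            if groups[-1] and c.rstrip(b"\x00") != c:
                groups.append([])
            groups[-1].append(c)
        for g in groups:
            if len(g) >= min_pushes:
                found.append(b"".join(reversed(g)).rstrip(b"\x00 ").decode("ascii"))
    return found


def _push32(imm: bytes) -> bytes:
    """Encode `push imm32` for a 4-byte immediate."""
    assert len(imm) == 4
    return bytes([PUSH_IMM32]) + imm


# Constructed input mirroring the dump: sbiedll.dll, advapi32.dll, one
# non-ASCII hash push (must be skipped), then the disk\enum registry path.
SAMPLE = (
    b"\x55\x8b\xec"                                   # push ebp; mov ebp, esp (filler)
    + _push32(b"dll ") + _push32(b"dll.") + _push32(b"sbie")
    + b"\x8b\xc4\x50\xff\x55\xfc"                     # mov eax, esp; push eax; call [ebp-4]
    + b"\x6a\x00"                                     # push 0
    + _push32(b".dll") + _push32(b"pi32") + _push32(b"adva")
    + b"\x8b\xc4\x50\xff\x55\xe8"                     # mov eax, esp; push eax; call [ebp-18h]
    + b"\x68\xbe\x3c\xeb\x87" + b"\xff\x75\xc0"       # push <hash>; push [ebp-40h]
    + b"".join(_push32(c) for c in (
        b"num\x00", b"sk\\e", b"s\\di", b"vice", b"\\ser", b"lset",
        b"ntro", b"ntco", b"urre", b"em\\c", b"syst"))
    + b"\x8b\xc4\x50"                                 # mov eax, esp; push eax
)

if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE):
        print(s)
```

Point the scanner at a dumped code section (or the unpacked loader in memory) instead of `SAMPLE` to list the stacked strings without stepping through them in a debugger; anything that is pushed as a hash rather than text, like the three constants between `advapi32.dll` and the registry path in the dump, stays out of the output by design.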
 #18589  by rough_spear
 Tue Mar 19, 2013 12:55 pm
Hi All, :D

Here are two more samples, low detection.

44ff2421bbd7918c6ad68da4fa276e02

VT link - https://www.virustotal.com/en/file/8909 ... /analysis/

5 / 45

bc76bd7b332aa8f6aedbb8e11b7ba9b6

VT link - https://www.virustotal.com/en/file/9535 ... /analysis/

1 / 45

Regards,

rough_spear. ;)
Attachments (password: infected)
 #18613  by aaSSfxxx
 Wed Mar 20, 2013 7:00 pm
EP_X0FF wrote: That's an old or different build of Andromeda, variant "I". In this thread mostly attached "F" variant. Analyze code, not how and where it connects.
I had a look at this sample, and I guess this is the new version of Andromeda: this sample has some anti-debug/disassembly tricks that were not present in the "usual" sample, and the code which launches the injector is in a SEH handler (triggered by the "or word ptr [eax+46h], 80h"). To get the real payload (not the loader), start the malware in OllyDbg and set EIP to 00401AA2.

Then there are some differences in the compressed payload: the RC4 decryption key is now before the payload size and memory size, but compression is still done with jCalg1 (a variant of aPLib), and API calls in the payload are obfuscated to make the malware more difficult to reverse (the malware copies the first instruction into its memory space and then jumps to API+next_instruction to fuck up OllyDbg).

Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this on my blog :)). And there are more anti-debug tricks, which makes me believe it's a new version of Andromeda instead of an older one.
 #18622  by r3shl4k1sh
 Thu Mar 21, 2013 12:36 pm
aaSSfxxx wrote:
Finally, communication with the C&C also changed in this sample :] (I'll have to continue my analysis and write something about this on my blog :)). And there are more anti-debug tricks, which makes me believe it's a new version of Andromeda instead of an older one.
I think you are right in your assumption that this sample is actually a new version.

When I wrote that:
r3shl4k1sh wrote:
This bot uses IRC to connect (AFAIK Andromeda usually uses other type of connection).

server:
206.41.117.126:2201
I had a problem with my Cuckoo sandbox: it didn't shut down properly after a previous analysis, and the results of that previous analysis merged with the analysis of this sample, hence I thought that this bot uses IRC.
 #18706  by aaSSfxxx
 Tue Mar 26, 2013 6:57 pm
As promised, I wrote an article about this sample (which is really an Andromeda 2.07 sample), which you can read here: http://aassfxxx.infos.st/article22/andr ... 7-analysis (feel free to ask me questions here or in the comments on the article ;) ).

In this version, nothing really new, just some funny anti-reversing tricks added by the malware author :).
 #18711  by EP_X0FF
 Wed Mar 27, 2013 2:43 am
One more Andromeda, found in VT trash.

SHA256: 078e0e8b3e98103a77d0e1b8dbe984d69ed05e4c22d2d82cec3891b73ee34aa9
SHA1: 9b1950ced92dd4226c19bc5c5f2afd22e8b42c17
MD5: 0ffda65e7a0f3b4b50ba3b8c78fc8726

https://www.virustotal.com/en/file/078e ... /analysis/
Attachments (pass: malware)