Gamarue / Andromeda Malware | Joachim De Zutter
March/April 2013

Malware spreads via USB.

The root of the USB device contains a *.LNK file whose filename is the volume name of the drive it is on; the shortcut's target is:

C:\WINDOWS\system32\rundll32.exe ~$WRIODZ.FAT,crys desktop.ini koadordo nycnqcjp " "

A common pattern is ".FAT,crys desktop.ini", where crys names the entry point that rundll32 calls in the DLL file with the extension .FAT.
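One way to triage rundll32 command lines for this pattern, as an added example rather than code from the original post: the sample command lines are constructed (only the first is the LNK target quoted above), and the trait checks are heuristics based solely on what is described here.

```python
"""Triage rundll32 command lines for the LNK pattern described above.
Added example, not the author's tooling: rundll32 is invoked as
"<dll>,<entrypoint> <arguments>", and the checks encode only the traits the page
reports (bare DLL name, "~$" prefix, ".FAT" extension, export "crys", desktop.ini).
"""
import re

# rundll32 itself, optionally with a path and quotes, followed by its target
RUNDLL32_RE = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)

# Constructed sample: line 0 is the LNK target quoted on the page; the rest are
# benign rundll32 uses and a non-rundll32 command for contrast.
SAMPLE_CMDLINES = [
    'C:\\WINDOWS\\system32\\rundll32.exe ~$WRIODZ.FAT,crys desktop.ini koadordo nycnqcjp " "',
    'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    'C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\advpack.dll,LaunchINFSection setup.inf,DefaultInstall',
    'notepad.exe readme.txt',
]

def parse(cmdline):
    """Split a rundll32 command line into dll, entry point and arguments (None if not rundll32)."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    target, _, args = m.group("rest").partition(" ")  # the target ends at the first space
    dll, _, entry = target.partition(",")             # the export name follows the comma
    return {"dll": dll.strip('"'), "entry": entry, "args": args.strip()}

def indicators(rec):
    """List the traits of the page's LNK target present in one parsed command line."""
    dll = rec["dll"]
    ext = dll.rsplit(".", 1)[1].lower() if "." in dll else ""
    hits = []
    if "\\" not in dll:
        hits.append("dll by bare name: found via the DLL search path, which includes the working directory")
    if dll.startswith("~$"):
        hits.append("dll name starts with ~$")
    if ext != "dll":
        hits.append(f"dll extension is not .dll: {ext or '(none)'}")
    if rec["entry"].lower() == "crys":
        hits.append("entry point 'crys'")
    if rec["args"].lower().startswith("desktop.ini"):
        hits.append("desktop.ini passed as the first argument")
    return hits

def verdict(hits):
    """Three or more traits together is the full pattern; one or two warrant a look."""
    return "suspicious" if len(hits) >= 3 else "review" if hits else "clean"

def triage(cmdlines):
    """Map every rundll32 command line to (verdict, indicators); other commands are skipped."""
    report = {}
    for line in cmdlines:
        rec = parse(line)
        if rec is not None:
            hits = indicators(rec)
            report[line] = (verdict(hits), hits)
    return report
```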

On the USB device where the *.LNK file was found, the DIR /A:H command lists hidden directories, one of which appears to have no name:

[Screenshot: DIR /A:H listing of the USB root]

The same screenshot also shows two hidden files:

Filename: Thumbs.db
Filesize: 275962
MD5: 44d679768e2bbc445f99204e901e9a72
SHA1: b7bb9154339c4ddac6fa501906c839d2ad05ae01
SHA256: 39ec8e77327784fed08c50ee1cd869a4b93ef420a38302681284049433efbe25

Filename: autorun.inf
Filesize: 0

Microsoft Answers: Files on external drive have been moved to a folder with no name in the drive and a shortcut to it was left in its place

Symantec AV also found some other files:

Risk,Filename,Original Location,Status,Date
Downloader,"desktop.ini","J:\","Infected","28.3.2013 ?. 16:12 ?."
Backdoor.Trojan,"desktop.ini","J:\ \","Infected","28.3.2013 ?. 16:12 ?."
Backdoor.Trojan,"A0056595.ini","K:\System Volume Information\_restore{AF8EEFC3-3792-455F-9A53-1D2FCC6F0564}\RP236\","Infected","28.3.2013 ?. 16:32 ?."
Backdoor.Trojan,"A0032909.ini","K:\System Volume Information\_restore{BAFAD6F8-7CC7-4FFA-A569-1B3CC4F192E8}\RP49\","Infected","28.3.2013 ?. 16:32 ?."
Downloader,"A0032910.ini","K:\System Volume Information\_restore{BAFAD6F8-7CC7-4FFA-A569-1B3CC4F192E8}\RP49\","Infected","28.3.2013 ?. 16:32 ?."

Filename: System Volume Information/_restore{AF8EEFC3-3792-455F-9A53-1D2FCC6F0564}/RP236/a0056595.ini
Filesize: 126
MD5: cab87416589cfb1bc950b367959fe470
SHA1: 44e277fef77f3bdbafffa35566365fe8224e7fc9
SHA256: 50c38ce209e85ff7307da7249a91718704058b761bb4ddfd8fd18052153994e9

Filename: System Volume Information\_restore{BAFAD6F8-7CC7-4FFA-A569-1B3CC4F192E8}\RP49\A0032907.inf
Filesize: 0
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Filename: System Volume Information\_restore{BAFAD6F8-7CC7-4FFA-A569-1B3CC4F192E8}\RP49\A0032908.lnk
Filesize: 479
MD5: 0a42ece35eec226cd7c97ea926ae1191
SHA1: cf4eae76ffa96e71a2d488b4bc4ff4e7fe093390
SHA256: fe70b412a06e169ba7b774e174971bdb85573226ef79d8e55cd3b10d89978db2

Filename: System Volume Information\_restore{BAFAD6F8-7CC7-4FFA-A569-1B3CC4F192E8}\RP49\a0032909.ini
Filesize: 126
MD5: cab87416589cfb1bc950b367959fe470
SHA1: 44e277fef77f3bdbafffa35566365fe8224e7fc9
SHA256: 50c38ce209e85ff7307da7249a91718704058b761bb4ddfd8fd18052153994e9

Filename: System Volume Information\_restore{BAFAD6F8-7CC7-4FFA-A569-1B3CC4F192E8}\RP49\a0032910.ini
Filesize: 2936
MD5: b140a84d99f6af63664c36079857265e
SHA1: a81eac190fffd22a946b3de490ae7b70c714e8af
SHA256: 37a05d508411190d6324d475132fa31a6d9a5d946d0b7ea31722cb63a19373cd

The file with MD5 b140a84d99f6af63664c36079857265e contains executable code. It builds strings on the stack such as "---.exe", C:\TEMP\TrustedInstaller.exe and a domain name that, in April 2013, redirected to other URLs from which encrypted binary files could be downloaded.

http://www.utrace.de/?query=79.124.90.226
Provider: Powernet Ltd Assigned address space
Region: Sofia (Bulgaria)
http://www.utrace.de/?query=5.39.220.224
Provider: Hostkey B.v. (The Netherlands)

Filesize: 948352
MD5: a30e86828a5a724e0d471c98140ed1e3
SHA1: d18752920cf29895b8afd81ce7ba9f768cdd379b
SHA256: 2b2f062b3f9718518fa4cf820de850d5ed55aab8289b47f83d1e919a8fc3ff6a
The binary file with MD5 a30e86828a5a724e0d471c98140ed1e3 appears to be a UPX-compressed executable in weakly encrypted form (a byte substitution cipher). Decrypted, the file has the following checksums:
MD5: a11b7dec0a997dfb0fe63979c2fef639
SHA1: 55af2dc6f231362252904c5d779e1c465373338c
SHA256: 160d08e8c77655460ddbd1b9bd1107ba29cbe8ed7c7a455825ba72d0b2609bad
When the UPX-compressed executable is decompressed, the resulting executable file has a filesize of 1296000 bytes and the checksums are:
MD5: 41d651580dd9a7d58d921efddfc9cc2a
SHA1: 190c4fb0632f1e61582c9ae2055ee0077383a095
SHA256: f52a16784e0d750747432dba957755a1da3bdb5d5a12f414c3a5a9eff9015b03
The executable file with MD5 41d651580dd9a7d58d921efddfc9cc2a contains the following string:
"This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
The AutoIt script contains anti-debugging checks to detect analysis by Anubis.

Exe2Aut - AutoIt3 Decompiler

Filename: tik.pe
Filesize: 825856
MD5: 0d415989fe3e0c264b335dcc8600d987
SHA1: 659a82d5692d27c0873d0fa05aa936d9928df6f6
SHA256: f72a6e1bcd5c26471507a6ffa74be4d7f6367d79adecb02bd82356e12e25afba
The binary file with MD5 0d415989fe3e0c264b335dcc8600d987 appears to be an executable in weakly encrypted form (a byte substitution cipher); after decryption it contains the following multibyte strings (its VS_VERSION_INFO version resource):
VS_VERSION_INFO
StringFileInfo
Comments
Praslin
CompanyName
House
FileDescription
Marko
FileVersion
1, 3, 4, 7
InternalName
Travka
LegalCopyright
Copyright Mamuze
2013
LegalTrademarks
Fioka
OriginalFilename
Voda.exe
PrivateBuild
Rainbow
ProductName
Sunce
ProductVersion
3, 0, 0, 0
SpecialBuild
Kotlina
VarFileInfo
Translation
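As an added example (not the author's tooling), the following shows how a byte-substitution cipher of the kind described for these downloads can be recovered from known plaintext: the fixed MZ stub text and the UTF-16 VS_VERSION_INFO string listed above. The enciphered buffer and its substitution table are constructed stand-ins, since the actual table is not given here.

```python
"""Recover a byte-substitution table from known plaintext.
Added example, not the author's tooling: the buffer below is a constructed PE-like
blob enciphered with a stand-in permutation (the real table is not on the page).
Known plaintext comes from the MZ stub and the UTF-16 VS_VERSION_INFO string
listed above; bytes never covered by known plaintext stay marked as unknown.
"""
DOS_STUB = b"This program cannot be run in DOS mode."   # at 0x4E in the standard MZ stub
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")    # resource string, UTF-16LE in the file

def build_sample():
    """Constructed plaintext holding every byte value, and its enciphered form."""
    body = bytearray(bytes(range(256)) * 4)
    body[0:2] = b"MZ"
    body[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    body[0x200:0x200 + len(VERSION_KEY)] = VERSION_KEY
    table = [(167 * b + 89) & 0xFF for b in range(256)]  # stand-in: odd multiplier => a permutation
    return bytes(body), bytes(table[b] for b in body)

def learn(table, cipher, plain, offset):
    """Return table extended with cipher[offset+i] -> plain[i]; reject anything non-bijective."""
    new = dict(table)
    for i, p in enumerate(plain):
        c = cipher[offset + i]
        if new.get(c, p) != p or any(q == p and k != c for k, q in new.items()):
            raise ValueError(f"substitution inconsistent at offset {offset + i:#x}")
        new[c] = p
    return new

def find(table, cipher, plain, min_known=2):
    """Offsets where the bytes already recovered agree with plain and learning it stays consistent."""
    inv = {p: c for c, p in table.items()}
    pattern = [inv.get(p) for p in plain]          # None = not recoverable yet, acts as a wildcard
    if sum(pc is not None for pc in pattern) < min_known:
        return []                                  # too few anchors: every offset would match
    hits = []
    for off in range(len(cipher) - len(plain) + 1):
        if all(pc is None or cipher[off + i] == pc for i, pc in enumerate(pattern)):
            try:
                learn(table, cipher, plain, off)
                hits.append(off)
            except ValueError:
                pass
    return hits

def decrypt(table, cipher, unknown=ord("?")):
    """Apply the partial table; unmapped bytes are replaced by the marker, not guessed."""
    return bytes(table.get(c, unknown) for c in cipher)

def recover(cipher):
    """Header plaintext at fixed offsets first, then the version string wherever it sits."""
    table = learn({}, cipher, b"MZ", 0)
    table = learn(table, cipher, DOS_STUB, 0x4E)
    for off in find(table, cipher, VERSION_KEY):
        table = learn(table, cipher, VERSION_KEY, off)
    return table
```

Coverage is the point to watch: a table learned from header text alone maps only the byte values that text happens to contain, which is why the decrypted output keeps unknown bytes marked instead of guessing them.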

Filename: tik.pe.decrypted
Filesize: 825856
MD5: 752261aa419466cab4d5caab1d86112e
SHA1: bb1118dddb201bd643a8724a9b6e02b49fdf4866
SHA256: 785cf4c5993685c8a7d9254ea5a436799066e62f301eda8db7901db9dd8b8bf1
When executed, it created the following file with the system and hidden attributes set:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 94720
MD5: 48e29119b03641499492336695c29ffd
SHA1: 7c0eff63cdea6ea46f2a89f24e6f62e859e5e819
SHA256: 66a296fb5c388db8005c850f6c14fcfc36447bdc24a142ed4f6153d260846845
The executable file with MD5 48e29119b03641499492336695c29ffd was executed, after which it listened on TCP port 8000.

Filename: t.pe
Filesize: 284160
MD5: 07fe468b87395852e147c739c04b5fae
SHA1: be71526a1dce02eca1c26b8a647c4417c0325b7f
SHA256: 37f42df2e327234124a4c444e063b577caf3b55e7bee57b0751a6309ac0c64a0
The binary file with MD5 07fe468b87395852e147c739c04b5fae appears to be an executable in weakly encrypted form (a byte substitution cipher).

Filename: t.pe.decrypted
Filesize: 284160
MD5: cf27bcb7cda06fe314c8c658c41496cb
SHA1: 31242097483a7ffa65b1cd97ca7dbfd7d66fdb01
SHA256: 70b1f25ede2626e378de5ece8f9e983f154033f51da376699557f7475c0444cb
When executed, it created the following file with the system and hidden attributes set:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 187392
MD5: 70ca85fc2b48e472c6dd6ab7cb294d3d
SHA1: 67d4aed62aa984567de6227facd02811339408d7
SHA256: 9c0ace2b11b551667fa4ec8649464a94b2b9abb599a4675cfd3e981a83bd7661
The executable file with MD5 70ca85fc2b48e472c6dd6ab7cb294d3d was executed, after which it listened on TCP port 8000.

Filename: zwe.pe
Filesize: 840192
MD5: f96a963609e00a0363627d3a180f52f9
SHA1: 4e63019d2819808bc2f33af188996e22cb4274c7
SHA256: 2e80a28c90d75bf6644d9e0e79b933cc6b3368d6f880dcf2a80087ce7a70a744
The binary file with MD5 f96a963609e00a0363627d3a180f52f9 appears to be an executable in weakly encrypted form (a byte substitution cipher); after decryption it contains the following multibyte strings (its VS_VERSION_INFO version resource):
VS_VERSION_INFO
StringFileInfo
Comments
Praslin
CompanyName
House
FileDescription
Marko
FileVersion
1, 3, 4, 7
InternalName
Travka
LegalCopyright
Copyright Mamuze
2013
LegalTrademarks
Fioka
OriginalFilename
Voda.exe
PrivateBuild
Rainbow
ProductName
Sunce
ProductVersion
3, 0, 0, 0
SpecialBuild
Kotlina
VarFileInfo
Translation

Filename: zwe.pe.decrypted
Filesize: 840192
MD5: bf59ec7efc9a09be2e071fa1a3c6c25a
SHA1: 30ecd5773f6d2ee4605beaa8a3b5a4d5f7942bb4
SHA256: c2191ede550367f14a1a20d9e2213b7872a3de1057bed9d23ff432f255b16e0c
When executed, it created the following file with the system and hidden attributes set:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 137216
MD5: a84c15fb551aa1de0ff9af31f4cad0f6
SHA1: d0ad2854e9a42545619de2259f9f3f16fee40981
SHA256: 3da8793008f61850e110b2e041fa2333e8bb37cc840c95cec4312801b14e6d26
The executable file with MD5 a84c15fb551aa1de0ff9af31f4cad0f6 was executed, after which it listened on TCP port 8000.

Filename: 11.pe
Filesize: 3584
MD5: c0b7822a9df33dfd0d86ad330ee2383b
SHA1: c46adfc88e58da66d172e78b9f6b188dee368215
SHA256: ea3a51724dbdd2646490c4a085016376110f88472918f6835718ffba2eea4bc3

Filename: 11.pe.decrypted
Filesize: 3584
MD5: 2cfb6983df0f1ec8d224ed542211a61d
SHA1: 955903fe8a1c9b422fab1df3009cc966252d5bc8
SHA256: 6e178550491d2e0b34da61f112c61060497b9eacdc7cfc4c5e25cbc069c130d7
It contains the string "crys".

Filename: zve
Filesize: 561152
MD5: 7b549d2a0da000f4b4ef8462e878406f
SHA1: 428f44895530fd5c8aa4742e960358abdbb3a58a
SHA256: 05d436b2c394481ef85f3d9872590cf8ae764074ee8821768114464c39b960c7
The binary file with MD5 7b549d2a0da000f4b4ef8462e878406f appears to be an executable in weakly encrypted form (a byte substitution cipher); after decryption it contains the following multibyte strings (its VS_VERSION_INFO version resource):
VS_VERSION_INFO
StringFileInfo
Comments
Praslin
CompanyName
House
FileDescription
Marko
FileVersion
1, 3, 4, 7
InternalName
Travka
LegalCopyright
Copyright Mamuze
2013
LegalTrademarks
Fioka
OriginalFilename
Voda.exe
PrivateBuild
Rainbow
ProductName
Sunce
ProductVersion
3, 0, 0, 0
SpecialBuild
Kotlina
VarFileInfo
Translation

Filename: zve.decrypted
Filesize: 561152
MD5: 560578a657a68e230544b0d0902e62ec
SHA1: 3a947afaec2f6849b8502e94bf849cfbd8f7e068
SHA256: 49e7711fb30665a14361e02cb9425e6e88360dff448000f95d3d4e1f2568ce0f
The executable created the following file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 200704
MD5: 25fd85603ceac00df8530d2dd2883e02
SHA1: 6ad37097988b968e9912e256c2c3f8217a8fa117
SHA256: 1cfa1734ec08a1034ac63b6689e37dd59c5d360ad06c85ec608f0c4fa5ec2d4d
The executable file with MD5 25fd85603ceac00df8530d2dd2883e02 was executed, after which it listened on TCP port 8000.

Filename: zdw
Filesize: 359936
MD5: a25cf86c208b499822e8b8d2cafb356f
SHA1: 45b30161e8045fd7f23ebe824ec6361764ef8399
SHA256: ca6727080fa5b18ec96f260228d239649559a427a67307f767a0e87e1c09ccaa

Filename: zdw.decrypted
Filesize: 359936
MD5: 1edef5be09486d8658f3f547b0fb2e0e
SHA1: 7ca33ed80b9d28ee075364f302ec608406079239
SHA256: e5b875d462fbd6217c905f7ef7d472645c4b32bf10efbef82d4f3af8f47182ee
The executable created the following file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 250880
MD5: 88d67dcabe60bdcf5e225765ceadbd09
SHA1: 5ac7641edc14dee9e28f783da5cef53f4c1cb18a
SHA256: 092d2e51eeb2aa092dbf35571dd4218877c2b25677299a6c71b60ef2bf5a7ca5
The executable file with MD5 88d67dcabe60bdcf5e225765ceadbd09 was executed, after which it listened on TCP port 8000.
The executable file with MD5 1edef5be09486d8658f3f547b0fb2e0e set the system and hidden attributes on its own file.

Filename: zwz
Filesize: 992768
MD5: bb4092205f768739e4a5b1b17f13d211
SHA1: 5161c36b4fd3229c6e1135d8b2a760113ef36df5
SHA256: af7b579aab91daa872758f896f857217868b7f86b02e6f35baaca369b4449ef4

Filename: zwz.decrypted
Filesize: 992768
MD5: 05f9e962566deb0a1a9f7529bc3bd0fc
SHA1: bfc5919b3cffa0af796a455b2a0ac7c912776683
SHA256: 9041897f450605415f205e717d7aa9768db1556853a4b9ec3402ad12123230f2
The executable created the following file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 250880
MD5: 88d67dcabe60bdcf5e225765ceadbd09
SHA1: 5ac7641edc14dee9e28f783da5cef53f4c1cb18a
SHA256: 092d2e51eeb2aa092dbf35571dd4218877c2b25677299a6c71b60ef2bf5a7ca5
The executable file with MD5 88d67dcabe60bdcf5e225765ceadbd09 was executed, after which it listened on TCP port 8000.

Filename: zzw
Filesize: 271872
MD5: 7e61ec1f35289f1df383ddc39405161c
SHA1: 7d1a83dd3a3862cd877280ff61b4751ba1575d93
SHA256: 3b4e2eadb7db4731a87298ccf1dcbe7a131c9dc4cc952fc9a857560763cd7716

Filename: zzw.decrypted
Filesize: 271872
MD5: 6499a9b9e4ac5ee7a6b45a1e2e2f0648
SHA1: 30823d23386b19411ebeb43cf339312e1bd242d3
SHA256: 35d6e37e52f71622076a6011faaa4a62b58563b19b6546b528f55b36a4a8766f
The executable created the following file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 183296
MD5: c55ffdfce830a08b6ba6172712573350
SHA1: bc3e0a7fd4bf5075d356f8036c3c793d7fd57b54
SHA256: 44f7c89142df63059e75ccda9117a02fec4c7ee4c58c787afe0e5ca9701f5e0a
The executable file with MD5 c55ffdfce830a08b6ba6172712573350 was executed, after which it listened on TCP port 8000.

Filename: zuz
Filesize: 536576
MD5: 36ae2d35572db2c9a5e7833d8d31a4e0
SHA1: 64910a7e5e915565f01e11c0c1118fb0c60aec28
SHA256: e750d73303dd584ba2e12352b4249ca9db6e0e920c071155bb793dfcd41dcf68

Filename: zuz.decrypted
Filesize: 536576
MD5: 7a1caa5fb2a927a73b3c9af267b19ce8
SHA1: 2c4f3a4be6377b67c645b7d05a66ee31ea243cb4
SHA256: a2119459f658d3e514e4f9b499ce3989b9fa26c2bfcf7904a67a0f67bd124627
Filesize: 190464
MD5: 347d61b639590169bb64cd1811e2643d
SHA1: 3f3a24a2d48e11adf52d14982027c05796df52cb
SHA256: 00146c6ac507db19b96ed030e0af750bb90da7ac82bc3029225786e0f7b62817
The executable file with MD5 347d61b639590169bb64cd1811e2643d was executed, after which it listened on TCP port 8000.


"Windows Security Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to keep blocking this program?
Name: Marko
Publisher: House
Keep Blocking Unblock Ask Me Later
Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher you can unblock it. When should I unblock a program?"

Filename: zin
Filesize: 771584
MD5: 40439b435778ef92db3b5c6ddb9afe3e
SHA1: 5401877823adc950775d0dd30febe6816546ce9f
SHA256: 117942942b67e7a89df47aeecc0b958f0b745682df0a2acac341cb2108ad8413
The binary file with MD5 40439b435778ef92db3b5c6ddb9afe3e appears to be an executable in weakly encrypted form (a byte substitution cipher); after decryption it contains the following multibyte strings (version-resource strings):
StringFileInfo
Comments
Preshin
CompanyName
Hause
FileDescription
Darko
FileVersion
2, 1, 3, 2
InternalName
Zdravka
LegalCopyright
Copyright
Radume
2013
LegalTrademarks
Gioka
OriginalFilename
Koda
PrivateBuild
Kizbow
ProductName
Drenzag
ProductVersion
5, 1, 8, 4
SpecialBuild
Mortlina
VarFileInfo
Translation

Filename: zin.decrypted
Filesize: 771584
MD5: 0f8d239dc9c43c839c1820e171b43603
SHA1: 7457bc8c52f2e01e369812562f01699ef4caeecd
SHA256: 01ae2b3011dbef145b63bf574054bd1a4b569fe0dd7349aba60d29c30cf7db69
The executable created the following file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 97280
MD5: 091999351f12b922b46b9f123852a6a8
SHA1: 34b73c5b8389c96bd7f180f674b531971296dbf9
SHA256: 970442897bec2c32e69aa9a89fb2fb1406aec897a568e0ebc2767afc414bcec0
The file with MD5 091999351f12b922b46b9f123852a6a8 was executed.
The executable file with MD5 0f8d239dc9c43c839c1820e171b43603 set the system and hidden attributes on its own file.

On 16 April 2013 the domain name in the binary file with MD5 b140a84d99f6af63664c36079857265e did not resolve to an IP address for some time. After that, it redirected to 217.23.11.124, from which weakly encrypted binaries could be downloaded.

http://www.utrace.de/?query=217.23.11.124
Provider: WorldStream (The Netherlands)

Filename: zzz
Filesize: 214016
MD5: 94e39e92dd7330f88ddd36ec0e042691
SHA1: 2d57e9fc23c7ce87a8729357b5a45b48de217325
SHA256: b8f70ac67ebac9a913ae493a68b2ca7ab3d63f6ac8158196b8b85d9ea5415a9a

Filename: zzz.decrypted
Filesize: 214016
MD5: cee33e59343ed51102057c62d36d4512
SHA1: 6197717ad1594d5ecd1162541f57ca7245f11aa3
SHA256: 070e726889e9da57bcbfe1ab4e4d2bf277dc5b98a21bc3c066cb5a9bbcf0351a
The file with MD5 cee33e59343ed51102057c62d36d4512 was packed with UPX; when decompressed, the file has a filesize of 1791488 bytes and the following checksums:
MD5: 42a51a220501e38b5b93306ff206600b
SHA1: cc8bbfb4622e99a2b94e59698b527c8881e2466e
SHA256: 9fcda4fb993424fb035b1600fab8e8c6f56e33c4174b11b55aa311650b0cbf5f
The executable created the following file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\_install_\msiexec.exe
Filesize: 97280
MD5: 091999351f12b922b46b9f123852a6a8
SHA1: 34b73c5b8389c96bd7f180f674b531971296dbf9
SHA256: 970442897bec2c32e69aa9a89fb2fb1406aec897a568e0ebc2767afc414bcec0
The file with MD5 091999351f12b922b46b9f123852a6a8 was executed.
The executable file with MD5 42a51a220501e38b5b93306ff206600b set the system and hidden attributes on its own file.

Filename: zzz
Filesize: 214016
MD5: 72c9add8710635db62515d98f84d10e8
SHA1: 5deb476b28f77efc79a8a93fb835e6e8a54bb877
SHA256: b5941c4e1a921dd661e45a3fedf11412d9a92616cda1fe7c420a2267662b1497

Filename: zzz.decrypted
Filesize: 214016
MD5: e4f4ae24234743e3cf9b8483a06ad2bd
SHA1: 665687965cb2bb78a3ca984b8a77f630ff838a8c
SHA256: cc1400691183db98de8e4ab8162a8d42802e178a3190a816407b2dea5ec6018d
The file with MD5 e4f4ae24234743e3cf9b8483a06ad2bd was packed with UPX; when decompressed, the file has a filesize of 1666048 bytes and the following checksums:
MD5: cd9282ddf6331fd71674b92575932ba0
SHA1: 23525f9074d1031ddd1d71180bc12e48be6a0971
SHA256: b26431576bdc0d52e8005983bf2f3b9120f6ca99226a942bbe701fc2596b8c45

On and after 20 April 2013 the domain name in the binary file with MD5 b140a84d99f6af63664c36079857265e did not resolve to an IP address.