{
	"id": "15965d97-fa54-47df-8d30-7e0d04c456a8",
	"created_at": "2026-04-06T00:18:30.853722Z",
	"updated_at": "2026-04-10T03:21:05.712209Z",
	"deleted_at": null,
	"sha1_hash": "09c5ef5ffed40ed10befa97c6da979883951a7e7",
	"title": "Andromeda/Gamarue bot loves JSON too (new versions details)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 837925,
	"plain_text": "Andromeda/Gamarue bot loves JSON too (new versions details)\r\nArchived: 2026-04-05 13:08:14 UTC\r\nAfter my last post about Andromeda, different updates related to versions 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.7 features and the new anti-analysis tricks of version 2.08. After that, Kimberly was also mentioning version 2.09 in his blog, but I have not seen too many details about the latest versions of Andromeda. This is a summary of the interesting details about the newer versions.\r\nAndromeda versions\r\nAfter version 2.08, the parameter used to send the bot version to the panel was removed from the POST request, so now it is a bit more difficult to distinguish between versions. An easy way to spot the different versions is taking a look at the request format strings:\r\nid:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu (\u003c=2.06)\r\nid:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu (2.07/2.08)\r\nid:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu (2.09)\r\n{\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu} (2.10?)\r\nIf the element bv (bot version) is present, it is easy, but if it is not there this trick can help. The latest version I have analyzed uses JSON to communicate with the control panel, but I am not 100% sure whether it is really version 2.10 (advertised in March 2015) or a variation of version 2.09. I say that I am not sure because Alexandru Maximciuc (Bitdefender) spotted one version already in January 2015, and since then more botnets have been using this version, even before the advertisement was published in March.\r\nNowadays, most of the Andromeda botnets use the leaked version 2.06. The latest version seems to be really popular too, together with version 2.09. 
The rest of the versions seem to have a lower number of botnets.\r\nRC4 key and C\u0026C URL decryption\r\nSince version 2.09 Andromeda includes the fake RC4 key 754037e7be8f61cbb1b85ab46c7da77d, which is the MD5 hash of \"go fuck yourself\". Of course, this is just a distraction for the analysts and the real key is located at a different offset in memory. The RC4 key is used to encrypt the communication with the C\u0026C and, in reverse order, it is also used to decrypt the C\u0026C URLs. I won't give more details about it because this blog post explains really well how and where the decrypted URLs are stored in memory.\r\nTask types removed\r\nhttps://eternal-todo.com/blog/andromeda-gamarue-loves-json\r\nPage 1 of 8\n\nIn the previous versions of Andromeda seven different task types were supported when the bot was asking the C\u0026C for tasks to execute:\r\n1: Download executable\r\n2: Install plugin\r\n3: Update bot\r\n4: Install DLL\r\n5: Uninstall DLL\r\n6: Delete plugins\r\n9: Kill bot\r\nHowever, since version 2.09 the task types in charge of installing and uninstalling DLLs have been removed:\r\nNetwork Time Protocol (NTP) traffic\r\nThe latest version of Andromeda uses some NTP domains to obtain the real time and store it in a variable. This timestamp will be incremented by the bot as a time counter and it will be used as the first argument of the function \"aStart\", apparently exported by some plugins. The hardcoded NTP domains are:\r\neurope.pool.ntp.org\r\nnorth-america.pool.ntp.org\r\nsouth-america.pool.ntp.org\r\nasia.pool.ntp.org\r\noceania.pool.ntp.org\r\nafrica.pool.ntp.org\r\npool.ntp.org\r\nC\u0026C requests\r\nI was talking above about the request format used to send the different parameters to the control panel. This POST request is encrypted with the RC4 key and used to be encoded with Base64. 
However, this latest version of Andromeda skips the Base64 encoding and sends the data directly. It also changes the Content-Type header from the usual “application/x-www-form-urlencoded” to “application/octet-stream”. Fortunately for the lovers of SNORT rules, it keeps using the same User-Agent, “Mozilla/4.0”. This is an example of a random sample:\r\nTalking about the C\u0026C response, all the previous versions use the Botid (bid) to decrypt this information. However, the latest version uses the same RC4 key needed to encrypt the request, instead of the Botid.\r\nPlugin decryption\r\nWhen the previous Andromeda versions (\u003c=2.09) were installing plugins from a given URL, the bot was decrypting them by skipping certain bytes as a header and using the RC4 key to decrypt the data from a specific offset. After that aPLib was used to decompress the final DLL. In the latest version the process to decrypt the plugins is slightly more complex:\r\nDecrypt the header (43 bytes) with the RC4 key\r\nThe first DWORD is the XOR key to decrypt the other header values (after the 16th byte)\r\nThe first 16 bytes are the RC4 key to decrypt the plugin\r\nAfter that there is an aPLib compression layer too\r\nSince version 2.09 Andromeda added a TeamViewer plugin to its collection and it sends the TeamViewer ID and password to the panel to be able to connect easily to the machine.\r\nMore processes blacklisted\r\nHe Xu (Fortinet) did a good job when he added a screenshot with the new hashes blacklisted in versions 2.07 and 2.08. I really liked the idea and I did the same with these new versions. 
I also tried to discover what processes were hidden behind these hashes, uncovering all except one :) This is the full list:\r\ndd 99DD4432h ; vmwareuser.exe\r\ndd 2D859DB4h ; vmwareservice.exe\r\ndd 64340DCEh ; vboxservice.exe\r\ndd 63C54474h ; vboxtray.exe\r\ndd 349C9C8Bh ; sandboxiedcomlaunch.exe\r\ndd 3446EBCEh ; sandboxierpcss.exe\r\ndd 5BA9B1FEh ; procmon.exe\r\ndd 3CE2BEF3h ; regmon.exe\r\ndd 3D46F02Bh ; filemon.exe\r\ndd 77AE10F7h ; wireshark.exe\r\ndd 0F344E95Dh ; netmon.exe\r\ndd 2DBE6D6Fh ; prl_tools_service.exe (Parallels)\r\ndd 0A3D10244h ; prl_tools.exe (Parallels)\r\ndd 1D72ED91h ; prl_cc.exe (Parallels)\r\ndd 96936BBEh ; sharedintapp.exe (Parallels)\r\ndd 278CDF58h ; vmtoolsd.exe\r\ndd 3BFFF885h ; vmsrvc.exe\r\ndd 6D3323D9h ; vmusrvc.exe\r\ndd 0D2EFC6C4h ; python.exe\r\ndd 0DE1BACD2h ; perl.exe\r\ndd 3044F7D4h ; ???\r\nAs you can see, version 2.09 includes the same hashes as version 2.08, but the latest version adds python.exe, perl.exe and another mysterious process to the blacklist. It would be nice if someone could uncover this missing process. Challenge: CRC32(lower($process)) = 0x3044F7D4; $process = ???\r\nAnti-analysis bypass\r\nThe old Andromeda versions used to include a nice bypass of the anti-analysis routine. If the CRC32 checksum of the system drive volume name was 0x20C7DD84 then the bot was executing correctly even if it was running in a virtual environment. The latest version has removed this bypass but it includes a different one. It is a bit more annoying to set it up, but not really difficult.\r\nYou need to create a value “is_not_vm” with a DWORD equal to the botid in the registry key “HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies”. 
After that, even if you are executing the blacklisted processes, it will infect correctly.\r\nMore fun!\r\nIt seems that the development of Andromeda continues and they keep adding more functionalities and new features to the bot. It is always fun taking a look at the new additions, so I am looking forward to the next version already ;) I want more fun! :)\r\nb4da6909cf8b5e3791fc5be398247570 (latest)\r\n511e1a70e071ef059e07ff92cba4fe70 (2.09)\r\n9048e3797b1b24e83be5cf6f6a18fcb0 (2.08)\r\nd7c00d17e7a36987a359d77db4568df0 (2.07)\r\na6dd2204319d5fc96995bbbb22a41960 (2.06)\r\nUpdate (2015-05-05)\r\nOn the 24th of April @thedude13 found an Andromeda variant sending a new parameter to the control panel:\r\nThis variant (c73190c0b99109155df4c4c1006da43d) adds the parameter \"bb\" to the request format string:\r\n{\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu,\"bb\":%lu}\r\nDigging a bit into the code we can see that this new parameter is a flag specifying whether the infected system uses a \"friendly\" keyboard layout (bb_flag = 1). The list of cool countries considered friends by Andromeda is: Russia, Ukraine, Belarus and Kazakhstan.\r\nThis flag, besides being sent to the panel, will be checked in several locations in the code. 
If it is set:\r\nIt will not ensure persistence of the bot after the system shuts down.\r\nNo tasks will be executed in the infected system, meaning that no plugins/updates will be installed and no additional malware will be dropped.\r\nIt will not disable security services and system notifications.\r\nIt will not disable UAC.\r\nIt will not generate NTP traffic and it will not hook the NtMapViewOfSection function.\r\nUpdate (2015-07-26)\r\nIn the paragraph about the new blacklisted processes I was asking for some help to discover which process name corresponds to the CRC32 value 0x3044F7D4. After some tries with well-known security tools I was not able to uncover it. I did not try with processes related to AV software though. Yesterday, a new comment was added by snemes solving the mystery (kudos to him!!). The process name avpui.exe (Kaspersky) has that specific CRC32 value :) This process is not the AV engine itself but the graphic interface (separate processes since Kaspersky Internet Security 2014). That's curious. Another question could be why Andromeda checks just for that Kaspersky process name and not for other AV products...:?\r\nSource: https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://eternal-todo.com/blog/andromeda-gamarue-loves-json"
	],
	"report_names": [
		"andromeda-gamarue-loves-json"
	],
	"threat_actors": [],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09c5ef5ffed40ed10befa97c6da979883951a7e7.pdf",
		"text": "https://archive.orkl.eu/09c5ef5ffed40ed10befa97c6da979883951a7e7.txt",
		"img": "https://archive.orkl.eu/09c5ef5ffed40ed10befa97c6da979883951a7e7.jpg"
	}
}