{
	"id": "5e11588a-efa3-47e9-aa19-ffc66e7e58f3",
	"created_at": "2026-04-06T00:08:34.113907Z",
	"updated_at": "2026-04-10T03:20:38.961057Z",
	"deleted_at": null,
	"sha1_hash": "54bd2bb2773a1deda015beeb72df40941d859d43",
	"title": "Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 163971,
	"plain_text": "Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers\r\nArchived: 2026-04-05 18:55:46 UTC\r\nThis blog post details how the more recent versions of Andromeda store their C\u0026C URLs and RC4 key, and how this information can be bruteforced from a memory dump.\r\nStorage Format\r\nThe Andromeda configuration always starts with the value that is transferred as \"bid\" to the C\u0026C server. It is 4 bytes long and most likely represents a builder / botnet ID. In some binaries I had a look at, this was likely a Y-M-D binary date, as in the example shown below: 14-07-03.\r\nAfter an arbitrary number of random bytes appended to the \"bid\", the binary RC4 key of length 16 bytes follows. This key is used both to decrypt the configuration and to encrypt the C\u0026C traffic. Note that this key is applied in reversed order to decrypt the configuration buffer.\r\nNext, more arbitrary random bytes are added, and then a linked list of encrypted C\u0026C URLs follows. The first byte of each list entry is the offset to the next list item; a zero byte pointer indicates the end of the list. Each list entry is simply encrypted with the reversed RC4 key as described previously, resulting in the encrypted C\u0026C entries having identical substrings at the start: the encrypted equivalent of \"http\" is \"\\x0D\\x4C\\xD8\\xDB\".\r\n[figure: Andromeda config buffer and fake RC4 key]\r\nhttps://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html\r\nPage 1 of 7\r\nConcealment of the configuration on bot initialization\r\nDuring its initialization, the Andromeda bot parses this configuration buffer and stores its parts on the heap. Each data blob is prefixed with an indicator (crc32 over part of the host process' header, or 0x706e6800, xor bot_id), allowing the malware to identify its fragments on the heap in a way similar to the technique known as egg hunting.\r\n[figure: function used to handle the config and store rc4_key + C\u0026C URLs on the heap]\r\nAfterwards, as a means of anti-analysis, the parsing routine is overwritten with a static 4 bytes (to kill the function prologue) and another function of the bot (in this case the function responsible for setting up hooking) in order to destroy the pointers to the RC4 key and C\u0026C list.\r\n[figure: top: function to destroy parseConfig by overwriting it with installHooks(); left: installHooks(); right: resulting parseConfig]\r\nExtraction of RC4 key and C\u0026C URLs\r\nAlthough the exact offsets of the RC4 key and the C\u0026C URL list are not available when examining a fully initialized Andromeda memory image in the injected process, it is possible to recover this information through guessing.\r\nFinding the \"bid\"\r\nCharacteristic for all encountered versions of Andromeda is a format string similar to the following:\r\nid:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu\r\nor more recently:\r\n{\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu}\r\nAs its fields are likely filled in with a *sprintf* function, we can identify the offset of the \"bid\" by statically examining the parameters passed to said string format API call (this can e.g. be achieved with a carefully crafted regex).\r\n[figure: reference to the botnet/builder id \"bid\" with a characteristic sequence of instructions]\r\nTreating the \"bid\" as the start of the potential configuration buffer, we can assume its end by searching for a zero dword value starting at the offset of the \"bid\". For the tested memory dumps, the resulting potential configuration buffer had a length of around 300 bytes.\r\nIdentifying encrypted C\u0026C URL candidates\r\nAs described above, the C\u0026C URLs are stored as a linked list. Arbitrarily assuming that a server address will be somewhere between 0x8 and 0x30 characters long, we can extract all byte sequences from the potential configuration buffer that match this property (start bytes highlighted):\r\n0000  14 07 03 00 d4 e2 04 63 53 03 86 e4 82 5d 97 1c   .......cS....]..\r\n0010  c6 f8 58 9c f0 8f 2c da 79 0b 6d 1c ce cb 9d ba   ..X...,.y.m.....\r\n0020  81 c5 c9 42 60 f1 63 48 87 45 00 c1 fe 34 8b bf   ...B`.cH.E...4..\r\n0030  bb 84 93 0d b7 ca 47 dc 2f 8a 35 8a 2d 48 87 31   ......G./.5.-H.1\r\n0040  33 b5 b1 3d 4f a8 2f 49 17 4d e4 58 93 11 a4 81   3..=O./I.M.X....\r\n0050  3b 4e 1e 8a 28 79 f7 8f 16 5a 85 2f 0a 11 3e 4a   ;N..(y...Z./..\u003eJ\r\n0060  df 5b 70 06 57 9d 33 f0 80 ae ad 6a 13 d2 ed 95   .[p.W.3....j....\r\n0070  50 ce e7 24 0d 4c d8 db 84 4d 56 13 40 83 06 2d   P..$.L...MV.@..-\r\n0080  3c 13 f5 52 59 f3 34 1f 84 ac 5c 46 13 ec e8 12   \u003c..RY.4....F....\r\n0090  c8 50 8d 87 8b 59 a8 d6 17 0d 4c d8 db 84 4d 56   .P...Y....L...MV\r\n00a0  4e 52 c6 5c 3a 3b 54 f3 51 58 f1 39 58 90 a1 02   NR..:;T.QX.9X...\r\n00b0  1f 0d 4c d8 db 84 4d 56 13 40 83 06 2d 3c 19 fb   ..L...MV.@..-\u003c..\r\n00c0  4b 55 ba 2f 13 94 e6 1b 4b 18 e4 bf 55 d6 5c 98   KU./....K...U...\r\n00d0  1d 0d 4c d8 db 84 4d 56 0d 54 9e 15 24 21 19 ff   ..L...MV.T..$!..\r\n00e0  11 53 e6 26 59 89 a7 16 40 04 af b7 13 d6 00 f0   .S.\u0026Y...@.......\r\n00f0  1b cb c7 a3 c5 68 48 ca b7 6a 91 bb 83 e9 07 ee   .....hH..j......\r\n0100  d2 78 8b 88 85 78 28 6b 3f 39 72 36 6f 88 ff db   .x...x(k?9r6o...\r\n0110  63 6d b4 f5 f3 89 99 c5 68 8d 68 6b 7b 62 9d 05   cm......h.hk{b..\r\nresulting in the following candidate sequences (offset, length, start bytes):\r\noffset: 0x000, 14-\u003e070300...\r\noffset: 0x00f, 1c-\u003ec6f858...\r\noffset: 0x016, 2c-\u003eda790b...\r\noffset: 0x019, 0b-\u003e6d1cce...\r\noffset: 0x01b, 1c-\u003ececb9d...\r\noffset: 0x033, 0d-\u003eb7ca47...\r\noffset: 0x038, 2f-\u003e8a358a...\r\noffset: 0x03c, 2d-\u003e488731...\r\noffset: 0x046, 2f-\u003e49174d...\r\noffset: 0x048, 17-\u003e4de458...\r\noffset: 0x04d, 11-\u003ea4813b...\r\noffset: 0x052, 1e-\u003e8a2879...\r\noffset: 0x054, 28-\u003e79f78f...\r\noffset: 0x058, 16-\u003e5a852f...\r\noffset: 0x05b, 2f-\u003e0a113e...\r\noffset: 0x05c, 0a-\u003e113e4a...\r\noffset: 0x05d, 11-\u003e3e4adf...\r\noffset: 0x06c, 13-\u003ed2ed95...\r\noffset: 0x073, 24-\u003e0d4cd8...\r\noffset: 0x074, 0d-\u003e4cd8db...\r\noffset: 0x07b, 13-\u003e408306...\r\noffset: 0x07f, 2d-\u003e3c13f5...\r\noffset: 0x081, 13-\u003ef55259...\r\noffset: 0x087, 1f-\u003e84ac5c...\r\noffset: 0x08c, 13-\u003eece812...\r\noffset: 0x08f, 12-\u003ec8508d...\r\noffset: 0x098, 17-\u003e0d4cd8...\r\noffset: 0x099, 0d-\u003e4cd8db...\r\noffset: 0x0b0, 1f-\u003e0d4cd8...\r\noffset: 0x0b1, 0d-\u003e4cd8db...\r\noffset: 0x0b8, 13-\u003e408306...\r\noffset: 0x0bc, 2d-\u003e3c19fb...\r\noffset: 0x0be, 19-\u003efb4b55...\r\noffset: 0x0c3, 2f-\u003e1394e6...\r\noffset: 0x0c4, 13-\u003e94e61b...\r\noffset: 0x0c7, 1b-\u003e4b18e4...\r\noffset: 0x0c9, 18-\u003ee4bf55...\r\noffset: 0x0d0, 1d-\u003e0d4cd8...\r\noffset: 0x0d1, 0d-\u003e4cd8db...\r\noffset: 0x0d8, 0d-\u003e549e15...\r\noffset: 0x0db, 15-\u003e242119...\r\noffset: 0x0dc, 24-\u003e2119ff...\r\noffset: 0x0dd, 21-\u003e19ff11...\r\noffset: 0x0de, 19-\u003eff1153...\r\noffset: 0x0e0, 11-\u003e53e626...\r\noffset: 0x0e3, 26-\u003e5989a7...\r\noffset: 0x0e7, 16-\u003e4004af...\r\noffset: 0x0ec, 13-\u003ed600f0...\r\noffset: 0x0f0, 1b-\u003ecbc7a3...\r\noffset: 0x106, 28-\u003e6b3f39...\r\nIdentifying the RC4 key\r\nNext, we can try to decrypt these URL candidates by using all possible RC4 keys from the potential configuration buffer. For this, we take every consecutive 16 bytes, hex encode them, reverse their order, and perform RC4 against all C\u0026C URL candidates.\r\nExample: candidate sequence at offset 0xd1, length: 0x1d bytes:\r\n00d0  1d 0d 4c d8 db 84 4d 56 0d 54 9e 15 24 21 19 ff   ..L...MV.T..$!..\r\n00e0  11 53 e6 26 59 89 a7 16 40 04 af b7 13 d6 00 f0   .S.\u0026Y...@.......\r\nbruteforce decryption attempts:\r\nrc4(candidate, \"c179d5284e68303536402e4d00307041\") -\u003e 60a1619e84209c\r\nrc4(candidate, \"6cc179d5284e68303536402e4d003070\") -\u003e d378675057f8f2\r\nrc4(candidate, \"8f6cc179d5284e68303536402e4d0030\") -\u003e 84ff7a9c4e2168\r\nrc4(candidate, \"858f6cc179d5284e68303536402e4d00\") -\u003e 3b5dd0750955f6\r\n[... 44 more attempts ...]\r\nrc4(candidate, \"33137884d2a853a8f2cd74ac7bd03948\") -\u003e 7cea19689c5d40\r\nrc4(candidate, \"5b33137884d2a853a8f2cd74ac7bd039\") -\u003e 38ca7a0068f32e\r\nrc4(candidate, \"1b5b33137884d2a853a8f2cd74ac7bd0\") -\u003e 6429d8151a51c2\r\nrc4(candidate, \"d31b5b33137884d2a853a8f2cd74ac7b\") -\u003e 687474703a2f2f\r\nFinally we hit a result of 687474703a2f2f, which translates to \"http://\", and the whole URL decrypts to \"hxxp://sunglobe.org/index.php\" (defanged).\r\nAs soon as we decrypt the first sequence starting with \"http\", we have likely identified the correct RC4 key and can proceed to decrypt all other candidates to complete the list of C\u0026C URLs.\r\nRC4 key used for config:  d31b5b33137884d2a853a8f2cd74ac7b\r\nActual traffic RC4 key: b7ca47dc2f8a358a2d48873133b5b13d\r\nAll resolving candidates:\r\n0d4cd8db844d560d549e15242119ff1153e6265989a7164004afb713d6\r\n-\u003e hxxp://sunglobe.org/index.php\r\n0d4cd8db844d56134083062d3c19fb4b55ba2f1394e61b4b18e4bf55d65c98\r\n-\u003e hxxp://masterbati.net/index.php\r\n0d4cd8db844d564e52c65c3a3b54f35158f1395890a102\r\n-\u003e hxxp://0s6.ru/index.php\r\n0d4cd8db844d56134083062d3c13f55259f3341f84ac5c4613ece812c8508d878b59a8d6\r\n-\u003e hxxp://masterhomeguide.com/index.php\r\nConclusion\r\nIt's obvious that the above described method can be optimized here and there. But since it executes in less than a second on a given memdump and gave me good results on a collection of Andromeda dumps, I didn't bother to improve it further.\r\nsample used:\r\n  md5: a17247808c176c81c3ea66860374d705\r\n  sha256: ce59dbe27957e69d6ac579080d62966b69be72743143e15dbb587400efe6ce77\r\nRepository with defanged memdump + extraction code\r\nSource: https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html"
	],
	"report_names": [
		"kf-andromeda-bruteforcing.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54bd2bb2773a1deda015beeb72df40941d859d43.pdf",
		"text": "https://archive.orkl.eu/54bd2bb2773a1deda015beeb72df40941d859d43.txt",
		"img": "https://archive.orkl.eu/54bd2bb2773a1deda015beeb72df40941d859d43.jpg"
	}
}