{
	"id": "c9f4b9e1-4402-4ad8-9002-0daf38990dbe",
	"created_at": "2026-04-06T00:14:32.888956Z",
	"updated_at": "2026-04-10T03:20:26.966849Z",
	"deleted_at": null,
	"sha1_hash": "6e9b9d3349d49ebcc8cae5d86755f04734e10bcd",
	"title": "Andromeda under the microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1790929,
	"plain_text": "Andromeda under the microscope\r\nBy Threat Intelligence Team 6 Apr 2016\r\nArchived: 2026-04-05 15:56:12 UTC\r\nAndromeda is one of the longest running and most prevalent malware families to\r\nhave existed. Andromeda was first discovered in late 2011 and it probably evolved\r\nfrom ngrBot/DorkBot. Throughout its existence, the groups behind Andromeda\r\nhave used various methods to spread the malware and infect users.\r\nWe have seen Andromeda spread via spam email campaigns with infected files attached (doc, xls, pdf, zip),\r\nthrough illegal download sites, warez (infected cracks, keygens, ...), or infecting users via other phishing\r\ncampaigns.\r\nInfection vector\r\nIn recent months, the authors have mainly focused on spreading Andromeda via exploit kits (Neutrino, Nuclear,\r\nAngler, ...) located on compromised websites or advertisement services. These exploit kits are mainly found on\r\ndubious sites (p0rn, warez, video streaming sites, share sites etc.) but occasionally appear on trusted sites as well.\r\nhttps://blog.avast.com/andromeda-under-the-microscope\r\nPage 1 of 34\n\nAndromeda binary files are almost always stored on hacked websites, but we have also discovered files hosted on\r\na few dedicated servers that only host malware. Not only have we seen Andromeda appear on hacked websites,\r\nbut we have also seen its plugins being distributed on SourceForge.net, a repository that hosts 7zip, VLC player,\r\nOpenOffice, FileZilla and other popular open source projects.\r\nAndromeda’s core anatomy\r\nThis analysis covers the latest variant of Andromeda samples, which began spreading at the beginning of this\r\nyear. The authors have not made many changes to Andromeda’s core binary file, but they are constantly changing\r\nthe PE packer/obfuscator in the topmost layer. 
Andromeda uses various PE packers of different quality to avoid\r\nAV detections. Some packers also contain other anti-vm/emul/debug tricks. We’ve seen a packer very similar to\r\nZbot (based on its source code), obfuscated Visual Basic and .NET binaries and even a few custom packers\r\nreminiscent of Dridex included in the Andromeda variant.\r\nAndromeda’s authors put a lot of effort into diversifying their portfolio of infection droppers and into disabling, or at\r\nleast complicating, sample submission and exchange between AV companies and the regular process they use to\r\nscan and thoroughly analyze files. To achieve this, they update the custom packers daily and, as a bonus, they bloat\r\nthe binaries with more than 70 MB of garbage. This strategy can either significantly prolong the sample upload\r\n(on a slow connection) or exceed the scan/submit size limits of some antivirus scanning engines (or online\r\nscanning services). On the other hand, this trick is suspicious in itself and can help to heuristically detect\r\nthe file.\r\nZbot-like packer in detail\r\nAndromeda’s top-layer packer is interesting and deserves a closer look. The packer is very similar to that of Zbot,\r\nbased on the source code. The encrypted payload is stored inside the “.rsrc” section as the “raw data”.\r\nThe Andromeda payload is twice encrypted with custom encryption and compressed by the RtlCompressBuffer\r\nAPI function with LZ compression (0x002, COMPRESSION_FORMAT_LZNT1). 
The custom encryption uses\r\nrandom seed values and generic obfuscation with lots of SMC (self-modifying code) and junk instructions.\r\nFirst payload custom encryption:\r\nSecond encryption:\r\nThe decrypted data is then ready for decompression via the telltale RtlDecompressBuffer API function.\r\nPayload Loader\r\nUnder all of the obfuscated layers, we found a typical Andromeda payload loader binary. The entire loader is very\r\nminimalistic (~20 kB) and includes the final malware payload in compressed (Aplib) and encrypted (RC4) form\r\nand a hardcoded config structure.\r\nLoader config structure\r\nThe structure is hardcoded right before the encrypted payload; it is 0x28 (40) bytes long and contains seven\r\nvalues:\r\n1. RC4 key for payload decryption (first 16 bytes).\r\n2. Payload size (dword).\r\n3. Payload CRC32 hash (dword).\r\n4. Heap allocation size for decompressed payload data (dword).\r\n5. Entry point of decompressed payload (dword).\r\n6. Pointer to decompressed payload data section (dword).\r\n7. Size of decompressed payload data section (dword). This value is unused by the loader.\r\nThe entire config structure is located at the beginning of the “.rdata” section (VA 0x00402000).\r\nLoader API hashes\r\nIt’s interesting that Andromeda’s loader binary has no imports (in PE directories). 
The payload loader uses only\r\nthe ntdll.dll library and all imported API functions are hardcoded as custom hash values.\r\nThe malware obtains a handle to the ntdll.dll library via the PEB_LDR_DATA trick (the structure contains the base address of ntdll\r\nand kernel32), well known from many shellcodes.\r\nThe hashing algorithm is trivial and combines XOR and ROL operations over the API names (ASCII).\r\nAll API hashes are stored at the beginning of the “.text” section (VA 0x00401000) as DWORD values.\r\nThe authors seem to be very experienced native subsystem and low-level programmers and have deep knowledge\r\nof AV detection methods. This malware uses very uncommon API functions in low-level form (Nt/Rtl), which\r\nis probably intended to avoid standard API monitors/tracers, sandboxes and other dynamic analysis tools with\r\npredefined API lists or well known API combination patterns.\r\nList of all hashes and resolved API functions:\r\nHash value  API function\r\n0AB48C65  LdrLoadDll\r\nDE604C6A  RtlDosPathNameToNtPathName_U\r\n925F5D71  RtlFreeAnsiString\r\nEFD32EF6  LdrProcessRelocationBlock\r\nB8E06C7D  RtlComputeCrc32\r\n831D0FAA  RtlExitUserThread\r\nA62BF608  NtSetInformationProcess\r\n102DE0D9  NtAllocateVirtualMemory\r\n7CD8E53D  NtFreeVirtualMemory\r\n6815415A  NtOpenFile\r\nE7F9919F  NtQueryDirectoryFile\r\n64C4ACE4  NtClose\r\n028C54D3  memcpy\r\n82D84ED3  memset\r\nPayload encryption \u0026 compression\r\nThe final Andromeda payload is compressed with Aplib and encrypted with the RC4 stream cipher. 
The encrypted\r\npayload is verified against a hardcoded CRC32 hash and decryption proceeds only if this check passes.\r\nRC4 decryption followed by Aplib decompression:\r\nFinal payload fixups\r\nOnce the payload is decrypted and unpacked, it’s necessary to relocate it to its new base address, because it is not\r\nposition-independent code. This is done through another uncommon API call, LdrProcessRelocationBlock,\r\nwhich is a function used only internally by the system to relocate loaded PE modules.\r\nThe API function takes a pointer to a relocation record and information about the old and new base address. The first\r\nrelocation record is stored at the beginning of the payload data section.\r\nAfter processing each relocation record, the LdrProcessRelocationBlock function returns a pointer to the next\r\nrecord. This makes it possible to traverse to the end of the relocations (there’s a terminating null, which signals that\r\nthere’s nothing else to process).\r\nThe last step in the loader part is the API function preparation for the final Andromeda payload. All API functions\r\nare represented by the same custom hash form (XOR+ROL) described earlier.\r\nThere is also a little config structure located right after the relocation records. The first value of this structure is a\r\ncustom hash (DWORD) of the DLL file name. The second value is an offset (DWORD) into the final payload, where the\r\nresolved API function pointers will be stored. This is followed by the custom hashes (DWORD) of the API functions imported from that DLL, terminated with\r\n0x0000.\r\nThe algorithm for resolving the DLL file name from the hash is similar to resolving API hashes, but it also\r\nincludes a lower-case transformation.\r\nThe loader uses a very uncommon method to search for and load the resolved DLL files. 
All steps are performed through the low-level API, and the authors use the same PEB_LDR_DATA method described above, but this time the loader\r\nuses the UNICODE string returned from the FullDllName value.\r\nThis unicode string with the full DLL path is used as an argument for the RtlDosPathNameToNtPathName_U API\r\nfunction, which transforms the unicode file path string into the following NT path format:\r\n“\\??\\C:\\WINDOWS\\system32\\ntdll.dll”\r\nThis string is used to extract the fully qualified path and the “*.dll” file mask and pass them to the\r\nNtQueryDirectoryFile API function, which then enumerates libraries in the system directory. Each library name is\r\nhashed and compared with the stored custom hashes. If the hashes are equal, the DLL file is directly loaded via the\r\nLdrLoadDll API function and the loader continues to resolve API function names from the hard-coded hashes.\r\nFinally, the loader writes all the resolved function pointers to the payload. The payload itself uses a more\r\nsophisticated API redirection method, which first copies the first instruction of the particular API function into the final\r\npayload, then executes it and redirects back to the original API function’s second instruction. This technique is\r\nknown as stolen bytes. 
The authors use JMP instructions (opcodes 0xEB and 0xE9) for this trick.\r\nExample of the API redirection:\r\nThese mangled calls of API functions made our analysis harder, because the debugger cannot correctly\r\nidentify/resolve the names of the API functions when they are called this way.\r\nList of all API functions used inside the final payload:\r\nntdll.dll\r\nisdigit, memcpy, memset, NtDelayExecution, NtMapViewOfSection,\r\nNtQueryInformationProcess, NtQuerySection, NtUnmapViewOfSection, pow,\r\nRtlComputeCrc32, RtlImageNtHeader, RtlRandom, RtlWalkHeap, _allmul, _alloca_probe\r\nws2_32.dll\r\nclosesocket, connect, FreeAddrInfoW, getaddrinfo, getsockname, htonl, ioctlsocket, recv,\r\nsendto, socket, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAStartup\r\nkernel32.dll\r\nCloseHandle, CopyFileW, CreateEventW, CreateFileMappingA, CreateFileW,\r\nCreateProcessW, CreateThread, CreateToolhelp32Snapshot, DeleteFileW, ExitProcess,\r\nExitThread, ExpandEnvironmentStringsW, FlushInstructionCache, FreeLibrary,\r\nGetCurrentProcess, GetEnvironmentVariableW, GetFileTime, GetModuleFileNameW,\r\nGetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessHeap,\r\nGetSystemTimeAsFileTime, GetThreadContext, GetTickCount, GetVersionExW,\r\nGetVolumeInformationW, GetWindowsDirectoryW, GlobalAlloc, GlobalFree, GlobalLock,\r\nGlobalReAlloc, GlobalSize, GlobalUnlock, HeapDestroy, LoadLibraryA, LoadLibraryW,\r\nLocalFree, lstrcatW, lstrcmpiW, lstrcpy, lstrcpyW, lstrlen, lstrlenW, MapViewOfFile,\r\nModule32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar,\r\nNTDLL.RtlAllocateHeap, NTDLL.RtlFreeHeap, NTDLL.RtlGetLastWin32Error,\r\nNTDLL.RtlSizeHeap, OpenEventW, Process32First, Process32Next, QueueUserAPC,\r\nResumeThread, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileAttributesW,\r\nSetFileTime, Sleep, TerminateProcess, 
UnmapViewOfFile, VirtualAlloc, VirtualFree,\r\nVirtualProtect, WaitForSingleObject, WriteFile\r\nadvapi32.dll\r\nAdjustTokenPrivileges, CheckTokenMembership,\r\nConvertStringSecurityDescriptorToSecurityDescriptorA, ConvertStringSidToSidA,\r\nGetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation,\r\nLookupPrivilegeValueA, OpenProcessToken, RegEnumValueW, RegCloseKey,\r\nRegCreateKeyExW, RegDeleteValueW, RegFlushKey, RegOpenKeyExW,\r\nRegQueryValueExW, RegSetKeySecurity, RegSetValueExW\r\nuser32.dll\r\nFindWindowA, GetKeyboardLayoutList, mouse_event, SendMessageA, wsprintfA,\r\nwsprintfW\r\nshell32.dll\r\nShellExecuteExW\r\nole32.dll\r\nCoInitialize, CreateStreamOnHGlobal\r\nwinhttp.dll\r\nWinHttpCloseHandle, WinHttpConnect, WinHttpCrackUrl, WinHttpOpen,\r\nWinHttpOpenRequest, WinHttpQueryHeaders, WinHttpReadData, WinHttpReceiveResponse,\r\nWinHttpSendRequest, WinHttpSetOption\r\ndnsapi.dll\r\nDnsExtractRecordsFromMessage_W, DnsFree, DnsWriteQuestionToBuffer_W\r\nshlwapi.dll\r\nPathFindFileNameW, PathQuoteSpacesW, PathRemoveBackslashW, PathRemoveFileSpecW,\r\nStrChrW, StrRChrW, StrToIntW\r\nAs you can see, the authors use many uncommon or undocumented API functions.\r\nThere are some special cases (matched by a RegEx in the loader) where the authors reference NTDLL.Rtl functions through the\r\nkernel32.dll library, so the Andromeda loader has to load ntdll.dll again and use the proper pointers for the Rtl\r\nAPI functions.\r\nAfter resolving all hard-coded DLLs and API functions, the loader continues to the final payload Entry Point.\r\nFinal Andromeda payload\r\nAlthough the final payload is very small (~24 kB), the code is very complex and sophisticated. 
The authors, again,\r\nuse a variety of anti-emul and anti-vm tricks.\r\nAt the very beginning, Andromeda disables Windows error notifications via the SetErrorMode API function with\r\nthe parameter 0x8007, which means SEM_FAILCRITICALERRORS | SEM_NOALIGNMENTFAULTEXCEPT |\r\nSEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX.\r\nAnti-VirtualMachine protection\r\nAndromeda uses a simple and well-known anti-vm trick that compares the names of running processes with a\r\n“black list” of prohibited process names stored as CRC32 hashes.\r\nList of forbidden process names:\r\n99DD4432  vmwareuser.exe\r\n2D859DB4  vmwareservice.exe\r\n64340DCE  vboxservice.exe\r\n63C54474  vboxtray.exe\r\n349C9C8B  sandboxiedcomlaunch.exe\r\n3446EBCE  sandboxierpcss.exe\r\n5BA9B1FE  procmon.exe\r\n3CE2BEF3  regmon.exe\r\n3D46F02B  filemon.exe\r\n77AE10F7  wireshark.exe\r\n0F344E95D  netmon.exe\r\n2DBE6D6F  prl_tools_service.exe\r\n0A3D10244  prl_tools.exe\r\n1D72ED91  prl_cc.exe\r\n96936BBE  sharedintapp.exe\r\n278CDF58  vmtoolsd.exe\r\n3BFFF885  vmsrvc.exe\r\n6D3323D9  vmusrvc.exe\r\n0D2EFC6C4  python.exe\r\n0DE1BACD2  perl.exe\r\n3044F7D4  avpui.exe\r\nThis procedure is implemented through the classic API functions CreateToolhelp32Snapshot and Process32First /\r\nProcess32Next. 
If the malware detects a forbidden running process, the execution flow ends in an infinite loop.\r\nAn interesting feature is the possibility of creating a special key in the registry, which allows Andromeda to infect\r\nthe system even when a blacklisted process is running.\r\nThe process blacklisting functionality is ignored when the “is_not_vm” key is present inside\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies” and the proper UserID (DWORD) is set.\r\nPersistence\r\nThe techniques to persist the infection and to camouflage the Andromeda PE binary among regular system\r\nbinaries are well designed. All communication goes through an injected system application, msiexec.exe, which is\r\npart of the standard Windows Installer.\r\nAndromeda copies itself to the %ALLUSERSPROFILE% folder and renames the binary to “ms{random [a-z]{5}}.exe”,\r\nwhere the UserID is used as the seed for the RtlRandom API function.\r\nLater, the resulting file’s attributes are set to “FILE_ATTRIBUTE_HIDDEN” and\r\n“FILE_ATTRIBUTE_SYSTEM” (+h +s) and the file time is set to the file time obtained from the original\r\nmsiexec.exe file. The well-known GetFileTime and SetFileTime functions are used.\r\nAnother trick used by the authors is deleting the NTFS stream bound to the file. 
They call the DeleteFile API to\r\nremove the :Zone.Identifier stream from the newly created ms*.exe file (to bypass the “File Downloaded from the\r\nInternet” warning).\r\nIn the next step, Andromeda prevents the display of hidden files via the registry key\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” by setting the “Hidden” and\r\n“ShowSuperHidden” values accordingly.\r\nFinally, Andromeda creates a new value (UserID) inside the\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run” registry key and sets it to the path of the\r\npreviously created “ms*.exe” file. After that, it protects the value by changing its permissions through a Security\r\nDescriptor. Andromeda thereby tries to prevent modification or deletion of this value; however, modern AV engines are\r\nable to bypass this restriction.\r\nInjection of msiexec.exe and system API function hooks\r\nThe entire final payload is injected into a newly created msiexec.exe process and activated via the ResumeThread\r\nAPI function. The original payload process is terminated after the new thread is activated and the malware\r\ncontinues only from the injected msiexec.exe process.\r\nAndromeda also injects code into the ntdll.dll and ws2_32.dll system libraries. Inside ntdll.dll Andromeda hooks the\r\nNtMapViewOfSection API function and replaces it with a jump to the payload, and it also hooks the GetAddrInfoW\r\nAPI function inside the ws2_32.dll library.\r\nBoth API hooks are handled inside the payload, which then jumps back to the hooked API functions, whose first\r\ninstructions were replaced by jmp instructions.\r\nPart of the resolved code for the GetAddrInfoW API function by payload:\r\nLanguage exclusions\r\nAnother interesting feature is the detection of keyboard layout settings. 
If Andromeda detects a Russian,\r\nUkrainian, Belarusian or Kazakh keyboard layout, it sets a special flag that disables the infection, persistence, NTP traffic\r\nand the injection of the ntdll and ws2_32 libraries.\r\nThe malware is also completely removed from the infected machine if it detects one of these keyboard layouts.\r\nNTP traffic\r\nAndromeda uses hardcoded NTP (Network Time Protocol) domains to obtain the current time, which is read\r\nfrom the “Transmit Timestamp” field; if this connection isn’t successful, the current time is obtained from the infected\r\ncomputer.\r\nThe hardcoded NTP domains are africa.pool.ntp.org, asia.pool.ntp.org, europe.pool.ntp.org, oceania.pool.ntp.org\r\nand pool.ntp.org as the last attempt if the other domains fail. NTP traffic uses port 123.\r\nThe malware verifies that the size of the received data is 0x30 (48) bytes and then parses the first DWORD of the\r\n“Transmit Timestamp” value.\r\nThis value is increased by 0x7C558180 (modulo 2^32 this is the same as subtracting 0x83AA7E80, the 1900-to-1970 epoch offset,\r\nso the result is a Unix timestamp) and the result is used as an argument of the “aStart” function exported by\r\na plugin.\r\nIf all connections to the NTP domains fail, an argument for the aStart function is computed by the payload via the\r\nfollowing algorithm based on the result of the GetSystemTimeAsFileTime API function, instead of the Transmit\r\nTimestamp value from the NTP request.\r\nThe “compute_aStart_arg” function algorithm:\r\nObtain local IP via sockaddr struct\r\nAndromeda uses a very uncommon method to obtain the local IP addresses of infected machines.\r\nThe malware tries to connect to various legitimate servers on port 80 with a crafted socket and obtains the infected\r\nmachine’s IP address from the sockaddr structure via the getsockname API function.\r\nThe 
resolved value is used as the “la” parameter for C\u0026C requests.\r\nList of domains that Andromeda tries to connect to, in the following order: update.microsoft.com, microsoft.com,\r\nbing.com, google.com, yahoo.com\r\nC\u0026C communication\r\nAll communication is RC4 encrypted and uses HTTP/1.1 in raw data format (“Content-Type: application/octet-stream”) with the predefined “Mozilla/4.0” User-Agent.\r\nAndromeda contains a hard-coded RC4 key, which is used for C\u0026C server communication, for decrypting downloaded\r\nplugins and also for decrypting the hard-coded C\u0026C URLs, where the key is used reversed.\r\nAll values are hardcoded in a structure located at the beginning of the payload data. The first value is the BID\r\n(Botnet/Build ID), which is also used as a parameter for C\u0026C requests. The RC4 key is hard-coded between random\r\njunk data and is followed by the encrypted C\u0026C URLs. The first byte of each encrypted URL is the length of its data and\r\nis used to locate the next encrypted URL. 
A zero byte indicates the end of the encrypted URL data block.\r\nC\u0026C JSON requests\r\nAndromeda uses the JSON format, encrypted with RC4, for all communication with C\u0026C servers.\r\nThe malware includes two types of JSON requests and one command object.\r\nInfection report / Ask for action request\r\n{\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu}\r\nJSON item  Name  Info\r\nid  User ID  Computed from the VolumeSerialNumber of the infected machine’s HDD.\r\nbid  Botnet/Build ID  Hard-coded inside the Andromeda payload.\r\nos  OS version  Version of the current operating system.\r\nla  Local IP address  Obtained from the sockaddr structure.\r\nrg  Administrator rights  Set to 1 if the malware process runs under an administrator account.\r\nLive example:\r\n{\"id\":1839815145,\"bid\":8384538,\"os\":65889,\"la\":168732589,\"rg\":0}\r\nReceived command object from C\u0026C server\r\n[sleep_before_request, {unused_object}, [TaskID, RequestType, URL, ...], ...]\r\nObject item  Info\r\nsleep_before_request  Sleep time in minutes before sending the next request to the C\u0026C server; the most common\r\nvalue is 60.\r\n{unused_object}  When this object is found, it is skipped. The most common value is {\"klt\":0}.\r\nTaskID  ID of a task provided by the C\u0026C server. 
This ID is sent back to the server with the\r\nstatus/error report request.\r\nRequestType  Identifier of the task type (update plugin, download exe, install plugin, delete bot).\r\nURL  URL for downloading a plugin or other malware.\r\nLive example of a command to download Andromeda plugins:\r\n[60,{\"klt\":0},[15,2,\"http:\\/\\/netcologne.dl.sourceforge.net\\/project\\/googlecodefork\\/g11.pack\"]]\r\nTask report request\r\n{\"id\":%lu,\"tid\":%lu,\"err\":%lu,\"w32\":%lu}\r\nJSON item  Name  Info\r\nid  User ID  Computed from the VolumeSerialNumber of the infected machine’s HDD.\r\ntid  TaskID  ID of the task provided by the C\u0026C server.\r\nerr  Error  Set to 0 if the task completed successfully.\r\nw32  System error code  Obtained from the RtlGetLastWin32Error API function.\r\nLive example:\r\n{\"id\":1839815145,\"tid\":15,\"err\":0,\"w32\":127}\r\nC\u0026C servers\r\nThe Andromeda payload has used the same two domains as C\u0026C servers for a very long period; requests are sent via the\r\nPOST method.\r\nServer one:\r\nhxxp://disorderstatus.ru/order.php\r\nServer two:\r\nhxxp://differentia.ru/diff.php\r\nBoth domains are connected to multiple DNS servers located throughout the world.\r\nBelow is the differentia.ru DNS graph up to April 2016, hosted on pointhq.com servers:\r\nThe above map shows where the servers are located.\r\nList of “A” IP domain records:\r\nIP  Hosted by  Location\r\n46.4.114.61  Hetzner Online GmbH  Germany\r\n95.213.192.71  Selectel Net  Russian Federation\r\n176.9.48.86  Hetzner Online GmbH  Germany\r\nThe below shows a DNS graph of the differentia.ru domain hosted on Hurricane Electric servers, where the\r\nauthors currently moved the entire network infrastructure.\r\nComplete current DNS record of differentia.ru:\r\nNS  ns1.he.net  216.218.130.2  United States, CA Fremont, Hurricane Electric HURRICANE-1\r\nSOA  ns1.he.net  216.218.130.2
\r\nNS  ns2.he.net  216.218.131.2\r\nNS  ns3.he.net  216.218.132.2\r\nNS  ns4.he.net  216.66.1.2  United States, CA Fremont, Hurricane Electric HURRICANE-6\r\nNS  ns5.he.net  216.66.80.18\r\nA  95.213.186.51  Russian Federation, SELECTEL-NET, SELECTEL OOO \"Network of data-centers \"S, RU-SELECTEL-20090812\r\nA  176.9.174.220  Germany, HETZNER-RZ-FKS-BLK4, HETZNER-AS Hetzner Online GmbH, DE-HETZNER-20110517\r\nStatistics of blocked differentia.ru domain:\r\nDownloaded plugins include other C\u0026C server domains:\r\natomictrivia.ru, designthefuture.ru, gvaq70s7he.ru, getuptateserv.eu, ...\r\nAndromeda Plugins\r\nThis malware is modular and Andromeda offers several plugins like Keylogger, Browser Formgrabber, Rootkit,\r\nHidden TeamViewer remote control, etc. We are preparing a detailed analysis of all the modules, which we will\r\npublish at a later date.\r\nThe plugins are hosted on and downloaded from the SourceForge repository.\r\nThe authors recently updated the plugin files, repacked the binaries with PE packers and changed their file names.\r\nThis SourceForge project was registered on 2015-05-16 under the username “dofeedthetrolls”.\r\nPlugin encryption\r\nThe plugin binaries are twice encrypted with RC4 and compressed with Aplib. Each plugin contains a 43-byte\r\nconfig header with a hard-coded RC4 key, CRC32 hashes and data length values for validation, and a\r\nparameter for the case in which the plugin is stored in the registry.\r\nEncrypted plugin header:\r\nDecrypted plugin header:\r\nDecrypting the plugin is a bit tricky:\r\n1. Decrypt the header (43 bytes) with the RC4 encryption key from the Andromeda payload (the one used for C\u0026C\r\ncommunication).\r\n2. 
The first DWORD value is the XOR key to decrypt the config header values.\r\n3. The first 16 bytes are the RC4 key to decrypt the plugin.\r\n4. Decompress the decrypted data with Aplib.\r\nPlugin persistence\r\nDownloaded plugins are stored in the registry and in the %TEMP% directory under two file names.\r\nThe first file name is saved in the following format: %TEMP%\\KB{GetTickCount}.exe\r\nThe second file name is %TEMP%\\cdo*.dll\r\nThe Andromeda payload also searches for three plugin exports, aStart, aUpdate and aReport, via the\r\nGetProcAddress API function.\r\nConclusion\r\nAndromeda malware has a very long history. It’s one of the most prevalent malware families and nothing indicates\r\nthat it will disappear anytime soon. The authors are skilled programmers and operators, recently updating plugins,\r\nmaintaining entire systems and looking for new infected domains to host exploit kits. Analyzing Andromeda's very\r\ncomplex ecosystem is a challenging task, but we're investigating it further. Stay tuned for the next blog post!\r\nSource: https://blog.avast.com/andromeda-under-the-microscope",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/andromeda-under-the-microscope"
	],
	"report_names": [
		"andromeda-under-the-microscope"
	],
	"threat_actors": [],
	"ts_created_at": 1775434472,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e9b9d3349d49ebcc8cae5d86755f04734e10bcd.pdf",
		"text": "https://archive.orkl.eu/6e9b9d3349d49ebcc8cae5d86755f04734e10bcd.txt",
		"img": "https://archive.orkl.eu/6e9b9d3349d49ebcc8cae5d86755f04734e10bcd.jpg"
	}
}