Andromeda delivered via malspam and follow on traffic

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-06-24-Andromeda-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES: [Initial JavaScript Infection]

  • 62.149.142.151 – www.claudiocalaprice.com GET /r6.php?group=prs
  • 91.239.66.4 – karolbunsch.pl GET /r6.php?cmd=p&id=
  • 31.11.32.207 – www.edilmarmoceramic.it GET /intarsi/r6.php?cmd=e  – ANDROMEDA
  • 64.71.33.38 – dtechgroup.com GET /r6.php?cmd=l&data=memory
  • 194.58.119.78 – sll.goog.jakioo.com POST /new_and/post990.php – POST INFECT TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the malicious malspam JavaScript attachment and the delivery of Andromeda

Shown above: Malware uses Google’s DNS for domain lookup

Shown above: JavaScript uses registry to remain persistent

Shown above: C2 traffic associated with Andromeda

On 2017-06-26 I rebooted the infected host to try and generate additional traffic. Below are the results.

ASSOCIATED DOMAINS AND IP ADDRESSES: [Reboot of infected host]

  • 62.149.140.167 – www.eurobiosspa.it GET /r6.php?cmd=p&id=
  • 194.58.119.78 – sll.goog.jakioo.com POST /new_and/post990.php – POST INFECT TRAFFIC
  • 142.91.104.188 – GET /c/lol.pack
  • 31.11.32.166 – www.tecnostampistoro.it GET /wpp/11itundmf.exe
  • 166.78.238.143 – itcgalilei.it GET /AR/22.zip
  • 81.31.147.141 – sipbc.it GET /libraries/fof/form/farm.dmg – TOR CLIENT DOWNLOAD
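The two indicator lists above (initial infection and post-reboot) share a recognisable HTTP shape: GET requests to a `r6.php` stager with `group=` or `cmd=p|e|l` parameters, a POST to `/new_and/post990.php`, and follow-on downloads of executable payloads. The script below is an added example (not part of the original post) that turns those patterns into a small detector run over constructed proxy log lines; the log format, field order and client IPs are assumptions made for the example, while the hosts, IPs and URIs are the ones listed above.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample proxy log (NOT extracted from the pcap), one request per line:
# <timestamp> <client_ip> <server_ip> <method> <host> <uri>
SAMPLE_LOG = """\
2017-06-24T10:01:02Z 10.0.0.15 62.149.142.151 GET www.claudiocalaprice.com /r6.php?group=prs
2017-06-24T10:01:05Z 10.0.0.15 91.239.66.4 GET karolbunsch.pl /r6.php?cmd=p&id=
2017-06-24T10:01:09Z 10.0.0.15 31.11.32.207 GET www.edilmarmoceramic.it /intarsi/r6.php?cmd=e
2017-06-24T10:01:12Z 10.0.0.15 64.71.33.38 GET dtechgroup.com /r6.php?cmd=l&data=memory
2017-06-24T10:02:30Z 10.0.0.15 194.58.119.78 POST sll.goog.jakioo.com /new_and/post990.php
2017-06-24T10:03:00Z 10.0.0.22 93.184.216.34 GET www.example.com /index.html
2017-06-26T08:15:44Z 10.0.0.15 31.11.32.166 GET www.tecnostampistoro.it /wpp/11itundmf.exe
2017-06-26T08:15:50Z 10.0.0.15 81.31.147.141 GET sipbc.it /libraries/fof/form/farm.dmg
"""

# Stager check-in: r6.php queried with group=<name> or cmd=p / cmd=e / cmd=l,
# exactly the parameter shapes seen in the post's indicator lists.
R6_STAGER = re.compile(r"/r6\.php\?(?:group=\w+|cmd=[pel](?:&|$))")

# Post-infection POST beacon path from the indicator lists.
POST_C2 = re.compile(r"/new_and/post990\.php$")

# Follow-on payload fetches: the observed downloads end in these extensions.
PAYLOAD_DL = re.compile(r"\.(?:exe|zip|dmg|pack)$", re.IGNORECASE)

# One alert: (client_ip, label, host, uri)
Alert = Tuple[str, str, str, str]


def classify(method: str, uri: str) -> Optional[str]:
    """Return a detection label for a single request, or None if it looks benign."""
    if R6_STAGER.search(uri):
        return "andromeda_r6_checkin"
    if method == "POST" and POST_C2.search(uri):
        return "andromeda_post_c2"
    if PAYLOAD_DL.search(uri):
        # Weak on its own; meaningful when the same client also checked in above.
        return "payload_download"
    return None


def scan_http_log(text: str) -> List[Alert]:
    """Parse the six-field log format and return one alert per matching request."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line; skip rather than guess field positions
        _ts, client_ip, _server_ip, method, host, uri = fields
        label = classify(method, uri)
        if label:
            alerts.append((client_ip, label, host, uri))
    return alerts


def infected_clients(alerts: List[Alert]) -> Set[str]:
    """Clients that produced a stager check-in or C2 POST (not downloads alone)."""
    return {ip for ip, label, _h, _u in alerts if label.startswith("andromeda_")}


if __name__ == "__main__":
    found = scan_http_log(SAMPLE_LOG)
    for client_ip, label, host, uri in found:
        print(f"{client_ip} {label:22} {host}{uri}")
    print("clients with Andromeda C2 activity:", sorted(infected_clients(found)))
```

The `payload_download` rule is deliberately kept out of `infected_clients`: an extension match alone is noisy on a real proxy log, so it is only worth escalating when the same client has already produced an `r6.php` check-in or the `post990.php` POST, which is the sequence the two lists above document.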

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Andromeda infection and post-infection downloads of additional malware

Shown above: TOR client uses registry to remain persistent

MALICIOUS PAYLOADS ASSOCIATED WITH ANDROMEDA:

  • inv.12873282.js – [MALSPAM ATTACHMENT] – Hybrid-Analysis report
  • 48559.exe – [ANDROMEDA] – Hybrid-Analysis report
  • cdo5421752.dll – [SECONDARY DOWNLOAD] – VirusTotal report
  • KB00073679.exe – [SECONDARY DOWNLOAD] – Hybrid-Analysis report