Andromeda is one of the longest running and most prevalent malware families to have existed. Andromeda was first discovered in late 2011 and it probably evolved from ngrBot/DorkBot. Throughout its existence, the groups behind Andromeda have used various methods to spread the malware and infect users. We have seen Andromeda spread via spam email campaigns with infected files attached (doc, xls, pdf, zip...), through illegal download sites, warez (infected cracks, keygens...), or infecting users via other phishing campaigns.

In recent months, the authors have mainly focused on spreading Andromeda via exploit kits (Neutrino, Nuclear, Angler...) located on compromised websites or advertisement services. These exploit kits are mainly found on dubious sites (p0rn, warez, video streaming sites, share sites etc.) but occasionally appear on trusted sites as well. Andromeda binary files are almost always stored on hacked websites, but we have also discovered files hosted on a few dedicated servers that only host malware. Not only have we seen Andromeda appear on hacked websites, but we have also seen its plugins being distributed on , a repository that hosts 7zip, VLC player, OpenOffice, FileZilla and other popular open source projects.

This analysis covers the latest variant of Andromeda samples, which began spreading at the beginning of this year. The authors have not made many changes to Andromeda's core binary file, but they are constantly changing the PE packer/obfuscator in the topmost layer. Andromeda uses various PE packers of different quality to avoid AV detections. Some packers also contain other anti-VM/emulation/debug tricks. We've seen a packer very similar to Zbot (based on its source code), obfuscated Visual Basic and .NET binaries and even a few custom packers reminiscent of Dridex included in the Andromeda variant.

Andromeda's authors put a lot of effort into diversifying their portfolio of infection droppers and into disabling, or at least complicating, the sample submission and exchange between AV companies and their regular process used to scan and thoroughly analyze files. To achieve this, they update the custom packers daily and, as a bonus, they bloat the binaries with more than 70 MB of garbage. This strategy can either significantly prolong the sample upload (on a slow connection) or cause an overflow of the scan/submit limits of some antivirus scanning engines (or online scanning services, respectively). On the other hand, this trick is suspicious and it can help to heuristically detect the file.

## Zbot-like packer in detail

Andromeda's top-layer packer is interesting and deserves a closer look. The packer is very similar to that of Zbot, based on the source code. The encrypted payload is stored inside the ".rsrc" section as the "raw data". The Andromeda payload is twice encrypted with custom encryption and compressed by the RtlCompressBuffer API function with LZ compression (0x002 - COMPRESSION_FORMAT_LZNT1). The custom encryption uses random seed values and generic obfuscation with lots of SMC (self-modifying code) and junk instructions. The decrypted data is then ready for decompression via the significant RtlDecompressBuffer API function.

Under all of the obfuscated layers, we found a typical Andromeda payload loader binary. The entire loader is very minimalistic (~20 kB) and includes the final malware payload in compressed (aPLib) and encrypted (RC4) form, plus a hardcoded config structure. The structure, which is 0x28 (40) bytes long, is hardcoded right before the encrypted payload and contains seven values:

- RC4 key for payload decryption (first 16 bytes).
- Heap allocation size for decompressed payload data (dword).
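The following Python is an added example, not code from the original analysis or from the Andromeda loader itself: it carves the 40-byte config structure that precedes the encrypted payload, pulls out the RC4 key and heap size, and strips the RC4 layer so the aPLib stream can be handed to a decompressor. It assumes the RC4 key occupies the first 16 bytes (as stated above) and that the heap-size dword sits at offset 16, which is an assumption; the other five values are left unparsed and all sample bytes are constructed.

```python
import struct

CONFIG_SIZE = 0x28  # 40 bytes holding the seven config values

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_config(blob: bytes) -> dict:
    """Split blob into the hardcoded config and the encrypted payload that follows it."""
    if len(blob) < CONFIG_SIZE:
        raise ValueError("blob shorter than the 40-byte config structure")
    cfg = blob[:CONFIG_SIZE]
    return {
        "rc4_key": cfg[:16],                                # first 16 bytes (from the analysis)
        "heap_size": struct.unpack_from("<I", cfg, 16)[0],  # dword; offset 16 is ASSUMED
        "unparsed": cfg[20:],                               # remaining five values, not decoded here
        "encrypted_payload": blob[CONFIG_SIZE:],
    }

def strip_rc4_layer(blob: bytes) -> dict:
    """Remove the RC4 layer; the returned payload is still aPLib-compressed.
    'plausible' is a heuristic: the heap reserved for the decompressed data
    should normally be at least as large as the compressed stream, so a smaller
    value hints at a wrong key or a wrong field offset."""
    cfg = parse_config(blob)
    payload = rc4(cfg["rc4_key"], cfg["encrypted_payload"])
    return {"heap_size": cfg["heap_size"], "payload": payload,
            "plausible": cfg["heap_size"] >= len(payload)}

def build_sample_blob() -> tuple:
    """Constructed test data: a fake config followed by an RC4-encrypted fake payload."""
    key = bytes(range(0x10, 0x20))
    fake_compressed = b"APLIB-COMPRESSED-PAYLOAD-PLACEHOLDER" * 2
    cfg = key + struct.pack("<I", 0x4000) + b"\x00" * 20
    return cfg + rc4(key, fake_compressed), fake_compressed
```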