win.crosswalk

CROSSWALK

Actor(s): APT41
According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.

References
2020-07-29 - welivesecurity (ESET Research): "THREAT REPORT Q2 2020"
    https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf (accessed 2020-07-30)
    Families covered: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos Ransomware, PlugX, Pony, REvil, Socelars, STOP Ransomware, Tinba, TrickBot, WannaCryptor

2019-09-30 - Scott Knight (vmware): "CB Threat Analysis Unit: Technical Analysis of 'Crosswalk'"
    https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/ (accessed 2020-04-21)
    Families covered: CROSSWALK

2019-08-09 - FireEye: "Double Dragon APT41, a dual espionage and cyber crime operation"
    https://content.fireeye.com/apt-41/rpt-apt41/ (accessed 2019-12-18)
    Families covered: CLASSFON, crackshot, CROSSWALK, GEARSHIFT, HIGHNOON, HIGHNOON.BIN, JUMPALL, poisonplug, Winnti

2018-12-24 - Dan Perez (Twitter, @MrDanPerez): "Tweet on hashes for CROSSWALK"
    https://twitter.com/MrDanPerez/status/1159459082534825986 (accessed 2019-11-27)
    Families covered: CROSSWALK
Yara Rules
[TLP:WHITE] win_crosswalk_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_crosswalk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 8d1c85d48b4100 8b03 8b15???????? 83cfff 8bca 33d0 }
            // n = 6, score = 200
            //   8d1c85d48b4100       | lea                 ebx, [eax*4 + 0x418bd4]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b15????????         |                     
            //   83cfff               | or                  edi, 0xffffffff
            //   8bca                 | mov                 ecx, edx
            //   33d0                 | xor                 edx, eax

        $sequence_1 = { eb07 8b0cc50c644100 894de4 85c9 7455 8b4510 8945e8 }
            // n = 7, score = 200
            //   eb07                 | jmp                 9
            //   8b0cc50c644100       | mov                 ecx, dword ptr [eax*8 + 0x41640c]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   85c9                 | test                ecx, ecx
            //   7455                 | je                  0x57
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_2 = { 8d7901 897df4 3bfb 0f8e6fffffff 83c8ff eb07 8b04cd743f4100 }
            // n = 7, score = 200
            //   8d7901               | lea                 edi, [ecx + 1]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   3bfb                 | cmp                 edi, ebx
            //   0f8e6fffffff         | jle                 0xffffff75
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb07                 | jmp                 9
            //   8b04cd743f4100       | mov                 eax, dword ptr [ecx*8 + 0x413f74]

        $sequence_3 = { 85c0 7f19 68???????? e8???????? 83c404 b801000000 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7f19                 | jg                  0x1b
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   b801000000           | mov                 eax, 1

        $sequence_4 = { c74634f41a4100 57 ff7634 e8???????? 59 59 5f }
            // n = 7, score = 200
            //   c74634f41a4100       | mov                 dword ptr [esi + 0x34], 0x411af4
            //   57                   | push                edi
            //   ff7634               | push                dword ptr [esi + 0x34]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi

        $sequence_5 = { 03048d808e4100 50 ff15???????? 5d c3 8bff }
            // n = 6, score = 200
            //   03048d808e4100       | add                 eax, dword ptr [ecx*4 + 0x418e80]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_6 = { 56 ff15???????? 68a0860100 ff15???????? 68???????? e8???????? }
            // n = 6, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   68a0860100           | push                0x186a0
            //   ff15????????         |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_7 = { e9???????? c745dc03000000 eb7c c745e0205b4100 ebbb d9e8 8b4510 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   c745dc03000000       | mov                 dword ptr [ebp - 0x24], 3
            //   eb7c                 | jmp                 0x7e
            //   c745e0205b4100       | mov                 dword ptr [ebp - 0x20], 0x415b20
            //   ebbb                 | jmp                 0xffffffbd
            //   d9e8                 | fld1                
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_8 = { 488b8100010000 4885c0 7404 f0440108 488d4138 41b806000000 488d15a9e30000 }
            // n = 7, score = 100
            //   488b8100010000       | dec                 eax
            //   4885c0               | sar                 eax, 6
            //   7404                 | dec                 eax
            //   f0440108             | lea                 ecx, [0xd62c]
            //   488d4138             | mov                 eax, 8
            //   41b806000000         | dec                 eax
            //   488d15a9e30000       | imul                eax, eax, 1

        $sequence_9 = { ff15???????? 4821742420 4c8d4c2468 448bc5 488bd7 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   4821742420           | dec                 eax
            //   4c8d4c2468           | and                 dword ptr [esp + 0x20], esi
            //   448bc5               | dec                 esp
            //   488bd7               | lea                 ecx, [esp + 0x68]

        $sequence_10 = { 488b0d???????? 488d1d590e0100 483bcb 740c e8???????? 48891d???????? }
            // n = 6, score = 100
            //   488b0d????????       |                     
            //   488d1d590e0100       | dec                 eax
            //   483bcb               | mov                 dword ptr [esp + eax + 0x20], ecx
            //   740c                 | dec                 eax
            //   e8????????           |                     
            //   48891d????????       |                     

        $sequence_11 = { b808000000 486bc001 488b0d???????? 48894c0420 488d0d2dab0000 }
            // n = 5, score = 100
            //   b808000000           | mov                 edi, ecx
            //   486bc001             | dec                 esp
            //   488b0d????????       |                     
            //   48894c0420           | arpl                dx, dx
            //   488d0d2dab0000       | dec                 ecx

        $sequence_12 = { f00fc103 83f801 7516 488d05c9f40000 }
            // n = 4, score = 100
            //   f00fc103             | inc                 esp
            //   83f801               | mov                 eax, ebp
            //   7516                 | dec                 eax
            //   488d05c9f40000       | mov                 edx, edi

        $sequence_13 = { 48d3ca 4933d0 4b8794fe40600100 eb2d }
            // n = 4, score = 100
            //   48d3ca               | lea                 ecx, [0xab2d]
            //   4933d0               | dec                 esp
            //   4b8794fe40600100     | lea                 ecx, [0x9016]
            //   eb2d                 | vsubsd              xmm1, xmm1, xmm2

        $sequence_14 = { 488bf9 4c63d2 498bc2 418be9 48c1f806 488d0d2cd60000 }
            // n = 6, score = 100
            //   488bf9               | lock xadd           dword ptr [ebx], eax
            //   4c63d2               | cmp                 eax, 1
            //   498bc2               | jne                 0x1b
            //   418be9               | dec                 eax
            //   48c1f806             | lea                 eax, [0xf4c9]
            //   488d0d2cd60000       | dec                 eax

        $sequence_15 = { c5f1eb0d???????? 4c8d0d16900000 c5f35cca c4c173590cc1 }
            // n = 4, score = 100
            //   c5f1eb0d????????     |                     
            //   4c8d0d16900000       | mov                 eax, edx
            //   c5f35cca             | inc                 ecx
            //   c4c173590cc1         | mov                 ebp, ecx

    condition:
        7 of them and filesize < 237568
}