Actor(s): APT41
According to FireEye, CROSSWALK is a minimal ("skeletal") modular backdoor: it performs a basic system survey and loads additional modules on demand in response to command-and-control (C&C) replies, so the capabilities seen in any one sample depend on what the operator pushed to it.
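rule win_crosswalk_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-byte disassembly annotations in the published copy of this rule
     *   did not line up with the bytes they sat next to (e.g. 33f6 was labelled
     *   "inc ecx"; it is "xor esi, esi"). The annotations below are a manual
     *   re-decode of the literal byte patterns. The score-1300 sequences carry
     *   REX prefixes (41/44/45/48/49/4c) and are decoded as x86-64; the
     *   score-200 sequences use 32-bit absolute addresses (0x418e80, 0x415980)
     *   and are decoded as 32-bit x86. The two groups appear to come from
     *   different builds, so a single sample is unlikely to hit both sets.
     * - "n" is the number of instructions in the sequence, "score" is
     *   yara-signator's per-sequence weight; neither affects matching.
     * - The byte patterns and the condition are unchanged from the generated
     *   rule. Per the YARA documentation, `filesize` is undefined when scanning
     *   a running process, which makes the whole condition false; for live
     *   process scans, use a copy of this rule without the size clause.
     */

    strings:
        $sequence_0 = { 33f6 8d6e20 8bcd e8???????? }
            // n = 4, score = 1300
            // 33f6         | xor esi, esi
            // 8d6e20       | lea ebp, [rsi+0x20]
            // 8bcd         | mov ecx, ebp
            // e8????????   | call <rel32>

        $sequence_1 = { d3ca 03d0 4183ef01 75ef }
            // n = 4, score = 1300
            // d3ca         | ror edx, cl
            // 03d0         | add edx, eax
            // 4183ef01     | sub r15d, 1
            // 75ef         | jne <short, backwards>   ; rotate/add loop (looks like a string hash)

        $sequence_2 = { 4c8bc6 33d2 410fbe00 49ffc0 d3ca 03d0 }
            // n = 6, score = 1300
            // 4c8bc6       | mov r8, rsi
            // 33d2         | xor edx, edx
            // 410fbe00     | movsx eax, byte ptr [r8]
            // 49ffc0       | inc r8
            // d3ca         | ror edx, cl
            // 03d0         | add edx, eax              ; same hash loop as $sequence_1, entry side

        $sequence_3 = { 458d7ee0 418bd7 ff15???????? 4821742420 }
            // n = 4, score = 1300
            // 458d7ee0     | lea r15d, [r14-0x20]
            // 418bd7       | mov edx, r15d
            // ff15???????? | call qword ptr [rip+<disp32>]
            // 4821742420   | and qword ptr [rsp+0x20], rsi

        $sequence_4 = { c1e81f 03d0 69c2890e0000 3bc8 }
            // n = 4, score = 1300
            // c1e81f       | shr eax, 0x1f
            // 03d0         | add edx, eax
            // 69c2890e0000 | imul eax, edx, 0xe89
            // 3bc8         | cmp ecx, eax              ; tail of a compiler-generated signed div/mod by 0xe89 (3721)

        $sequence_5 = { 458bc6 33d2 488bc8 e8???????? 4533c9 }
            // n = 5, score = 1300
            // 458bc6       | mov r8d, r14d
            // 33d2         | xor edx, edx
            // 488bc8       | mov rcx, rax
            // e8????????   | call <rel32>
            // 4533c9       | xor r9d, r9d

        $sequence_6 = { ff15???????? 448bf0 4533c9 4533c0 }
            // n = 4, score = 1300
            // ff15???????? | call qword ptr [rip+<disp32>]
            // 448bf0       | mov r14d, eax
            // 4533c9       | xor r9d, r9d
            // 4533c0       | xor r8d, r8d              ; zeroing 3rd/4th args before the next call

        $sequence_7 = { 418bc0 f7e9 03d1 c1fa0b 8bc2 c1e81f 03d0 }
            // n = 7, score = 1300
            // 418bc0       | mov eax, r8d
            // f7e9         | imul ecx
            // 03d1         | add edx, ecx
            // c1fa0b       | sar edx, 0xb
            // 8bc2         | mov eax, edx
            // c1e81f       | shr eax, 0x1f
            // 03d0         | add edx, eax              ; magic-number signed division, pairs with $sequence_4

        $sequence_8 = { a1???????? 897de0 394508 7c1f 3934bd808e4100 7531 e8???????? }
            // n = 7, score = 200
            // a1????????     | mov eax, dword ptr [<abs32>]
            // 897de0         | mov dword ptr [ebp-0x20], edi
            // 394508         | cmp dword ptr [ebp+8], eax
            // 7c1f           | jl <short>
            // 3934bd808e4100 | cmp dword ptr [edi*4+0x418e80], esi
            // 7531           | jne <short>
            // e8????????     | call <rel32>

        $sequence_9 = { f20f59db 660f282d???????? 660f59f5 660f28aa80594100 }
            // n = 4, score = 200
            // f20f59db         | mulsd xmm3, xmm3
            // 660f282d???????? | movapd xmm5, xmmword ptr [<abs32>]
            // 660f59f5         | mulpd xmm6, xmm5
            // 660f28aa80594100 | movapd xmm5, xmmword ptr [edx+0x415980]

        $sequence_10 = { 53 56 8b0485808e4100 33db 8b7508 }
            // n = 5, score = 200
            // 53             | push ebx
            // 56             | push esi
            // 8b0485808e4100 | mov eax, dword ptr [eax*4+0x418e80]
            // 33db           | xor ebx, ebx
            // 8b7508         | mov esi, dword ptr [ebp+8]

        $sequence_11 = { 6a00 8d78f4 57 56 }
            // n = 4, score = 200
            // 6a00         | push 0
            // 8d78f4       | lea edi, [eax-0xc]
            // 57           | push edi
            // 56           | push esi

        $sequence_12 = { c745e0245b4100 8b4508 8bcf 8b7510 dd00 8b450c dd5de4 }
            // n = 7, score = 200
            // c745e0245b4100 | mov dword ptr [ebp-0x20], 0x415b24
            // 8b4508         | mov eax, dword ptr [ebp+8]
            // 8bcf           | mov ecx, edi
            // 8b7510         | mov esi, dword ptr [ebp+0x10]
            // dd00           | fld qword ptr [eax]
            // 8b450c         | mov eax, dword ptr [ebp+0xc]
            // dd5de4         | fstp qword ptr [ebp-0x1c]

        $sequence_13 = { 8b04bd808e4100 f644032801 7444 837c0318ff 743d }
            // n = 5, score = 200
            // 8b04bd808e4100 | mov eax, dword ptr [edi*4+0x418e80]
            // f644032801     | test byte ptr [ebx+eax+0x28], 1
            // 7444           | je <short>
            // 837c0318ff     | cmp dword ptr [ebx+eax+0x18], -1
            // 743d           | je <short>                ; 0x418e80 table also used by $sequence_8/10

        $sequence_14 = { 8be5 5d c3 6a40 6800100000 50 }
            // n = 6, score = 200
            // 8be5         | mov esp, ebp
            // 5d           | pop ebp
            // c3           | ret
            // 6a40         | push 0x40
            // 6800100000   | push 0x1000
            // 50           | push eax                  ; 0x40/0x1000 are consistent with PAGE_EXECUTE_READWRITE/MEM_COMMIT
                                                        ; (VirtualAlloc-style args) - not confirmed from these bytes alone

        $sequence_15 = { 660f28aa80594100 660f54e5 660f58fe 660f58fc 660f59c8 }
            // n = 5, score = 200
            // 660f28aa80594100 | movapd xmm5, xmmword ptr [edx+0x415980]
            // 660f54e5         | andpd xmm4, xmm5
            // 660f58fe         | addpd xmm7, xmm6
            // 660f58fc         | addpd xmm7, xmm4
            // 660f59c8         | mulpd xmm1, xmm0

    condition:
        7 of them and filesize < 286720
}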