SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crosswalk (Back to overview)

CROSSWALK

aka: ProxIP, Motnug

Actor(s): APT41

According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.

References
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2019-09-30vmwareScott Knight
@online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } CB Threat Analysis Unit: Technical Analysis of “Crosswalk”
CROSSWALK
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2018-12-24Twitter (@MrDanPerez)Dan Perez
@online{perez:20181224:hashes:9a4fc8c, author = {Dan Perez}, title = {{Tweet on hashes for CROSSWALK}}, date = {2018-12-24}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159459082534825986}, language = {English}, urldate = {2019-11-27} } Tweet on hashes for CROSSWALK
CROSSWALK
Yara Rules
[TLP:WHITE] win_crosswalk_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_crosswalk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 448bf0 4533c9 4533c0 }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   448bf0               | sub                 edi, 1
            //   4533c9               | jne                 0xfffffff7
            //   4533c0               | add                 edx, ecx

        $sequence_1 = { 33d2 488bc8 e8???????? 4533c9 4533c0 33d2 }
            // n = 6, score = 1300
            //   33d2                 | xor                 edx, edx
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   4533c9               | mov                 ecx, eax
            //   4533c0               | inc                 ebp
            //   33d2                 | xor                 ecx, ecx

        $sequence_2 = { 4c8bc6 33d2 410fbe00 49ffc0 d3ca }
            // n = 5, score = 1300
            //   4c8bc6               | sar                 edx, 0xb
            //   33d2                 | mov                 eax, edx
            //   410fbe00             | shr                 eax, 0x1f
            //   49ffc0               | add                 edx, eax
            //   d3ca                 | imul                eax, edx, 0xe89

        $sequence_3 = { 41b88d56e68c 418bc0 f7e9 03d1 c1fa0b 8bc2 }
            // n = 6, score = 1300
            //   41b88d56e68c         | and                 dword ptr [esp + 0x20], esi
            //   418bc0               | sar                 edx, 0xb
            //   f7e9                 | mov                 eax, edx
            //   03d1                 | shr                 eax, 0x1f
            //   c1fa0b               | add                 edx, eax
            //   8bc2                 | imul                eax, edx, 0xe89

        $sequence_4 = { 458d7ee0 418bd7 ff15???????? 4821742420 }
            // n = 4, score = 1300
            //   458d7ee0             | inc                 ebp
            //   418bd7               | xor                 eax, eax
            //   ff15????????         |                     
            //   4821742420           | xor                 edx, edx

        $sequence_5 = { 49ffc0 d3ca 03d0 4183ef01 75ef }
            // n = 5, score = 1300
            //   49ffc0               | inc                 ecx
            //   d3ca                 | mov                 eax, 0x8ce6568d
            //   03d0                 | inc                 ecx
            //   4183ef01             | mov                 eax, eax
            //   75ef                 | imul                ecx

        $sequence_6 = { 33f6 8d6e20 8bcd e8???????? }
            // n = 4, score = 1300
            //   33f6                 | cmp                 ecx, eax
            //   8d6e20               | inc                 ecx
            //   8bcd                 | movsx               eax, byte ptr [eax]
            //   e8????????           |                     

        $sequence_7 = { c1fa0b 8bc2 c1e81f 03d0 69c2890e0000 }
            // n = 5, score = 1300
            //   c1fa0b               | inc                 ebp
            //   8bc2                 | lea                 edi, [esi - 0x20]
            //   c1e81f               | inc                 ecx
            //   03d0                 | mov                 edx, edi
            //   69c2890e0000         | dec                 eax

        $sequence_8 = { c70021000000 e9???????? 894ddc c745e0185b4100 e9???????? c745e0145b4100 eba2 }
            // n = 7, score = 200
            //   c70021000000         | mov                 eax, esi
            //   e9????????           |                     
            //   894ddc               | xor                 edx, edx
            //   c745e0185b4100       | dec                 eax
            //   e9????????           |                     
            //   c745e0145b4100       | mov                 ecx, eax
            //   eba2                 | inc                 ebp

        $sequence_9 = { 8904bd808e4100 85c0 7514 6a0c 5e 8975e4 c745fcfeffffff }
            // n = 7, score = 200
            //   8904bd808e4100       | mov                 eax, eax
            //   85c0                 | imul                ecx
            //   7514                 | add                 edx, ecx
            //   6a0c                 | sar                 edx, 0xb
            //   5e                   | mov                 eax, edx
            //   8975e4               | shr                 eax, 0x1f
            //   c745fcfeffffff       | add                 edx, eax

        $sequence_10 = { 83e03f 6bd030 8955e0 8b048d808e4100 }
            // n = 4, score = 200
            //   83e03f               | inc                 ecx
            //   6bd030               | sub                 edi, 1
            //   8955e0               | jne                 0xfffffff9
            //   8b048d808e4100       | inc                 ebp

        $sequence_11 = { 8bec 8b4d08 33c0 3b0cc5501c4100 7427 40 83f82d }
            // n = 7, score = 200
            //   8bec                 | xor                 ecx, ecx
            //   8b4d08               | inc                 ebp
            //   33c0                 | lea                 edi, [esi - 0x20]
            //   3b0cc5501c4100       | inc                 ecx
            //   7427                 | mov                 edx, edi
            //   40                   | dec                 eax
            //   83f82d               | and                 dword ptr [esp + 0x20], esi

        $sequence_12 = { 8b55d4 8a07 8b0c95808e4100 8844192e 8b0495808e4100 }
            // n = 5, score = 200
            //   8b55d4               | dec                 ecx
            //   8a07                 | inc                 eax
            //   8b0c95808e4100       | ror                 edx, cl
            //   8844192e             | add                 edx, eax
            //   8b0495808e4100       | inc                 ecx

        $sequence_13 = { 50 ff7304 57 56 ff15???????? 85c0 }
            // n = 6, score = 200
            //   50                   | sar                 edx, 0xb
            //   ff7304               | dec                 ecx
            //   57                   | inc                 eax
            //   56                   | ror                 edx, cl
            //   ff15????????         |                     
            //   85c0                 | add                 edx, eax

        $sequence_14 = { 0f850c120000 8d0dc0584100 ba1b000000 e9???????? a900000080 7517 ebd4 }
            // n = 7, score = 200
            //   0f850c120000         | imul                eax, edx, 0xe89
            //   8d0dc0584100         | cmp                 ecx, eax
            //   ba1b000000           | ror                 edx, cl
            //   e9????????           |                     
            //   a900000080           | add                 edx, eax
            //   7517                 | inc                 ecx
            //   ebd4                 | sub                 edi, 1

        $sequence_15 = { eb17 894638 eb0e c74634f41a4100 c7463806000000 }
            // n = 5, score = 200
            //   eb17                 | dec                 esp
            //   894638               | mov                 eax, esi
            //   eb0e                 | xor                 edx, edx
            //   c74634f41a4100       | inc                 ecx
            //   c7463806000000       | movsx               eax, byte ptr [eax]

    condition:
        7 of them and filesize < 286720
}
Download all Yara Rules