Actor(s): APT41
According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.
rule win_crosswalk_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d1c85d48b4100 8b03 8b15???????? 83cfff 8bca 33d0 } // n = 6, score = 200 // 8d1c85d48b4100 | lea ebx, [eax*4 + 0x418bd4] // 8b03 | mov eax, dword ptr [ebx] // 8b15???????? | // 83cfff | or edi, 0xffffffff // 8bca | mov ecx, edx // 33d0 | xor edx, eax $sequence_1 = { eb07 8b0cc50c644100 894de4 85c9 7455 8b4510 8945e8 } // n = 7, score = 200 // eb07 | jmp 9 // 8b0cc50c644100 | mov ecx, dword ptr [eax*8 + 0x41640c] // 894de4 | mov dword ptr [ebp - 0x1c], ecx // 85c9 | test ecx, ecx // 7455 | je 0x57 // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 8945e8 | mov dword ptr [ebp - 0x18], eax $sequence_2 = { 8d7901 897df4 3bfb 0f8e6fffffff 83c8ff eb07 8b04cd743f4100 } // n = 7, score = 200 // 8d7901 | lea edi, [ecx + 1] // 897df4 | mov dword ptr [ebp - 0xc], edi // 3bfb | cmp edi, ebx // 0f8e6fffffff | jle 0xffffff75 // 83c8ff | or eax, 0xffffffff // eb07 | jmp 9 // 8b04cd743f4100 | mov eax, dword ptr [ecx*8 + 0x413f74] $sequence_3 = { 85c0 7f19 68???????? e8???????? 83c404 b801000000 } // n = 6, score = 200 // 85c0 | test eax, eax // 7f19 | jg 0x1b // 68???????? | // e8???????? | // 83c404 | add esp, 4 // b801000000 | mov eax, 1 $sequence_4 = { c74634f41a4100 57 ff7634 e8???????? 59 59 5f } // n = 7, score = 200 // c74634f41a4100 | mov dword ptr [esi + 0x34], 0x411af4 // 57 | push edi // ff7634 | push dword ptr [esi + 0x34] // e8???????? | // 59 | pop ecx // 59 | pop ecx // 5f | pop edi $sequence_5 = { 03048d808e4100 50 ff15???????? 5d c3 8bff } // n = 6, score = 200 // 03048d808e4100 | add eax, dword ptr [ecx*4 + 0x418e80] // 50 | push eax // ff15???????? | // 5d | pop ebp // c3 | ret // 8bff | mov edi, edi $sequence_6 = { 56 ff15???????? 68a0860100 ff15???????? 68???????? e8???????? } // n = 6, score = 200 // 56 | push esi // ff15???????? | // 68a0860100 | push 0x186a0 // ff15???????? | // 68???????? | // e8???????? | $sequence_7 = { e9???????? c745dc03000000 eb7c c745e0205b4100 ebbb d9e8 8b4510 } // n = 7, score = 200 // e9???????? | // c745dc03000000 | mov dword ptr [ebp - 0x24], 3 // eb7c | jmp 0x7e // c745e0205b4100 | mov dword ptr [ebp - 0x20], 0x415b20 // ebbb | jmp 0xffffffbd // d9e8 | fld1 // 8b4510 | mov eax, dword ptr [ebp + 0x10] $sequence_8 = { 488b8100010000 4885c0 7404 f0440108 488d4138 41b806000000 488d15a9e30000 } // n = 7, score = 100 // 488b8100010000 | dec eax // 4885c0 | sar eax, 6 // 7404 | dec eax // f0440108 | lea ecx, [0xd62c] // 488d4138 | mov eax, 8 // 41b806000000 | dec eax // 488d15a9e30000 | imul eax, eax, 1 $sequence_9 = { ff15???????? 4821742420 4c8d4c2468 448bc5 488bd7 } // n = 5, score = 100 // ff15???????? | // 4821742420 | dec eax // 4c8d4c2468 | and dword ptr [esp + 0x20], esi // 448bc5 | dec esp // 488bd7 | lea ecx, [esp + 0x68] $sequence_10 = { 488b0d???????? 488d1d590e0100 483bcb 740c e8???????? 48891d???????? } // n = 6, score = 100 // 488b0d???????? | // 488d1d590e0100 | dec eax // 483bcb | mov dword ptr [esp + eax + 0x20], ecx // 740c | dec eax // e8???????? | // 48891d???????? | $sequence_11 = { b808000000 486bc001 488b0d???????? 48894c0420 488d0d2dab0000 } // n = 5, score = 100 // b808000000 | mov edi, ecx // 486bc001 | dec esp // 488b0d???????? | // 48894c0420 | arpl dx, dx // 488d0d2dab0000 | dec ecx $sequence_12 = { f00fc103 83f801 7516 488d05c9f40000 } // n = 4, score = 100 // f00fc103 | inc esp // 83f801 | mov eax, ebp // 7516 | dec eax // 488d05c9f40000 | mov edx, edi $sequence_13 = { 48d3ca 4933d0 4b8794fe40600100 eb2d } // n = 4, score = 100 // 48d3ca | lea ecx, [0xab2d] // 4933d0 | dec esp // 4b8794fe40600100 | lea ecx, [0x9016] // eb2d | vsubsd xmm1, xmm1, xmm2 $sequence_14 = { 488bf9 4c63d2 498bc2 418be9 48c1f806 488d0d2cd60000 } // n = 6, score = 100 // 488bf9 | lock xadd dword ptr [ebx], eax // 4c63d2 | cmp eax, 1 // 498bc2 | jne 0x1b // 418be9 | dec eax // 48c1f806 | lea eax, [0xf4c9] // 488d0d2cd60000 | dec eax $sequence_15 = { c5f1eb0d???????? 4c8d0d16900000 c5f35cca c4c173590cc1 } // n = 4, score = 100 // c5f1eb0d???????? | // 4c8d0d16900000 | mov eax, edx // c5f35cca | inc ecx // c4c173590cc1 | mov ebp, ecx condition: 7 of them and filesize < 237568 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
