Actor(s): APT41
According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.
rule win_crosswalk_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2019-11-26" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator 0.1a" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk" malpedia_version = "20190204" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach will be published in the near future here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 81fea0264100 7418 8b86b0000000 85c0 } // n = 4, score = 200 // 81fea0264100 | cmp esi, 0x4126a0 // 7418 | je 0x1a // 8b86b0000000 | mov eax, dword ptr [esi + 0xb0] // 85c0 | test eax, eax $sequence_1 = { 03148d808e4100 8b00 894218 8a03 884228 8b45fc } // n = 6, score = 200 // 03148d808e4100 | add edx, dword ptr [ecx*4 + 0x418e80] // 8b00 | mov eax, dword ptr [eax] // 894218 | mov dword ptr [edx + 0x18], eax // 8a03 | mov al, byte ptr [ebx] // 884228 | mov byte ptr [edx + 0x28], al // 8b45fc | mov eax, dword ptr [ebp - 4] $sequence_2 = { 6804134100 6a04 e8???????? 8bf0 } // n = 4, score = 200 // 6804134100 | push 0x411304 // 6a04 | push 4 // e8???????? | // 8bf0 | mov esi, eax $sequence_3 = { c3 6874224100 686c224100 6874224100 6a01 } // n = 5, score = 200 // c3 | ret // 6874224100 | push 0x412274 // 686c224100 | push 0x41226c // 6874224100 | push 0x412274 // 6a01 | push 1 $sequence_4 = { 56 33f6 8b86808e4100 85c0 740e } // n = 5, score = 200 // 56 | push esi // 33f6 | xor esi, esi // 8b86808e4100 | mov eax, dword ptr [esi + 0x418e80] // 85c0 | test eax, eax // 740e | je 0x10 $sequence_5 = { 8bd7 c1fa06 8bc7 83e03f 6bc830 8b0495808e4100 f644082801 } // n = 7, score = 200 // 8bd7 | mov edx, edi // c1fa06 | sar edx, 6 // 8bc7 | mov eax, edi // 83e03f | and eax, 0x3f // 6bc830 | imul ecx, eax, 0x30 // 8b0495808e4100 | mov eax, dword ptr [edx*4 + 0x418e80] // f644082801 | test byte ptr [eax + ecx + 0x28], 1 $sequence_6 = { 6894224100 688c224100 68d4124100 6a04 e8???????? 83c410 } // n = 6, score = 200 // 6894224100 | push 0x412294 // 688c224100 | push 0x41228c // 68d4124100 | push 0x4112d4 // 6a04 | push 4 // e8???????? | // 83c410 | add esp, 0x10 $sequence_7 = { 6884584100 83600400 e9???????? 8d4508 50 e8???????? 59 } // n = 7, score = 200 // 6884584100 | push 0x415884 // 83600400 | and dword ptr [eax + 4], 0 // e9???????? | // 8d4508 | lea eax, [ebp + 8] // 50 | push eax // e8???????? | // 59 | pop ecx $sequence_8 = { 83e809 83f806 0f8722ffffff 39771c 0f8519ffffff } // n = 5, score = 100 // 83e809 | dec eax // 83f806 | cmp ecx, edx // 0f8722ffffff | jae 9 // 39771c | sub eax, 9 // 0f8519ffffff | cmp eax, 6 $sequence_9 = { 488bd0 48d3ca 4933d0 4b8794fe40600100 eb2d } // n = 5, score = 100 // 488bd0 | mov edx, 0x80000000 // 48d3ca | cmp dword ptr [edi + 4], esi // 4933d0 | jle 0xffffff88 // 4b8794fe40600100 | cmp dword ptr [edi], ebp // eb2d | jne 0xffffff88 $sequence_10 = { 0f8ec4000000 396c2430 0f85ba000000 48634704 85c0 0f8eae000000 392f } // n = 7, score = 100 // 0f8ec4000000 | jmp 0x2f // 396c2430 | mov eax, dword ptr [edi + 4] // 0f85ba000000 | cmp dword ptr [esp + 0x30], eax // 48634704 | jne 0x50 // 85c0 | dec eax // 0f8eae000000 | mov ecx, ebx // 392f | sar edx, 0xb $sequence_11 = { 448d4607 33c0 4533c9 4821442430 ba00000080 } // n = 5, score = 100 // 448d4607 | ja 0xffffff28 // 33c0 | cmp dword ptr [edi + 0x1c], esi // 4533c9 | jne 0xffffff28 // 4821442430 | inc esp // ba00000080 | lea eax, [esi + 7] $sequence_12 = { 397704 7e83 392f 0f857bffffff 8b4f0c } // n = 5, score = 100 // 397704 | xor eax, eax // 7e83 | inc ebp // 392f | xor ecx, ecx // 0f857bffffff | dec eax // 8b4f0c | and dword ptr [esp + 0x30], eax $sequence_13 = { c1fa0b 8bc2 c1e81f 03d0 69c2890e0000 } // n = 5, score = 100 // c1fa0b | ror edx, cl // 8bc2 | dec ecx // c1e81f | xor edx, eax // 03d0 | dec ebx // 69c2890e0000 | xchg dword ptr [esi + edi*8 + 0x16040], edx $sequence_14 = { 8b4704 39442430 7545 488bcb } // n = 4, score = 100 // 8b4704 | mov ecx, dword ptr [edi + 0xc] // 39442430 | dec eax // 7545 | mov edx, eax // 488bcb | dec eax $sequence_15 = { 488d05???????? eb04 4883c020 4883c428 c3 483bca 7304 } // n = 7, score = 100 // 488d05???????? | // eb04 | jmp 6 // 4883c020 | dec eax // 4883c428 | add eax, 0x20 // c3 | dec eax // 483bca | add esp, 0x28 // 7304 | ret condition: 7 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
