win.crutch

Crutch

Actor(s): Turla Group


There is no description at this point.

References
2021-04-29ESET ResearchRobert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-12-02ESET ResearchMatthieu Faou
@online{faou:20201202:turla:7f8c935, author = {Matthieu Faou}, title = {{Turla Crutch: Keeping the “back door” open}}, date = {2020-12-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/}, language = {English}, urldate = {2020-12-08} } Turla Crutch: Keeping the “back door” open
Crutch Gazer Turla Group
Yara Rules
[TLP:WHITE] win_crutch_auto (20211008 | Detects win.crutch.)
rule win_crutch_auto {

    /* Purpose: code-sequence signature for win.crutch (Crutch, attributed on
     * this page to Turla Group; see the ESET references above).
     * Each $sequence_N below is a 7-instruction 32-bit x86 byte pattern taken
     * from disassembly; "e8 ????????" is a CALL whose rel32 target is
     * wildcarded because it depends on code layout. The rule fires when any
     * 7 of the 10 sequences are present (see condition). */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.crutch."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b542428 8b742420 8b3a 81c604050000 e8???????? 5f 5e }
            // n = 7, score = 100
            //   8b542428             | mov                 edx, dword ptr [esp + 0x28]
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   8b3a                 | mov                 edi, dword ptr [edx]
            //   81c604050000         | add                 esi, 0x504
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { 33c0 803935 8d5102 0f9dc0 52 51 b914000000 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   803935               | cmp                 byte ptr [ecx], 0x35
            //   8d5102               | lea                 edx, dword ptr [ecx + 2]
            //   0f9dc0               | setge               al
            //   52                   | push                edx
            //   51                   | push                ecx
            //   b914000000           | mov                 ecx, 0x14
            // NOTE(review): 0x35 is ASCII '5' and 0x14 is 20 decimal; this looks
            // like character/number parsing, but the purpose is not established
            // by the bytes alone - confirm against the sample before relying on it.

        $sequence_2 = { 50 e8???????? 83c408 0fb7c0 6685ed 7662 0fb7c0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   0fb7c0               | movzx               eax, ax
            //   6685ed               | test                bp, bp
            //   7662                 | jbe                 0x64
            //   0fb7c0               | movzx               eax, ax

        $sequence_3 = { 6840420f00 99 51 56 8bf8 8bda e8???????? }
            // n = 7, score = 100
            //   6840420f00           | push                0xf4240
            //   99                   | cdq                 
            //   51                   | push                ecx
            //   56                   | push                esi
            //   8bf8                 | mov                 edi, eax
            //   8bda                 | mov                 ebx, edx
            //   e8????????           |                     
            // 0xf4240 = 1000000 decimal; cdq sign-extends eax into edx:eax ahead of
            // the wildcarded call (presumably a 64-bit division/scaling helper -
            // unverified).

        $sequence_4 = { 83ec10 8bc4 8910 8b9578060000 894804 8b8d7c060000 895008 }
            // n = 7, score = 100
            //   83ec10               | sub                 esp, 0x10
            //   8bc4                 | mov                 eax, esp
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b9578060000         | mov                 edx, dword ptr [ebp + 0x678]
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8b8d7c060000         | mov                 ecx, dword ptr [ebp + 0x67c]
            //   895008               | mov                 dword ptr [eax + 8], edx
            // Builds a 16-byte structure on the stack from fields at fixed
            // offsets (0x678, 0x67c) of an object referenced via ebp.

        $sequence_5 = { 8bd3 895c2418 eb09 ba00040000 89542418 8b460c 8b6820 }
            // n = 7, score = 100
            //   8bd3                 | mov                 edx, ebx
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   eb09                 | jmp                 0xb
            //   ba00040000           | mov                 edx, 0x400
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   8b6820               | mov                 ebp, dword ptr [eax + 0x20]
            // Two alternative writers of [esp + 0x18] (ebx, or the constant
            // 0x400 = 1024) joined by a short jmp.

        $sequence_6 = { 57 6827270000 53 e8???????? 53 e8???????? ff7598 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   6827270000           | push                0x2727
            //   53                   | push                ebx
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   ff7598               | push                dword ptr [ebp - 0x68]

        $sequence_7 = { 8944240c 8d9b00000000 8a08 84c9 741f 0fb6c1 50 }
            // n = 7, score = 100
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   84c9                 | test                cl, cl
            //   741f                 | je                  0x21
            //   0fb6c1               | movzx               eax, cl
            //   50                   | push                eax
            // "lea ebx, [ebx]" is a 7-byte no-op used as loop-header alignment
            // padding; the following bytes read a byte string until NUL.

        $sequence_8 = { 884dab 83f80b 0f877b020000 ff24858ce70510 8d41cf 3c08 7706 }
            // n = 7, score = 100
            //   884dab               | mov                 byte ptr [ebp - 0x55], cl
            //   83f80b               | cmp                 eax, 0xb
            //   0f877b020000         | ja                  0x281
            //   ff24858ce70510       | jmp                 dword ptr [eax*4 + 0x1005e78c]
            //   8d41cf               | lea                 eax, dword ptr [ecx - 0x31]
            //   3c08                 | cmp                 al, 8
            //   7706                 | ja                  8
            // NOTE(review): this sequence embeds the absolute jump-table address
            // 0x1005e78c (a switch with 12 cases, 0..0xb). That address is specific
            // to the sample's image base, so this string will not match if the
            // module is relocated or rebuilt; the rule still has a 3-of-10 margin.
            // The trailing "lea eax, [ecx - 0x31]; cmp al, 8; ja" is an unsigned
            // range check for the byte in ecx being within '1'..'9' (0x31..0x39).

        $sequence_9 = { 83c418 c3 8b542418 8b7334 8b3e 8d442424 50 }
            // n = 7, score = 100
            //   83c418               | add                 esp, 0x18
            //   c3                   | ret                 
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   8b7334               | mov                 esi, dword ptr [ebx + 0x34]
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   8d442424             | lea                 eax, dword ptr [esp + 0x24]
            //   50                   | push                eax
            // Spans a function epilogue ("add esp, 0x18; ret") and the start of
            // the next function, so it also depends on code layout.

    condition:
        // Any 7 of the 10 $sequence_* strings, in a file smaller than
        // 1067008 bytes (= 1042 KiB). NOTE(review): YARA's filesize is undefined
        // when scanning a running process rather than a file, so on live-process
        // scans this condition may not fire even though the sequences were
        // derived from memory dumps - confirm for your scanner/deployment.
        7 of them and filesize < 1067008
}