SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crutch (Back to overview)

Crutch

Actor(s): Turla Group


There is no description at this point.

References
2021-04-29ESET ResearchRobert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-12-02ESET ResearchMatthieu Faou
@online{faou:20201202:turla:7f8c935, author = {Matthieu Faou}, title = {{Turla Crutch: Keeping the “back door” open}}, date = {2020-12-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/}, language = {English}, urldate = {2020-12-08} } Turla Crutch: Keeping the “back door” open
Crutch Gazer Turla Group
Yara Rules
[TLP:WHITE] win_crutch_auto (20220516 | Detects win.crutch.)
rule win_crutch_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.crutch."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 668944241c 89442414 8844241e 8b8264010000 56 8bb2f4000000 57 }
            // n = 7, score = 100
            //   668944241c           | mov                 word ptr [esp + 0x1c], ax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8844241e             | mov                 byte ptr [esp + 0x1e], al
            //   8b8264010000         | mov                 eax, dword ptr [edx + 0x164]
            //   56                   | push                esi
            //   8bb2f4000000         | mov                 esi, dword ptr [edx + 0xf4]
            //   57                   | push                edi

        $sequence_1 = { 8b908c030000 8911 33c0 c3 8b80b04a0000 8901 33c0 }
            // n = 7, score = 100
            //   8b908c030000         | mov                 edx, dword ptr [eax + 0x38c]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   8b80b04a0000         | mov                 eax, dword ptr [eax + 0x4ab0]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 8b442418 85c0 7556 3944241c 754e 3985d0020000 7546 }
            // n = 7, score = 100
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58
            //   3944241c             | cmp                 dword ptr [esp + 0x1c], eax
            //   754e                 | jne                 0x50
            //   3985d0020000         | cmp                 dword ptr [ebp + 0x2d0], eax
            //   7546                 | jne                 0x48

        $sequence_3 = { 0f92c1 f7d9 0bc8 6a00 51 c7460400000000 e8???????? }
            // n = 7, score = 100
            //   0f92c1               | setb                cl
            //   f7d9                 | neg                 ecx
            //   0bc8                 | or                  ecx, eax
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   e8????????           |                     

        $sequence_4 = { 8b08 898ea8000000 8b5004 8996ac000000 8b4808 898eb0000000 }
            // n = 6, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   898ea8000000         | mov                 dword ptr [esi + 0xa8], ecx
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8996ac000000         | mov                 dword ptr [esi + 0xac], edx
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   898eb0000000         | mov                 dword ptr [esi + 0xb0], ecx

        $sequence_5 = { ff4f14 8bf5 85ed 75cd 8b442410 8344241810 40 }
            // n = 7, score = 100
            //   ff4f14               | dec                 dword ptr [edi + 0x14]
            //   8bf5                 | mov                 esi, ebp
            //   85ed                 | test                ebp, ebp
            //   75cd                 | jne                 0xffffffcf
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8344241810           | add                 dword ptr [esp + 0x18], 0x10
            //   40                   | inc                 eax

        $sequence_6 = { 6a5d 56 894c2428 e8???????? 8be8 83c408 }
            // n = 6, score = 100
            //   6a5d                 | push                0x5d
            //   56                   | push                esi
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   83c408               | add                 esp, 8

        $sequence_7 = { 8b4b28 51 ff15???????? 8b532c 52 ff15???????? 8b442434 }
            // n = 7, score = 100
            //   8b4b28               | mov                 ecx, dword ptr [ebx + 0x28]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b532c               | mov                 edx, dword ptr [ebx + 0x2c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]

        $sequence_8 = { 68???????? e8???????? 8bf0 83c404 85f6 7507 b81b000000 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   7507                 | jne                 9
            //   b81b000000           | mov                 eax, 0x1b

        $sequence_9 = { 8954243c 8b542460 03c7 89442444 33c0 57 8944244c }
            // n = 7, score = 100
            //   8954243c             | mov                 dword ptr [esp + 0x3c], edx
            //   8b542460             | mov                 edx, dword ptr [esp + 0x60]
            //   03c7                 | add                 eax, edi
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   33c0                 | xor                 eax, eax
            //   57                   | push                edi
            //   8944244c             | mov                 dword ptr [esp + 0x4c], eax

    condition:
        7 of them and filesize < 1067008
}
Download all Yara Rules