SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gearshift (Back to overview)

GEARSHIFT

Actor(s): APT41


According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.

References
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
Yara Rules
[TLP:WHITE] win_gearshift_auto (20230715 | Detects win.gearshift.)
rule win_gearshift_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.gearshift."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 498bd4 488bcb ff15???????? 41b900800000 41b810010000 }
            // n = 5, score = 200
            //   498bd4               | mov                 eax, dword ptr [esp + 0x70]
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   41b900800000         | mov                 eax, dword ptr [eax + 8]
            //   41b810010000         | dec                 eax

        $sequence_1 = { 6689442455 88442457 8885f0000000 e8???????? 33d2 488d8d81000000 }
            // n = 6, score = 200
            //   6689442455           | mov                 dword ptr [edi + eax + 0x50], 1
            //   88442457             | dec                 eax
            //   8885f0000000         | lea                 edx, [0xafbf]
            //   e8????????           |                     
            //   33d2                 | dec                 ecx
            //   488d8d81000000       | mov                 ecx, esp

        $sequence_2 = { 0f84ec000000 8bc8 48034d08 ff96c0000000 4c8be0 4883f8ff 0f841d020000 }
            // n = 7, score = 200
            //   0f84ec000000         | test                edx, edx
            //   8bc8                 | je                  0x66b
            //   48034d08             | add                 al, byte ptr [ecx]
            //   ff96c0000000         | mov                 byte ptr [ecx], 0
            //   4c8be0               | ret                 
            //   4883f8ff             | xor                 eax, eax
            //   0f841d020000         | mov                 ecx, dword ptr fs:[0]

        $sequence_3 = { ff15???????? 488d1587ae0000 498bcc 48894528 ff15???????? 488d1563af0000 498bcc }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   488d1587ae0000       | mov                 ecx, dword ptr [eax + 0x20]
            //   498bcc               | dec                 eax
            //   48894528             | mov                 eax, dword ptr [esp + 0x2b0]
            //   ff15????????         |                     
            //   488d1563af0000       | dec                 eax
            //   498bcc               | add                 eax, ecx

        $sequence_4 = { 488b88c0000000 488d05a73b0300 395914 4a8b0ce0 498b0c0f 0f94c3 ff15???????? }
            // n = 7, score = 200
            //   488b88c0000000       | test                eax, eax
            //   488d05a73b0300       | jne                 0x17df
            //   395914               | inc                 ebp
            //   4a8b0ce0             | xor                 eax, eax
            //   498b0c0f             | xor                 edx, edx
            //   0f94c3               | dec                 eax
            //   ff15????????         |                     

        $sequence_5 = { 75b6 488bcd ff15???????? 4c8bac2478010000 488bbc2470010000 }
            // n = 5, score = 200
            //   75b6                 | cmp                 esi, esp
            //   488bcd               | jne                 0x1fe
            //   ff15????????         |                     
            //   4c8bac2478010000     | dec                 ecx
            //   488bbc2470010000     | movsx               eax, ah

        $sequence_6 = { 48897818 488b05???????? 4833c4 48894570 488d0d5f320200 }
            // n = 5, score = 200
            //   48897818             | mov                 ecx, esp
            //   488b05????????       |                     
            //   4833c4               | mov                 dword ptr [esp + 0x70], edi
            //   48894570             | inc                 ecx
            //   488d0d5f320200       | mov                 eax, 0x40

        $sequence_7 = { 488b742410 488b7c2418 c3 41ffc2 48ffc2 443bd3 }
            // n = 6, score = 200
            //   488b742410           | dec                 eax
            //   488b7c2418           | mov                 dword ptr [eax], ecx
            //   c3                   | dec                 eax
            //   41ffc2               | cmp                 ecx, edx
            //   48ffc2               | jb                  0x986
            //   443bd3               | dec                 eax

        $sequence_8 = { 448ba890000000 ba14000000 4c036d08 498bcd }
            // n = 4, score = 200
            //   448ba890000000       | mov                 eax, dword ptr [ecx + 4]
            //   ba14000000           | dec                 ecx
            //   4c036d08             | lea                 edx, [ecx + 8]
            //   498bcd               | dec                 eax

        $sequence_9 = { 0fb7d1 eb09 488b4508 488d540102 }
            // n = 4, score = 200
            //   0fb7d1               | dec                 eax
            //   eb09                 | mov                 eax, dword ptr [esp + 0x30]
            //   488b4508             | mov                 eax, dword ptr [eax + 0x24]
            //   488d540102           | and                 eax, 0x20000000

    condition:
        7 of them and filesize < 540672
}
[TLP:WHITE] win_gearshift_w0   (20191207 | No description)
rule win_gearshift_w0 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $b1 = { 4C 8D 41 24 33 D2 B9 03 00 1F 00 FF 9? F8 00 00 00 48 85 C0 74 }
        $b2 = { 4C 8B 4? 08 BA 01 00 00 00 49 8B C? FF D0 85 C0 [2-6] C7 4? 1C 01 00 00 00 B8 01 00 00 00 }
        $b3 = { 8B 4B E4 8B 53 EC 41 B8 00 40 00 00 4? 0B C? FF 9? B8 00 00 00 EB }
    condition:
        (2 of ($b*))
}
Download all Yara Rules