win.gearshift (Back to overview)

GEARSHIFT

Actor(s): APT41


According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.

References
2019-08-09 FireEye FireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
Yara Rules
[TLP:WHITE] win_gearshift_auto (20230125 | Detects win.gearshift.)
rule win_gearshift_auto {
    // Auto-generated (yara-signator) code-sequence signature for GEARSHIFT.
    // The rule fires when at least 7 of the 10 hex sequences below are present
    // and the scanned object is smaller than 540672 bytes (see `condition`).
    //
    // NOTE(review): the mnemonic annotations under each $sequence_N do not
    // line up with the listed bytes (the hex column starts with x64 REX
    // prefixes 0x48/0x4C/0x4D/0x41, while the annotations read like 32-bit
    // decodes of other code and appear offset from the hex column). Treat the
    // hex bytes as authoritative and the mnemonics as informational only.
    // The `??` wildcards mask address-dependent operands (presumably call
    // rel32 targets and RIP-relative displacements) so the patterns survive
    // relocation and rebuilds.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.gearshift."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence: n = number of instructions covered, score = selection
        // weight assigned by yara-signator. All ten carry the same score (200),
        // so no single sequence is more discriminating than another.
        $sequence_0 = { 4889842440040000 4c8b0d???????? 4c8b05???????? 8b942468040000 488b8c2460040000 }
            // n = 5, score = 200
            //   4889842440040000     | mov                 ecx, ebx
            //   4c8b0d????????       |                     
            //   4c8b05????????       |                     
            //   8b942468040000       | inc                 ecx
            //   488b8c2460040000     | mov                 ecx, 0x8000

        $sequence_1 = { 488b442470 488b4008 4889442430 488b442470 488b00 480590000000 4889442420 }
            // n = 7, score = 200
            //   488b442470           | dec                 esp
            //   488b4008             | mov                 ebp, eax
            //   4889442430           | dec                 eax
            //   488b442470           | test                eax, eax
            //   488b00               | inc                 ecx
            //   480590000000         | mov                 ecx, 0x3000
            //   4889442420           | dec                 eax

        $sequence_2 = { 4889442420 eb9a 488d155f530000 488d0d40530000 e8???????? 488d155c530000 488d0d4d530000 }
            // n = 7, score = 200
            //   4889442420           | mov                 ecx, eax
            //   eb9a                 | inc                 esp
            //   488d155f530000       | lea                 eax, [edx + 0x20]
            //   488d0d40530000       | call                dword ptr [esi + 0x90]
            //   e8????????           |                     
            //   488d155c530000       | inc                 ecx
            //   488d0d4d530000       | mov                 ecx, 0x40

        $sequence_3 = { 488d8d30040000 33d2 41b858020000 e8???????? 4c8d2585d00000 4533ed 6690 }
            // n = 7, score = 200
            //   488d8d30040000       | dec                 eax
            //   33d2                 | cmp                 dword ptr [esp + 0x50], 0
            //   41b858020000         | jne                 0x5f2
            //   e8????????           |                     
            //   4c8d2585d00000       | xor                 eax, eax
            //   4533ed               | dec                 eax
            //   6690                 | mov                 eax, dword ptr [esp + 0x58]

        $sequence_4 = { 48c1f905 4d6bc058 4d0384c960ce0300 eb0a 4c8bc2 4c8d0d51a9ffff }
            // n = 6, score = 200
            //   48c1f905             | mov                 eax, dword ptr [esp + 0x70]
            //   4d6bc058             | dec                 eax
            //   4d0384c960ce0300     | mov                 eax, dword ptr [eax]
            //   eb0a                 | movzx               eax, word ptr [eax + 0x14]
            //   4c8bc2               | dec                 eax
            //   4c8d0d51a9ffff       | lea                 eax, [ecx + eax + 0x18]

        $sequence_5 = { e8???????? 4889442458 48837c245800 741a 488b542470 488b4c2458 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4889442458           | ret                 
            //   48837c245800         | cmp                 eax, 6
            //   741a                 | jne                 0xd5b
            //   488b542470           | mov                 eax, dword ptr [esp + 0x28]
            //   488b4c2458           | test                eax, eax
            //   e8????????           |                     

        $sequence_6 = { ebe6 4533c0 488d155fd10000 458d4803 498bc8 4c8d1565070100 498bc0 }
            // n = 7, score = 200
            //   ebe6                 | je                  0x796
            //   4533c0               | dec                 eax
            //   488d155fd10000       | mov                 eax, dword ptr [esp + 0x20]
            //   458d4803             | mov                 eax, dword ptr [eax]
            //   498bc8               | mov                 dword ptr [esp + 0x30], eax
            //   4c8d1565070100       | cmp                 dword ptr [esp + 0x30], 0x9090c3cc
            //   498bc0               | jne                 0x786

        $sequence_7 = { 7404 33c0 eb33 488b442440 0fbe00 85c0 7507 }
            // n = 7, score = 200
            //   7404                 | dec                 eax
            //   33c0                 | mov                 ecx, dword ptr [esp + 0x190]
            //   eb33                 | dec                 eax
            //   488b442440           | xor                 ecx, esp
            //   0fbe00               | dec                 eax
            //   85c0                 | add                 esp, 0x1a8
            //   7507                 | ret                 

        $sequence_8 = { 48ffce 75d4 488d1db7870000 488b4bf8 4885c9 740b 833b01 }
            // n = 7, score = 200
            //   48ffce               | xor                 eax, eax
            //   75d4                 | dec                 eax
            //   488d1db7870000       | mov                 esi, dword ptr [esp + 0x50]
            //   488b4bf8             | dec                 eax
            //   4885c9               | mov                 ebp, dword ptr [esp + 0x48]
            //   740b                 | dec                 eax
            //   833b01               | add                 edi, 8

        $sequence_9 = { 4883ec20 4863d9 488d3d68860000 4803db 48833cdf00 }
            // n = 5, score = 200
            //   4883ec20             | xor                 esp, esp
            //   4863d9               | dec                 eax
            //   488d3d68860000       | mov                 esi, ecx
            //   4803db               | dec                 eax
            //   48833cdf00           | mov                 dword ptr [ebp - 9], eax

    condition:
        // 7-of-10 threshold tolerates a few sequences being broken by
        // recompilation; the size cap limits false positives on large binaries.
        // NOTE(review): `filesize` is only meaningful when scanning a file.
        // GEARSHIFT is described as a memory-only dropper, so when this rule is
        // applied to live process memory, confirm how the deployed YARA version
        // evaluates the `filesize` clause before relying on it — TODO confirm.
        7 of them and filesize < 540672
}
[TLP:WHITE] win_gearshift_w0   (20191207 | No description)
rule win_gearshift_w0 {
    // Hand-written GEARSHIFT signature published by the Bundesamt fuer
    // Verfassungsschutz (BfV) in its 2019-01 Cyber-Brief (see `source`).
    // Fires when any 2 of the 3 byte patterns $b1..$b3 are present; unlike
    // the auto-generated rule above, no filesize bound is applied.
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        // No license recorded for this rule; check the `source` publication
        // for redistribution terms before bundling it.
        malpedia_license = ""
    strings:
        // All three patterns are x64 code (0x41/0x48/0x49/0x4C REX prefixes).
        // `?` nibble wildcards absorb register-encoding variation; `[2-6]` in
        // $b2 allows a 2-6 byte gap between the result test and the store.
        //
        // $b1: lea r8,[rcx+0x24]; xor edx,edx; mov ecx,0x1F0003;
        //      call [reg+0xF8]; test rax,rax; jz — presumably a three-argument
        //      indirect call through a function/import table, result checked.
        $b1 = { 4C 8D 41 24 33 D2 B9 03 00 1F 00 FF 9? F8 00 00 00 48 85 C0 74 }
        // $b2: mov r8,[reg+8]; mov edx,1; mov rax,reg; call rax; test eax,eax;
        //      ... mov dword [reg+0x1C],1; mov eax,1 — indirect call via rax
        //      followed by a flag store on the success path (inferred).
        $b2 = { 4C 8B 4? 08 BA 01 00 00 00 49 8B C? FF D0 85 C0 [2-6] C7 4? 1C 01 00 00 00 B8 01 00 00 00 }
        // $b3: mov ecx,[rbx-0x1C]; mov edx,[rbx-0x14]; mov r8d,0x4000;
        //      or reg,reg; call [reg+0xB8]; jmp short — another table-based
        //      indirect call with a 0x4000 third argument.
        $b3 = { 8B 4B E4 8B 53 EC 41 B8 00 40 00 00 4? 0B C? FF 9? B8 00 00 00 EB }
    condition:
        // Requiring 2 of 3 keeps the rule robust to one sequence changing.
        (2 of ($b*))
}