win.gearshift

GEARSHIFT

Actor(s): APT41


According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.

References
2019-08-09 | FireEye | FireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
Yara Rules
[TLP:WHITE] win_gearshift_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Autogenerated detection rule for the GEARSHIFT dropper (see malpedia_reference below).
// Each $sequence_N is a run of x64 opcode bytes lifted by YARA-Signator from a memory
// dump / unpacked sample; `??` nibbles are wildcards masking operands that differ between
// builds (e.g. the disp32 of `ff15 ????????`, a call through a RIP-relative pointer).
// NOTE(review): the disassembly printed beside each opcode does not line up with the
// bytes (e.g. the REX.W prefix 0x48 of `48f7d1` is rendered as 32-bit `dec eax`), so
// treat the hex sequences, not the mnemonic columns, as the authoritative content.
rule win_gearshift_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        // Feature classes the generator used to pick sequences: call/jump sites,
        // data references and immediate values.
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // n = number of opcodes in the sequence; score = generator's weight for it.
        // Every sequence here carries the same score (200), so the condition below
        // treats them as interchangeable.
        $sequence_0 = { ff15???????? 488d15b6bd0000 488bcb 488905???????? ff15???????? 488d158fbd0000 488bcb }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   488d15b6bd0000       | mov                 ebx, dword ptr [eax + 8]
            //   488bcb               | mov                 esi, dword ptr [eax + 0xc]
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d158fbd0000       | cmp                 esi, -1
            //   488bcb               | je                  0x17c2

        $sequence_1 = { e8???????? 488d0d7caf0000 ff15???????? 488d0dbfb00000 4c8be0 ff15???????? 488d0d9fb00000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488d0d7caf0000       | dec                 eax
            //   ff15????????         |                     
            //   488d0dbfb00000       | mov                 eax, dword ptr [esp + 0x2b0]
            //   4c8be0               | dec                 eax
            //   ff15????????         |                     
            //   488d0d9fb00000       | add                 eax, ecx

        $sequence_2 = { 0f1f00 4585c9 7e1f 4c8bc7 488bcf 49f7d8 6690 }
            // n = 7, score = 200
            //   0f1f00               | mov                 eax, ecx
            //   4585c9               | dec                 ecx
            //   7e1f                 | add                 eax, esi
            //   4c8bc7               | je                  0x1aa2
            //   488bcf               | mov                 ecx, dword ptr [ebx + 0x20]
            //   49f7d8               | mov                 edx, dword ptr [ebx + 0x24]
            //   6690                 | mov                 dword ptr [esp + 0x14], eax

        $sequence_3 = { 4c8d258e140300 488b0d???????? eb7c 4c8d2576140300 488b0d???????? eb6c e8???????? }
            // n = 7, score = 200
            //   4c8d258e140300       | lea                 ecx, [esp + 0x20]
            //   488b0d????????       |                     
            //   eb7c                 | dec                 eax
            //   4c8d2576140300       | mov                 edx, eax
            //   488b0d????????       |                     
            //   eb6c                 | call                dword ptr [eax + 8]
            //   e8????????           |                     

        $sequence_4 = { b801000000 4883c428 c3 488d0dc9a80000 48895c2420 ff15???????? 488d1597a90000 }
            // n = 7, score = 200
            //   b801000000           | dec                 esp
            //   4883c428             | lea                 ecx, [esp + 0x38]
            //   c3                   | inc                 esp
            //   488d0dc9a80000       | mov                 eax, dword ptr [esp + 0x44]
            //   48895c2420           | cmp                 dword ptr [ebp + 8], 0
            //   ff15????????         |                     
            //   488d1597a90000       | jne                 0x803

        $sequence_5 = { 488b05???????? 488d4c2420 488947ff 8b05???????? 894707 0fb705???????? 6689470b }
            // n = 7, score = 200
            //   488b05????????       |                     
            //   488d4c2420           | inc                 ecx
            //   488947ff             | mov                 ecx, 0x40
            //   8b05????????         |                     
            //   894707               | inc                 ecx
            //   0fb705????????       |                     
            //   6689470b             | mov                 eax, 0x1000

        $sequence_6 = { ff15???????? 488d15e3af0000 498bcc 48894500 ff15???????? 488d15bfaf0000 498bcc }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   488d15e3af0000       | mov                 ecx, dword ptr [ebp + 8]
            //   498bcc               | mov                 eax, 0x5a4d
            //   48894500             | mov                 eax, ebx
            //   ff15????????         |                     
            //   488d15bfaf0000       | add                 esp, 8
            //   498bcc               | sub                 eax, dword ptr [esi + 0x34]

        $sequence_7 = { 4881ec78020000 33c0 458bf8 448bf1 488bda 488d8df1000000 448d4063 }
            // n = 7, score = 200
            //   4881ec78020000       | je                  0x517
            //   33c0                 | dec                 esp
            //   458bf8               | mov                 esp, dword ptr [ebp + 0x1c8]
            //   448bf1               | inc                 esp
            //   488bda               | mov                 esi, dword ptr [ebp + 0x1d0]
            //   488d8df1000000       | dec                 esp
            //   448d4063             | mov                 dword ptr [esp + 0x70], edi

        $sequence_8 = { 48f7d1 48ffc9 413bcd 410f4dcd }
            // n = 4, score = 200
            // NOTE(review): only four opcodes (12 bytes) -- the shortest sequence in
            // the rule and likely the least specific on its own.
            //   48f7d1               | dec                 eax
            //   48ffc9               | add                 esp, 0x20
            //   413bcd               | pop                 edi
            //   410f4dcd             | dec                 eax

        $sequence_9 = { 57 4883ec20 4c8d5a10 488bda 488bf9 4c8d442439 }
            // n = 6, score = 200
            // Function prologue shape (push rdi; sub rsp, 0x20; ...); such prologues
            // are common, so this sequence adds little specificity by itself.
            //   57                   | call                dword ptr [esi + 0xa0]
            //   4883ec20             | dec                 eax
            //   4c8d5a10             | arpl                word ptr [edi + 0x3c], ax
            //   488bda               | dec                 eax
            //   488bf9               | add                 eax, ebx
            //   4c8d442439           | dec                 eax

    condition:
        // Fire when at least 7 of the 10 sequences are present AND the scanned file is
        // smaller than 540672 bytes (528 KiB). Larger files -- including most memory
        // images -- are never reported by this rule even if the patterns are present.
        7 of them and filesize < 540672
}
[TLP:WHITE] win_gearshift_w0   (20191207 | No description)
// Hand-written GEARSHIFT rule taken from the BfV "Cyber-Brief 2019-01" (see `source`
// below). It keys on three short x64 code fragments; `?` is a single-nibble wildcard
// and `[2-6]` skips 2 to 6 arbitrary bytes, so the fragments tolerate differences in
// register choice and instruction spacing between builds.
rule win_gearshift_w0 {
    meta:
        // No author/description/date fields are set (Malpedia lists "No description").
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // lea r8, [rcx+0x24]; xor edx, edx; mov ecx, 0x1F0003; call [reg+0xF8];
        // test rax, rax; jz -- an argument setup, indirect call and null-check.
        // NOTE(review): 0x1F0003 equals EVENT_ALL_ACCESS / SEMAPHORE_ALL_ACCESS; which
        // API is behind the indirect call is not visible here -- confirm on the sample.
        $b1 = { 4C 8D 41 24 33 D2 B9 03 00 1F 00 FF 9? F8 00 00 00 48 85 C0 74 }
        // mov r8/r9.., [reg+8]; mov edx, 1; mov rax, r?; call rax; test eax, eax;
        // (2-6 bytes) mov dword [reg+0x1C], 1; mov eax, 1 -- indirect call followed
        // by storing and returning a success flag.
        $b2 = { 4C 8B 4? 08 BA 01 00 00 00 49 8B C? FF D0 85 C0 [2-6] C7 4? 1C 01 00 00 00 B8 01 00 00 00 }
        // mov ecx, [rbx-0x1C]; mov edx, [rbx-0x14]; mov r8d, 0x4000; or r?, r?;
        // call [reg+0xB8]; jmp short -- three-argument indirect call.
        $b3 = { 8B 4B E4 8B 53 EC 41 B8 00 40 00 00 4? 0B C? FF 9? B8 00 00 00 EB }
    condition:
        // Any two of the three fragments suffice. There is no filesize bound (unlike
        // win_gearshift_auto), so memory images and large files are eligible.
        (2 of ($b*))
}