win.gearshift

GEARSHIFT

Actor(s): APT41


According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.

References
2019-08-09 | FireEye | FireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
Yara Rules
[TLP:WHITE] win_gearshift_auto (20210616 | Detects win.gearshift.)
rule win_gearshift_auto {
    /* Auto-generated code-sequence signature for the GEARSHIFT family (APT41).
     * Each $sequence_N string is a run of raw x86-64 opcode bytes selected from
     * the disassembly of memory dumps and unpacked samples (see the DISCLAIMER
     * below), so the rule is aimed at unpacked / in-memory images rather than
     * packed on-disk files.
     * "n = X" is the number of opcodes in that sequence; "score" is a
     * yara-signator ranking value whose scale is defined by the tool, not here.
     * '??' bytes mask the rel32 target of e8 (call) and the RIP-relative operand
     * of ff15 (call [mem]), so a match does not depend on link-time addresses.
     * NOTE(review): the mnemonic annotations beside each opcode do not line up
     * with the bytes they accompany (e.g. 48 89 74 24 10 encodes
     * mov [rsp+0x10], rsi, not "inc edx"); treat them as non-authoritative and
     * re-disassemble the bytes before reasoning about what a sequence matches.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.gearshift."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): decoded, these bytes look like an ordinary x64 prologue
        // (mov [rsp+0x10], rsi; mov [rsp+0x18], rdi; push r12; sub rsp, 0x20;
        // lea r12, [rip+disp]) — a pattern common to unrelated x64 code, so this
        // sequence alone carries little weight; the 7-of-10 condition offsets that.
        $sequence_0 = { 4889742410 48897c2418 4154 4883ec20 4c8d25a4080300 }
            // n = 5, score = 200
            //   4889742410           | inc                 edx
            //   48897c2418           | jmp                 0xd34
            //   4154                 | mov                 dword ptr [esp + 0x20], edi
            //   4883ec20             | cmp                 edi, 0x100
            //   4c8d25a4080300       | inc                 edx

        $sequence_1 = { 488b4b08 4883c308 4885c9 75c0 4983c514 }
            // n = 5, score = 200
            //   488b4b08             | dec                 eax
            //   4883c308             | cmp                 dword ptr [ebp + 0x18], esi
            //   4885c9               | je                  0x858
            //   75c0                 | dec                 eax
            //   4983c514             | cmp                 dword ptr [ebp + 0x60], esi

        // e8???????? : call rel32 with the displacement wildcarded.
        $sequence_2 = { 488d4c2421 33d2 41b803010000 c644242000 e8???????? 488d4c2420 ba04010000 }
            // n = 7, score = 200
            //   488d4c2421           | mov                 ecx, eax
            //   33d2                 | dec                 eax
            //   41b803010000         | test                eax, eax
            //   c644242000           | dec                 eax
            //   e8????????           |                     
            //   488d4c2420           | mov                 esi, eax
            //   ba04010000           | dec                 eax

        $sequence_3 = { 4883c310 48ffce 75d4 488d1def070300 }
            // n = 4, score = 200
            //   4883c310             | mov                 dword ptr [esp + 0x28], 1
            //   48ffce               | mov                 dword ptr [esp + 0x20], esi
            //   75d4                 | inc                 ebp
            //   488d1def070300       | xor                 ecx, ecx

        $sequence_4 = { 4885c9 0f84aa000000 53 4883ec20 4889742430 33f6 }
            // n = 6, score = 200
            //   4885c9               | xor                 edi, edi
            //   0f84aa000000         | dec                 esp
            //   53                   | lea                 eax, dword ptr [0xb157]
            //   4883ec20             | mov                 edx, edi
            //   4889742430           | inc                 ecx
            //   33f6                 | mov                 ebx, edx

        $sequence_5 = { 48898424b0000000 4885c0 752a 418b5550 448d4840 33c9 41b800200000 }
            // n = 7, score = 200
            //   48898424b0000000     | dec                 eax
            //   4885c0               | arpl                word ptr [ecx + 0x3c], ax
            //   752a                 | dec                 esp
            //   418b5550             | mov                 ebp, edx
            //   448d4840             | dec                 esp
            //   33c9                 | mov                 esp, ecx
            //   41b800200000         | cmp                 dword ptr [eax + ecx + 0x8c], 0

        $sequence_6 = { 4c8d052c400000 498bd4 488bcd e8???????? 85c0 7541 4c8bc3 }
            // n = 7, score = 200
            //   4c8d052c400000       | dec                 eax
            //   498bd4               | sub                 esp, 0x278
            //   488bcd               | xor                 eax, eax
            //   e8????????           |                     
            //   85c0                 | inc                 ebp
            //   7541                 | mov                 edi, eax
            //   4c8bc3               | inc                 esp

        $sequence_7 = { 8bc3 488b9c24d0000000 4881c4c0000000 5f }
            // n = 4, score = 200
            //   8bc3                 | je                  0x163b
            //   488b9c24d0000000     | je                  0x164c
            //   4881c4c0000000       | dec                 eax
            //   5f                   | mov                 eax, dword ptr [esp + 0x48]

        // ff15???????? : call [rip+disp32] (typically an import thunk) with the
        // displacement wildcarded.
        $sequence_8 = { 41b900800000 41b810010000 498bd5 488bcb ff15???????? 448b85c0010000 }
            // n = 6, score = 200
            //   41b900800000         | lea                 edx, dword ptr [esp + 0x20]
            //   41b810010000         | dec                 eax
            //   498bd5               | lea                 ecx, dword ptr [0xe2ba]
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   448b85c0010000       | lea                 ecx, dword ptr [esp + 0x50]

        $sequence_9 = { 7416 488d95f0000000 488d4d94 41b863000000 e8???????? 488d0d7caf0000 }
            // n = 6, score = 200
            //   7416                 | mov                 edx, 0x10000
            //   488d95f0000000       | inc                 ecx
            //   488d4d94             | mov                 eax, 0x20
            //   41b863000000         | dec                 eax
            //   e8????????           |                     
            //   488d0d7caf0000       | mov                 ecx, ebx

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 540672 bytes (528 KiB).
        // NOTE(review): `filesize` is only meaningful for file scans; confirm the
        // rule still evaluates as intended when scanning process memory, which
        // is where a memory-only dropper is most likely to be observed.
        7 of them and filesize < 540672
}
[TLP:WHITE] win_gearshift_w0   (20191207 | No description)
rule win_gearshift_w0 {
    /* Hand-written GEARSHIFT signature published by the Bundesamt fuer
     * Verfassungsschutz (see `source`). Each $bN string is an x86-64 opcode
     * sequence; '?' masks a single nibble (register / ModRM bits that vary
     * between builds) and [2-6] permits a gap of 2 to 6 bytes, so the rule
     * tolerates small differences in register allocation and branch encoding.
     * NOTE(review): malpedia_license is empty here, unlike the CC BY-SA 4.0
     * declared on win_gearshift_auto — confirm redistribution terms before
     * bundling this rule with others.
     */
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // NOTE(review): decodes as lea r8, [rcx+0x24]; xor edx, edx;
        // mov ecx, 0x1F0003; call [reg+0xF8]; test rax, rax; je. The immediate
        // 0x1F0003 looks like a Win32 *_ALL_ACCESS mask (e.g. EVENT_ALL_ACCESS)
        // and the call goes through a table slot — verify against a sample.
        $b1 = { 4C 8D 41 24 33 D2 B9 03 00 1F 00 FF 9? F8 00 00 00 48 85 C0 74 }
        // NOTE(review): mov r8, [reg+8]; mov edx, 1; mov rax, reg; call rax;
        // test eax, eax; <2-6 byte gap, presumably a jcc>; then a dword at
        // [reg+0x1C] is set to 1 and eax = 1. A second argument of 1 is
        // consistent with calling a loaded DLL's entry point with
        // DLL_PROCESS_ATTACH, which would fit a memory-only DLL dropper — confirm.
        $b2 = { 4C 8B 4? 08 BA 01 00 00 00 49 8B C? FF D0 85 C0 [2-6] C7 4? 1C 01 00 00 00 B8 01 00 00 00 }
        // NOTE(review): mov ecx, [rbx-0x1C]; mov edx, [rbx-0x14];
        // mov r8d, 0x4000; or ...; call [reg+0xB8]; jmp. 0x4000 matches
        // MEM_DECOMMIT, so this may be a VirtualFree-style cleanup of the
        // dropped image — confirm before using it as a behavioural indicator.
        $b3 = { 8B 4B E4 8B 53 EC 41 B8 00 40 00 00 4? 0B C? FF 9? B8 00 00 00 EB }
    condition:
        // Any two of the three sequences. There is no filesize or PE-header
        // constraint, so the rule can be applied to process memory as well as
        // to files on disk.
        (2 of ($b*))
}