Actor(s): APT41
According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.
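rule win_gearshift_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.gearshift."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review): the per-sequence annotations below were re-derived from
     * the hex bytes as x86-64 code. The generator's original annotations had
     * been produced in 32-bit mode (REX prefixes showed up as dec/inc) and
     * were offset from the bytes they sat next to, so they were replaced.
     * "??" wildcards are rel32/disp32 operands the generator left open.
     *
     * NOTE(review): sequences 4, 8 and 9 look like statically linked MSVC
     * CRT routines (handle-table and lock-table lookups) rather than
     * family-specific logic. "7 of them" limits the exposure, but validate
     * the rule against a clean corpus of x64 MSVC binaries before assigning
     * it a high confidence level.
     */
    strings:
        // Argument setup (rcx, rdx, r8, r9) immediately before a call.
        $sequence_0 = { 4889842440040000 4c8b0d???????? 4c8b05???????? 8b942468040000 488b8c2460040000 } // n = 5, score = 200
            // 4889842440040000 | mov [rsp+0x440], rax
            // 4c8b0d????????   | mov r9, [rip+disp32]
            // 4c8b05????????   | mov r8, [rip+disp32]
            // 8b942468040000   | mov edx, [rsp+0x468]
            // 488b8c2460040000 | mov rcx, [rsp+0x460]

        // Two pointer loads through a stack-held struct, second one +0x90.
        $sequence_1 = { 488b442470 488b4008 4889442430 488b442470 488b00 480590000000 4889442420 } // n = 7, score = 200
            // 488b442470   | mov rax, [rsp+0x70]
            // 488b4008     | mov rax, [rax+8]
            // 4889442430   | mov [rsp+0x30], rax
            // 488b442470   | mov rax, [rsp+0x70]
            // 488b00       | mov rax, [rax]
            // 480590000000 | add rax, 0x90
            // 4889442420   | mov [rsp+0x20], rax

        // Back-to-back calls taking two RIP-relative data pointers each.
        $sequence_2 = { 4889442420 eb9a 488d155f530000 488d0d40530000 e8???????? 488d155c530000 488d0d4d530000 } // n = 7, score = 200
            // 4889442420     | mov [rsp+0x20], rax
            // eb9a           | jmp short (rel8 -0x66)
            // 488d155f530000 | lea rdx, [rip+0x535f]
            // 488d0d40530000 | lea rcx, [rip+0x5340]
            // e8????????     | call rel32
            // 488d155c530000 | lea rdx, [rip+0x535c]
            // 488d0d4d530000 | lea rcx, [rip+0x534d]

        // (buf, 0, 0x258) call — consistent with clearing a 600-byte
        // stack buffer (memset-like); the callee is not visible here.
        $sequence_3 = { 488d8d30040000 33d2 41b858020000 e8???????? 4c8d2585d00000 4533ed 6690 } // n = 7, score = 200
            // 488d8d30040000 | lea rcx, [rbp+0x430]
            // 33d2           | xor edx, edx
            // 41b858020000   | mov r8d, 0x258
            // e8????????     | call rel32
            // 4c8d2585d00000 | lea r12, [rip+0xd085]
            // 4533ed         | xor r13d, r13d
            // 6690           | xchg ax, ax  (2-byte nop)

        // idx>>5 / idx*0x58 table lookup — resembles MSVC CRT handle-table
        // (ioinfo) code; treat as a weak, library-derived signal.
        $sequence_4 = { 48c1f905 4d6bc058 4d0384c960ce0300 eb0a 4c8bc2 4c8d0d51a9ffff } // n = 6, score = 200
            // 48c1f905         | sar rcx, 5
            // 4d6bc058         | imul r8, r8, 0x58
            // 4d0384c960ce0300 | add r8, [r9+rcx*8+0x3ce60]
            // eb0a             | jmp short +0xa
            // 4c8bc2           | mov r8, rdx
            // 4c8d0d51a9ffff   | lea r9, [rip-0x56af]

        // Call, NULL-check the result, then hand it to a second call as rcx.
        $sequence_5 = { e8???????? 4889442458 48837c245800 741a 488b542470 488b4c2458 e8???????? } // n = 7, score = 200
            // e8????????   | call rel32
            // 4889442458   | mov [rsp+0x58], rax
            // 48837c245800 | cmp qword [rsp+0x58], 0
            // 741a         | je short +0x1a
            // 488b542470   | mov rdx, [rsp+0x70]
            // 488b4c2458   | mov rcx, [rsp+0x58]
            // e8????????   | call rel32

        // Register zeroing via r8 (rcx = 0, r9d = 3) ahead of a call.
        $sequence_6 = { ebe6 4533c0 488d155fd10000 458d4803 498bc8 4c8d1565070100 498bc0 } // n = 7, score = 200
            // ebe6           | jmp short (rel8 -0x1a)
            // 4533c0         | xor r8d, r8d
            // 488d155fd10000 | lea rdx, [rip+0xd15f]
            // 458d4803       | lea r9d, [r8+3]
            // 498bc8         | mov rcx, r8
            // 4c8d1565070100 | lea r10, [rip+0x10765]
            // 498bc0         | mov rax, r8

        // Sign-extended byte load and zero test — looks like a string
        // terminator check.
        $sequence_7 = { 7404 33c0 eb33 488b442440 0fbe00 85c0 7507 } // n = 7, score = 200
            // 7404       | je short +4
            // 33c0       | xor eax, eax
            // eb33       | jmp short +0x33
            // 488b442440 | mov rax, [rsp+0x40]
            // 0fbe00     | movsx eax, byte [rax]
            // 85c0       | test eax, eax
            // 7507       | jne short +7

        // Counted loop tail followed by a table walk with a 1-check —
        // resembles CRT start-up/termination code (unconfirmed).
        $sequence_8 = { 48ffce 75d4 488d1db7870000 488b4bf8 4885c9 740b 833b01 } // n = 7, score = 200
            // 48ffce         | dec rsi
            // 75d4           | jne short (rel8 -0x2c)
            // 488d1db7870000 | lea rbx, [rip+0x87b7]
            // 488b4bf8       | mov rcx, [rbx-8]
            // 4885c9         | test rcx, rcx
            // 740b           | je short +0xb
            // 833b01         | cmp dword [rbx], 1

        // Shadow-space prologue plus a doubled-index qword table probe —
        // resembles the MSVC CRT lock-table routine (unconfirmed).
        $sequence_9 = { 4883ec20 4863d9 488d3d68860000 4803db 48833cdf00 } // n = 5, score = 200
            // 4883ec20       | sub rsp, 0x20
            // 4863d9         | movsxd rbx, ecx
            // 488d3d68860000 | lea rdi, [rip+0x8668]
            // 4803db         | add rbx, rbx
            // 48833cdf00     | cmp qword [rdi+rbx*8], 0

    condition:
        7 of them and filesize < 540672
}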
rule win_gearshift_w0 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    strings:
        // Hand-written x86-64 code patterns. The "?" nibbles leave the
        // register field of a ModRM byte open so the pattern survives
        // register re-allocation between builds.

        // 4C 8D 41 24        lea r8, [rcx+0x24]
        // 33 D2              xor edx, edx
        // B9 03 00 1F 00     mov ecx, 0x1F0003
        // FF 9? F8 00 00 00  call qword [reg+0xF8]
        // 48 85 C0           test rax, rax
        // 74                 je short ...
        // NOTE(review): three-argument call through a register-relative
        // function table at a fixed offset; 0x1F0003 is the value of several
        // *_ALL_ACCESS masks. Looks like an Open*/Create* object call via a
        // resolved-API struct — unconfirmed from the bytes alone.
        $b1 = { 4C 8D 41 24 33 D2 B9 03 00 1F 00 FF 9? F8 00 00 00 48 85 C0 74 }

        // 4C 8B 4? 08            mov r8, [reg+8]
        // BA 01 00 00 00         mov edx, 1
        // 49 8B C?               mov rax, r8..r15
        // FF D0                  call rax
        // 85 C0                  test eax, eax
        // [2-6]                  (short gap: conditional branch etc.)
        // C7 4? 1C 01 00 00 00   mov dword [reg+0x1C], 1
        // B8 01 00 00 00         mov eax, 1
        // NOTE(review): indirect call with edx = 1 as the second argument,
        // then a flag set to 1 — consistent with invoking a loaded module's
        // entry point with DLL_PROCESS_ATTACH, but not provable from here.
        $b2 = { 4C 8B 4? 08 BA 01 00 00 00 49 8B C? FF D0 85 C0 [2-6] C7 4? 1C 01 00 00 00 B8 01 00 00 00 }

        // 8B 4B E4           mov ecx, [rbx-0x1C]
        // 8B 53 EC           mov edx, [rbx-0x14]
        // 41 B8 00 40 00 00  mov r8d, 0x4000
        // 4? 0B C?           or reg, reg
        // FF 9? B8 00 00 00  call qword [reg+0xB8]
        // EB                 jmp short ...
        // Same fixed-offset call-table style as $b1 (slot +0xB8 vs +0xF8).
        $b3 = { 8B 4B E4 8B 53 EC 41 B8 00 40 00 00 4? 0B C? FF 9? B8 00 00 00 EB }

    condition:
        // Any two of the three code patterns. NOTE(review): there is no
        // filesize or MZ guard; add one if this rule is run over large,
        // mixed corpora.
        (2 of ($b*))
}