SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sidewalk (Back to overview)

SideWalk

aka: ScrambleCross

Shellcode-based malware family that according to ESET Research was likely written by the same authors as win.crosswalk.

References
2021-09-09SymantecThreat Hunter Team
@online{team:20210909:grayfly:60c5478, author = {Threat Hunter Team}, title = {{Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware}}, date = {2021-09-09}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware}, language = {English}, urldate = {2021-09-10} } Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
CROSSWALK MimiKatz SideWalk
2021-08-25Trend MicroHara Hiroaki, Ted Lee
@techreport{hiroaki:20210825:earth:776384f, author = {Hara Hiroaki and Ted Lee}, title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}}, date = {2021-08-25}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf}, language = {English}, urldate = {2021-08-31} } Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk
2021-08-24ESET ResearchThibaut Passilly, Mathieu Tartare
@online{passilly:20210824:sidewalk:75d39db, author = {Thibaut Passilly and Mathieu Tartare}, title = {{The SideWalk may be as dangerous as the CROSSWALK}}, date = {2021-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/}, language = {English}, urldate = {2021-08-31} } The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk
Yara Rules
[TLP:WHITE] win_sidewalk_auto (20230125 | Detects win.sidewalk.)
rule win_sidewalk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sidewalk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 418bc1 4133c6 c1c608 c1c010 4403de 4403e8 }
            // n = 6, score = 200
            //   418bc1               | inc                 ebp
            //   4133c6               | mov                 esi, ecx
            //   c1c608               | inc                 esp
            //   c1c010               | xor                 esi, eax
            //   4403de               | inc                 ecx
            //   4403e8               | rol                 esi, 8

        $sequence_1 = { 4403c8 4533d1 41c1c208 4503fa }
            // n = 4, score = 200
            //   4403c8               | inc                 esp
            //   4533d1               | add                 ebx, esi
            //   41c1c208             | inc                 esp
            //   4503fa               | add                 ebp, eax

        $sequence_2 = { 418b09 418bc0 c1e002 4d8d4904 4863d0 }
            // n = 5, score = 200
            //   418b09               | xor                 ebx, ebx
            //   418bc0               | rol                 ebx, 0xc
            //   c1e002               | add                 edx, ebx
            //   4d8d4904             | mov                 esi, edx
            //   4863d0               | inc                 ecx

        $sequence_3 = { c1e918 884202 884a03 4183f810 7ccc }
            // n = 5, score = 200
            //   c1e918               | xor                 edx, ecx
            //   884202               | inc                 esp
            //   884a03               | add                 ebp, esi
            //   4183f810             | inc                 ecx
            //   7ccc                 | rol                 edx, 0x10

        $sequence_4 = { 0fb642fe c1e108 0bc8 41890c10 488d5204 4983e901 }
            // n = 6, score = 200
            //   0fb642fe             | inc                 ecx
            //   c1e108               | mov                 eax, ebx
            //   0bc8                 | xor                 esi, ecx
            //   41890c10             | inc                 ecx
            //   488d5204             | xor                 edi, eax
            //   4983e901             | rol                 esi, 0x10

        $sequence_5 = { 7d15 8a040f 3201 41880408 }
            // n = 4, score = 200
            //   7d15                 | inc                 ecx
            //   8a040f               | mov                 ebx, edi
            //   3201                 | inc                 esp
            //   41880408             | add                 ecx, eax

        $sequence_6 = { 7ce2 4883c640 4883c340 4883ef40 }
            // n = 4, score = 200
            //   7ce2                 | add                 esp, esi
            //   4883c640             | inc                 esp
            //   4883c340             | add                 ecx, ebx
            //   4883ef40             | inc                 ebp

        $sequence_7 = { 48ffc1 488d040a 483bc6 7ce2 4883c640 }
            // n = 5, score = 200
            //   48ffc1               | add                 ecx, ebx
            //   488d040a             | inc                 ebp
            //   483bc6               | xor                 edx, ecx
            //   7ce2                 | inc                 esp
            //   4883c640             | add                 ebp, esi

        $sequence_8 = { 4133db 418bcd c1c307 4133c8 }
            // n = 4, score = 200
            //   4133db               | mov                 esi, ecx
            //   418bcd               | inc                 esp
            //   c1c307               | xor                 esi, eax
            //   4133c8               | inc                 ecx

        $sequence_9 = { 4403c9 458bf1 4433f0 41c1c608 4503ee 418bc5 }
            // n = 6, score = 200
            //   4403c9               | rol                 edi, 0x10
            //   458bf1               | inc                 esp
            //   4433f0               | add                 ebx, edi
            //   41c1c608             | inc                 ecx
            //   4503ee               | rol                 esi, 0x10
            //   418bc5               | inc                 ebp

        $sequence_10 = { 4133db c1c30c 03d3 8bf2 }
            // n = 4, score = 200
            //   4133db               | xor                 ebx, ebx
            //   c1c30c               | inc                 ecx
            //   03d3                 | xor                 ebx, ebx
            //   8bf2                 | inc                 ecx

        $sequence_11 = { 33f1 4133f8 c1c610 4433f2 c1c710 4403df }
            // n = 6, score = 200
            //   33f1                 | inc                 ecx
            //   4133f8               | xor                 ecx, eax
            //   c1c610               | inc                 ecx
            //   4433f2               | xor                 eax, esi
            //   c1c710               | rol                 esi, 8
            //   4403df               | rol                 eax, 0x10

        $sequence_12 = { 41c1c610 4503e6 4403cb 4533d1 4403ee 41c1c210 }
            // n = 6, score = 200
            //   41c1c610             | add                 ebp, eax
            //   4503e6               | inc                 ecx
            //   4403cb               | xor                 ebx, ebx
            //   4533d1               | inc                 ecx
            //   4403ee               | mov                 ecx, ebp
            //   41c1c210             | rol                 ebx, 7

        $sequence_13 = { 4489750f 44897d03 448965ff 44896dfb }
            // n = 4, score = 200
            //   4489750f             | rol                 esi, 0x10
            //   44897d03             | inc                 ebp
            //   448965ff             | add                 esp, esi
            //   44896dfb             | inc                 esp

        $sequence_14 = { 4433f2 c1c710 4403df 41c1c610 4503e6 4403cb }
            // n = 6, score = 200
            //   4433f2               | inc                 esp
            //   c1c710               | xor                 esi, edx
            //   4403df               | rol                 edi, 0x10
            //   41c1c610             | inc                 esp
            //   4503e6               | add                 ebx, edi
            //   4403cb               | inc                 ecx

        $sequence_15 = { 488d5204 4983e901 75d4 4863457f }
            // n = 4, score = 200
            //   488d5204             | inc                 ecx
            //   4983e901             | rol                 esi, 0x10
            //   75d4                 | inc                 ebp
            //   4863457f             | add                 esp, esi

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules