CrashOverride_revised091118
Common Information
| Type | Value |
|---|---|
| UUID | 56cc4b8a-ecb7-4158-9cdb-e5a6ee2609d4 |
| Fingerprint | 2b6d9687e4c67c6ef586f83edc3cbf57cdc1ead69b7923eeed3c4c88a5dcaffd |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Sept. 11, 2018, 12:15 a.m. |
| Added to db | March 10, 2024, 12:28 a.m. |
| Last updated | Aug. 31, 2024, 7:39 a.m. |
| Headline | CrashOverride_revised091118 |
| Title | CrashOverride_revised091118 |
| Detected Hints/Tags/Attributes | 130/2/31 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 10 | cve-2015-5374 |
|
| Details | Domain | 56 | www.dragos.com |
|
| Details | Domain | 4128 | github.com |
|
| Details | File | 5 | opc.exe |
|
| Details | File | 4 | 61850.exe |
|
| Details | File | 4 | haslo.exe |
|
| Details | File | 9 | 104.dll |
|
| Details | File | 5 | haslo.dat |
|
| Details | File | 5 | 101.dll |
|
| Details | File | 3 | crash101.dll |
|
| Details | File | 2 | crash104.dll |
|
| Details | File | 5 | 61850.dll |
|
| Details | File | 2 | crash61850.dll |
|
| Details | File | 4 | opcclientdemo.dll |
|
| Details | File | 2 | crashopcclientdemo.dll |
|
| Details | File | 3 | d2multicommservice.exe |
|
| Details | File | 2 | crashd2multicommservice.exe |
|
| Details | File | 2 | iec104.log |
|
| Details | Github username | 1 | dragosinc |
|
| Details | IPv4 | 2 | 195.16.88.6 |
|
| Details | IPv4 | 2 | 93.115.27.57 |
|
| Details | IPv4 | 2 | 5.39.218.152 |
|
| Details | Url | 1 | https://github.com/dragosinc/crashoverride |
|
| Details | Windows Registry Key | 2 | HKLM\SYSTEM\CurrentControlSet\Ser |
|
| Details | Yara rule | 2 | import "pe"
rule dragos_crashoverride_exporting_dlls {
meta:
description = "CRASHOVERRIDE v1 Suspicious Export"
author = "Dragos Inc"
condition:
pe.exports("Crash") & pe.characteristics
} |
|
| Details | Yara rule | 2 | import "pe"
rule dragos_crashoverride_suspcious {
meta:
description = "CRASHOVERRIDE v1 Wiper"
author = "Dragos Inc"
strings:
$s0 = "SYS_BASCON.COM" wide nocase fullword
$s1 = ".pcmp" wide nocase fullword
$s2 = ".pcmi" wide nocase fullword
$s3 = ".pcmt" wide nocase fullword
$s4 = ".cin" wide nocase fullword
condition:
pe.exports("Crash") and any of ($s*)
} |
|
| Details | Yara rule | 2 | import "pe"
rule dragos_crashoverride_name_search {
meta:
description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
author = "Dragos Inc"
strings:
$s0 = "101.dll" wide nocase fullword
$s1 = "Crash101.dll" wide nocase fullword
$s2 = "104.dll" wide nocase fullword
$s3 = "Crash104.dll" wide nocase fullword
$s4 = "61850.dll" wide nocase fullword
$s5 = "Crash61850.dll" wide nocase fullword
$s6 = "OPCClientDemo.dll" wide nocase fullword
$s7 = "OPC" wide nocase fullword
$s8 = "CrashOPCClientDemo.dll" wide nocase fullword
$s9 = "D2MultiCommService.exe" wide nocase fullword
$s10 = "CrashD2MultiCommService.exe" wide nocase fullword
$s11 = "61850.exe" wide nocase fullword
$s12 = "OPC.exe" wide nocase fullword
$s13 = "haslo.exe" wide nocase fullword
$s14 = "haslo.dat" wide nocase fullword
condition:
any of ($s*) and pe.exports("Crash")
} |
|
| Details | Yara rule | 2 | rule dragos_crashoverride_moduleStrings {
meta:
description = "IEC-104 Interaction Module Program Strings"
author = "Dragos Inc"
strings:
$s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" ascii wide nocase
$s2 = " MSTR ->> SLV" ascii wide nocase
$s3 = " MSTR <<- SLV" ascii wide nocase
$s4 = "Unknown APDU format !!!" ascii wide nocase
$s5 = "iec104.log" ascii wide nocase
condition:
any of ($s*)
} |
|
| Details | Yara rule | 2 | rule dragos_crashoverride_weirdMutex {
meta:
description = "Blank mutex creation assoicated with CRASHOVERRIDE"
author = "Dragos Inc"
strings:
$s1 = { 81 EC 08 02 00 00 57 33 FF 57 57 57 FF 15 ?? ?? 40 00 A3 ?? ?? ?? 00 85 C0 }
$s2 = { 8D 85 ?? ?? ?? FF 50 57 57 6A 2E 57 FF 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
condition:
all of them
} |
|
| Details | Yara rule | 2 | rule dragos_crashoverride_serviceStomper {
meta:
description = "Identify service hollowing and persistence setting"
author = "Dragos Inc"
strings:
$s0 = { 33 C9 51 51 51 51 51 51 ?? ?? ?? }
$s1 = { 6A FF 6A FF 6A FF 50 FF 15 24 ?? 40 00 FF ?? ?? FF 15 20 ?? 40 00 }
condition:
all of them
} |
|
| Details | Yara rule | 2 | rule dragos_crashoverride_wiperModuleRegistry {
meta:
description = "Registry Wiper functionality assoicated with CRASHOVERRIDE"
author = "Dragos Inc"
strings:
$s0 = { 8D 85 A0 ?? ?? ?? 46 50 8D 85 A0 ?? ?? ?? 68 68 0D ?? ?? 50 }
$s1 = { 6A 02 68 78 0B ?? ?? 6A 02 50 68 B4 0D ?? ?? FF B5 98 ?? ?? ?? FF 15 04 ?? ?? ?? }
$s2 = { 68 00 02 00 00 8D 85 A0 ?? ?? ?? 50 56 FF B5 9C ?? ?? ?? FF 15 00 ?? ?? ?? 85 C0 }
condition:
all of them
} |