CrashOverride Malware | CISA
Common Information
Type Value
Published June 12, 2017, midnight
Headline Alert (TA17-163A)
Title CrashOverride Malware | CISA
Attributes
Details Type #Events CTI Value
Details Domain 154
us-cert.cisa.gov (the advisory publisher's own domain, auto-extracted from the source document — not an indicator of compromise)
Details Domain 10
hq.dhs.gov (DHS contact domain taken from the advisory's contact details — not an indicator of compromise)
Details Email 7
ncciccustomerservice@hq.dhs.gov (the advisory's reporting contact address, extracted as an "attribute" — not an indicator of compromise)
Details File 5
101.dll
Details File 3
crash101.dll
Details File 9
104.dll
Details File 2
crash104.dll
Details File 5
61850.dll
Details File 2
crash61850.dll
Details File 4
opcclientdemo.dll
Details File 2
crashopcclientdemo.dll
Details File 3
d2multicommservice.exe
Details File 2
crashd2multicommservice.exe
Details File 4
61850.exe
Details File 5
opc.exe
Details File 4
haslo.exe
Details File 5
haslo.dat
Details File 2
iec104.log
Details sha1 2
f6c21f8189ced6ae150f9ef2e82a3a57843b587d
Details sha1 2
cccce62996d578b984984426a024d9b250237533
Details sha1 2
8e39eca1e48240c01ee570631ae8f0c9a9637187
Details sha1 2
2cb8230281b86fa944d3043ae906016c8b5984d9
Details sha1 2
79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a
Details sha1 2
94488f214b165512d2fc0438a581f5c9e3bd4d4c
Details sha1 2
5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
Details sha1 2
b92149f046f00bb69de329b8457d32c24726ee00
Details sha1 2
b335163e6eb854df5e08e85026b2c3518891eda8
Details Yara rule 2
import "pe"

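rule dragos_crashoverride_exporting_dlls {
	meta:
		description = "CRASHOVERRIDE v1 Suspicious Export"
		author = "Dragos Inc"
	condition:
		// The original condition was `pe.exports("Crash") & pe.characteristics`:
		// a bitwise AND between the boolean export check and the whole
		// IMAGE_FILE_HEADER.Characteristics word. Depending on the YARA
		// version that is either a type error or a test of whatever happens to
		// sit in bit 0 of Characteristics — neither of which is the "is a DLL"
		// check the rule name implies.
		// Intended logic: the image exports a function literally named "Crash"
		// (exact, case-sensitive match) AND carries the IMAGE_FILE_DLL flag.
		// `&` binds tighter than `and`, so no extra parentheses are needed.
		pe.exports("Crash") and pe.characteristics & pe.DLL
}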
Details Yara rule 2
import "pe"

rule dragos_crashoverride_suspcious {
	// NOTE: the identifier keeps the original "suspcious" spelling on purpose —
	// a rule name is part of the match output consumers key on, so correcting
	// the typo would be an interface change rather than a cosmetic one.
	meta:
		description = "CRASHOVERRIDE v1 Wiper"
		author = "Dragos Inc"
	strings:
		// Filename / extension strings the description ties to the wiper's
		// file targeting. Each is matched as UTF-16LE (wide), case-insensitively,
		// and must be delimited by non-alphanumeric bytes (fullword).
		$target_file = "SYS_BASCON.COM" wide nocase fullword
		$ext_pcmp = ".pcmp" wide nocase fullword
		$ext_pcmi = ".pcmi" wide nocase fullword
		$ext_pcmt = ".pcmt" wide nocase fullword
		$ext_cin = ".cin" wide nocase fullword
	condition:
		// Both halves are required: the "Crash" export that the other
		// CRASHOVERRIDE rules on this page also key on, plus at least one of
		// the file strings above.
		pe.exports("Crash") and 1 of them
}
Details Yara rule 2
import "pe"

rule dragos_crashoverride_name_search {
	meta:
		description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
		author = "Dragos Inc"
	strings:
		// Module and loader filenames reported for CRASHOVERRIDE, as UTF-16LE
		// (wide), case-insensitive, fullword. Several of these (e.g. "101.dll",
		// "104.dll", "OPC.exe") are short, generic names that can appear in
		// legitimate ICS software; the export check in the condition is what
		// keeps this rule from being pure filename matching.
		$mod_101 = "101.dll" wide nocase fullword
		$mod_crash101 = "Crash101.dll" wide nocase fullword
		$mod_104 = "104.dll" wide nocase fullword
		$mod_crash104 = "Crash104.dll" wide nocase fullword
		$mod_61850 = "61850.dll" wide nocase fullword
		$mod_crash61850 = "Crash61850.dll" wide nocase fullword
		$mod_opcclient = "OPCClientDemo.dll" wide nocase fullword
		// Three-character string: weakest entry in the set, kept for parity
		// with the published rule. It will hit on any OPC-related binary.
		$mod_opc = "OPC" wide nocase fullword
		$mod_crashopcclient = "CrashOPCClientDemo.dll" wide nocase fullword
		$mod_d2multi = "D2MultiCommService.exe" wide nocase fullword
		$mod_crashd2multi = "CrashD2MultiCommService.exe" wide nocase fullword
		$exe_61850 = "61850.exe" wide nocase fullword
		$exe_opc = "OPC.exe" wide nocase fullword
		$exe_haslo = "haslo.exe" wide nocase fullword
		$dat_haslo = "haslo.dat" wide nocase fullword
	condition:
		// Evaluate the cheap, high-signal export check first; any one of the
		// filename strings then completes the match.
		pe.exports("Crash") and 1 of them
}
Details Yara rule 1
import "hash"

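rule dragos_crashoverride_hashes {
	meta:
		description = "CRASHOVERRIDE Malware Hashes"
		author = "Dragos Inc"
	condition:
		// Precedence bug in the published rule: `filesize < 1MB and A or B or C …`
		// parses as `(filesize < 1MB and A) or B or C …`, so the size guard
		// only protected the first comparison and every other one hashed the
		// whole file regardless of size. The parenthesised or-chain below makes
		// the guard cover all nine hashes.
		// hash.sha1 is evaluated per comparison; newer YARA releases cache the
		// result for an identical (offset, length) range, older ones rehash —
		// either way the 1MB bound keeps the worst case small.
		// Whole-file SHA-1 of the nine samples listed in this advisory.
		filesize < 1MB and (
			hash.sha1(0, filesize) == "f6c21f8189ced6ae150f9ef2e82a3a57843b587d" or
			hash.sha1(0, filesize) == "cccce62996d578b984984426a024d9b250237533" or
			hash.sha1(0, filesize) == "8e39eca1e48240c01ee570631ae8f0c9a9637187" or
			hash.sha1(0, filesize) == "2cb8230281b86fa944d3043ae906016c8b5984d9" or
			hash.sha1(0, filesize) == "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a" or
			hash.sha1(0, filesize) == "94488f214b165512d2fc0438a581f5c9e3bd4d4c" or
			hash.sha1(0, filesize) == "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04" or
			hash.sha1(0, filesize) == "b92149f046f00bb69de329b8457d32c24726ee00" or
			hash.sha1(0, filesize) == "b335163e6eb854df5e08e85026b2c3518891eda8"
		)
}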
Details Yara rule 2
rule dragos_crashoverride_moduleStrings {
	meta:
		description = "IEC-104 Interaction Module Program Strings"
		author = "Dragos Inc"
	strings:
		// Log / format strings from the IEC-104 module. Each is matched both
		// as ASCII and UTF-16LE, case-insensitively, with no fullword bound.
		$fmt_client = "IEC-104 client: ip=%s; port=%s; ASDU=%u" ascii wide nocase
		$dir_master_to_slave = " MSTR ->> SLV" ascii wide nocase
		$dir_slave_to_master = " MSTR <<- SLV" ascii wide nocase
		$err_apdu = "Unknown APDU format !!!" ascii wide nocase
		$logfile = "iec104.log" ascii wide nocase
	condition:
		// A single string is enough to fire. Generic diagnostic text like the
		// APDU error or the log filename could plausibly appear in legitimate
		// IEC-104 tooling, so treat a hit from this rule alone as low-fidelity
		// and corroborate with the export- and hash-based rules.
		1 of them
}
Details Yara rule 1
rule dragos_crashoverride_configReader {
	meta:
		description = "CRASHOVERRIDE v1 Config File Parsing"
		author = "Dragos Inc"
	strings:
		// x86 (32-bit) byte patterns. Decoded from the opcodes:
		//   68 E8 ?? ?? ??   push imm32 (low byte 0xE8)
		//   6A 00            push 0
		//   E8 A3 ?? ?? ??   call rel32
		//   8B F8            mov edi, eax
		//   83 C4 ?8         add esp, imm8 — the nibble wildcard pins the low
		//                    nibble to 8 (0x08, 0x18, …), i.e. a 2- or 6-arg
		//                    cdecl cleanup among others.
		$s0 = { 68 E8 ?? ?? ?? 6A 00 E8 A3 ?? ?? ?? 8B F8 83 C4 ?8 }
		//   8A 10  mov dl,[eax]; 3A 11  cmp dl,[ecx]; 75 ??  jne;
		//   84 D2  test dl,dl;   74 12  je
		// Byte-at-a-time compare loop — the shape of an inlined string compare.
		$s1 = { 8A 10 3A 11 75 ?? 84 D2 74 12 }
		//   33 C0  xor eax,eax; EB ??  jmp; 1B C0  sbb eax,eax; 83 C8 ??  or eax,imm8
		// Sign-normalising tail (returns -1/0/1 style) that pairs with $s1.
		$s2 = { 33 C0 EB ?? 1B C0 83 C8 ?? }
		//   85 C0  test eax,eax; 75 ??  jne; 8D 95 ?? ?? ?? ??  lea edx,[ebp+disp32];
		//   8B CF  mov ecx,edi; then two wildcard bytes.
		$s3 = { 85 C0 75 ?? 8D 95 ?? ?? ?? ?? 8B CF ?? ?? }
	condition:
		// $s1/$s2 are compiler idioms found in many MSVC-built binaries; the
		// rule's specificity comes from requiring all four fragments together.
		// Nothing here names the config format itself — "Config File Parsing"
		// is the author's attribution, not something the bytes establish.
		all of them
}
Details Yara rule 2
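rule dragos_crashoverride_weirdMutex {
	meta:
		// Typo fixed in the description ("assoicated" -> "associated").
		description = "Blank mutex creation associated with CRASHOVERRIDE"
		author = "Dragos Inc"
	strings:
		// x86 (32-bit) prologue followed by a three-NULL-argument indirect call:
		//   81 EC 08 02 00 00  sub esp, 0x208
		//   57                 push edi
		//   33 FF              xor edi, edi
		//   57 57 57           push edi ×3  -> three zero arguments
		//   FF 15 ?? ?? 40 00  call dword ptr [0x0040????]
		//   A3 ?? ?? ?? 00     mov [imm32], eax  (stores the returned value)
		//   85 C0              test eax, eax
		// Three NULL args are consistent with CreateMutex(NULL, FALSE, NULL) —
		// the "blank mutex" the description refers to — but the callee is not
		// named by the bytes; confirm against a sample.
		$s1 = { 81 EC 08 02 00 00 57 33 FF 57 57 57 FF 15 ?? ?? 40 00 A3 ?? ?? ?? 00 85 C0 }
		//   8D 85 ?? ?? ?? FF  lea eax, [ebp-disp32]
		//   50                 push eax
		//   57 57              push edi ×2
		//   6A 2E              push 0x2E
		//   57                 push edi
		//   FF 15 ?? ?? ?? 00  call dword ptr [0x00??????]
		//   68 ?? ?? 40 00     push 0x0040????
		$s2 = { 8D 85 ?? ?? ?? FF 50 57 57 6A 2E 57 FF 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
	condition:
		// Both fragments embed absolute addresses in the 0x0040xxxx range, so
		// the rule only matches 32-bit images built for the default 0x00400000
		// base as they sit on disk; a rebased/relocated copy will not match.
		all of them
}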
Details Yara rule 2
rule dragos_crashoverride_serviceStomper {
	meta:
		description = "Identify service hollowing and persistence setting"
		author = "Dragos Inc"
	strings:
		//   33 C9        xor ecx, ecx
		//   51 ×6        push ecx  -> six zero arguments for a call that
		//                follows; the three trailing wildcards only require
		//                three more bytes to exist and do not constrain them.
		// The callee is not identified by the bytes.
		$s0 = { 33 C9 51 51 51 51 51 51 ?? ?? ?? }
		//   6A FF ×3           push 0xFFFFFFFF ×3
		//   50                 push eax
		//   FF 15 24 ?? 40 00  call dword ptr [0x0040??24]
		//   FF ?? ??           FF-group instruction (push/call/jmp via modrm)
		//   FF 15 20 ?? 40 00  call dword ptr [0x0040??20]
		// Three -1 values ahead of a handle is the shape of a
		// ChangeServiceConfig-style call using SERVICE_NO_CHANGE — plausible
		// given the description, but an inference; verify on a sample.
		$s1 = { 6A FF 6A FF 6A FF 50 FF 15 24 ?? 40 00 FF ?? ?? FF 15 20 ?? 40 00 }
	condition:
		// $s1 hard-codes IAT slots in the 0x0040xxxx range, so only 32-bit
		// images with the default 0x00400000 base, scanned on disk (unrelocated),
		// can match.
		all of them
}
Details Yara rule 2
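rule dragos_crashoverride_wiperModuleRegistry {
	meta:
		// Typo fixed in the description ("assoicated" -> "associated").
		description = "Registry Wiper functionality associated with CRASHOVERRIDE"
		author = "Dragos Inc"
	strings:
		//   8D 85 A0 ?? ?? ??  lea eax, [ebp+disp32] (low byte 0xA0)
		//   46                 inc esi               (loop counter / index)
		//   50                 push eax
		//   8D 85 A0 ?? ?? ??  lea eax, [ebp+disp32]
		//   68 68 0D ?? ??     push 0x????0D68
		//   50                 push eax
		$s0 = { 8D 85 A0 ?? ?? ?? 46 50 8D 85 A0 ?? ?? ?? 68 68 0D ?? ?? 50 }
		//   6A 02              push 2
		//   68 78 0B ?? ??     push 0x????0B78
		//   6A 02              push 2
		//   50                 push eax
		//   68 B4 0D ?? ??     push 0x????0DB4
		//   FF B5 98 ?? ?? ??  push dword [ebp+disp32]
		//   FF 15 04 ?? ?? ??  call dword ptr [imm32]
		// Six pushed arguments ending in a stack-held handle; the argument
		// count and the two immediates pointing into the image are consistent
		// with a RegSetValueEx-style call, but that is not established by the
		// bytes — confirm against a sample.
		$s1 = { 6A 02 68 78 0B ?? ?? 6A 02 50 68 B4 0D ?? ?? FF B5 98 ?? ?? ?? FF 15 04 ?? ?? ?? }
		//   68 00 02 00 00     push 0x200            (buffer length)
		//   8D 85 A0 ?? ?? ??  lea eax, [ebp+disp32]; 50  push eax (buffer)
		//   56                 push esi              (the counter bumped in $s0)
		//   FF B5 9C ?? ?? ??  push dword [ebp+disp32]
		//   FF 15 00 ?? ?? ??  call dword ptr [imm32]
		//   85 C0              test eax, eax
		// Four args (handle, index, buffer, 0x200) match the shape of a
		// registry key enumeration call; again an inference, not a certainty.
		$s2 = { 68 00 02 00 00 8D 85 A0 ?? ?? ?? 50 56 FF B5 9C ?? ?? ?? FF 15 00 ?? ?? ?? 85 C0 }
	condition:
		// All three fragments are required; each is a plain x86 call-setup
		// sequence that would be weak on its own.
		all of them
}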
Details Yara rule 1
rule dragos_crashoverride_wiperFileManipulation {
	meta:
		description = "File manipulation actions associated with CRASHOVERRIDE wiper"
		author = "Dragos Inc"
	strings:
		//   6A 00              push 0
		//   68 80 00 00 00     push 0x80
		//   6A 03              push 3
		//   6A 00              push 0
		//   6A 02              push 2
		//   8B F9              mov edi, ecx
		//   68 00 00 00 40     push 0x40000000
		//   57                 push edi
		//   FF 15 1C ?? ?? ??  call dword ptr [imm32]
		//   8B D8              mov ebx, eax        (keeps the returned handle)
		// Seven arguments whose constants (0x40000000, 2, 0, 3, 0x80, 0) line up
		// with a CreateFile-style open for writing — consistent with the
		// description, but the API is not named by the bytes; confirm on a sample.
		$s0 = { 6A 00 68 80 00 00 00 6A 03 6A 00 6A 02 8B F9 68 00 00 00 40 57 FF 15 1C ?? ?? ?? 8B D8 }
		// Identifier jumps from $s0 to $s2 (no $s1); harmless, left as published.
		//   6A 00              push 0
		//   50 57 56 53        push eax; push edi; push esi; push ebx
		//   FF 15 4C ?? ?? ??  call dword ptr [imm32]
		//   56                 push esi
		// Five arguments with ebx (the handle saved in $s0) pushed last, i.e.
		// passed first — the shape of a write on that handle; inference only.
		$s2 = { 6A 00 50 57 56 53 FF 15 4C ?? ?? ?? 56 }
	condition:
		// Both sequences are required; either alone is a generic Win32 call
		// pattern that many legitimate binaries contain.
		all of them
}