/*
 * win_gameover_dga_auto
 *
 * Autogenerated YARA-Signator rule for the Malpedia family win.gameover_dga.
 * The ten hex strings below are 6- and 7-instruction x86 code sequences that
 * the generator selected from the disassembly of memory dumps and unpacked
 * files (see the DISCLAIMER); call targets and absolute addresses are
 * wildcarded (??) so relocation does not break the match.
 *
 * Matching contract (see `condition`): at least 7 of the 10 sequences must be
 * present AND the scanned object must be smaller than 540672 bytes (528KB).
 * NOTE(review): because the strings were taken from unpacked material, the
 * rule is presumably intended for memory or unpacked-sample scanning; whether
 * it fires on packed on-disk samples is not established here - confirm before
 * assigning a confidence level.
 *
 * DISCLAIMER
 * The strings used in this rule have been automatically selected from the
 * disassembly of memory dumps and unpacked files, using YARA-Signator.
 * The code and documentation is published here:
 * https://github.com/fxb-cocacoding/yara-signator
 * As Malpedia is used as data source, please note that for a given
 * number of families, only single samples are documented.
 * This likely impacts the degree of generalization these rules will offer.
 * Take the described generation method also into consideration when you
 * apply the rules in your use cases and assign them confidence levels.
 */
rule win_gameover_dga_auto
{
    meta:
        author            = "Felix Bilstein - yara-signator at cocacoding dot com"
        date              = "2023-01-25"
        version           = "1"
        description       = "Detects win.gameover_dga."
        info              = "autogenerated rule brought to you by yara-signator"
        tool              = "yara-signator v0.6.0"
        signator_config   = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga"
        malpedia_rule_date = "20230124"
        malpedia_hash     = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version  = "20230125"
        malpedia_license  = "CC BY-SA 4.0"
        malpedia_sharing  = "TLP:WHITE"

    strings:
        /* n = 7, score = 700
         *   53         push ebx
         *   8b5c2410   mov ebx, dword ptr [esp + 0x10]
         *   55         push ebp
         *   8b6c240c   mov ebp, dword ptr [esp + 0xc]
         *   03dd       add ebx, ebp
         *   57         push edi
         *   53         push ebx
         */
        $sequence_0 = { 53 8b5c2410 55 8b6c240c 03dd 57 53 }

        /* n = 6, score = 700
         *   895c2414     mov dword ptr [esp + 0x14], ebx
         *   8bce         mov ecx, esi
         *   e8????????   call rel32 (target wildcarded)
         *   837c241400   cmp dword ptr [esp + 0x14], 0
         *   0f8581000000 jne 0x87
         *   33c9         xor ecx, ecx
         */
        $sequence_1 = { 895c2414 8bce e8???????? 837c241400 0f8581000000 33c9 }

        /* n = 6, score = 700
         *   53           push ebx
         *   894618       mov dword ptr [esi + 0x18], eax
         *   e8????????   call rel32 (target wildcarded)
         *   84c0         test al, al
         *   7440         je 0x42
         *   6a00         push 0
         */
        $sequence_2 = { 53 894618 e8???????? 84c0 7440 6a00 }

        /* n = 7, score = 700
         *   03c0       add eax, eax
         *   01471c     add dword ptr [edi + 0x1c], eax
         *   8b4718     mov eax, dword ptr [edi + 0x18]
         *   8bcd       mov ecx, ebp
         *   53         push ebx
         *   8b1cb0     mov ebx, dword ptr [eax + esi*4]
         *   8bd3       mov edx, ebx
         */
        $sequence_3 = { 03c0 01471c 8b4718 8bcd 53 8b1cb0 8bd3 }

        /* n = 7, score = 700
         *   c3             ret
         *   f605????????01 test byte ptr [imm32], 1 (address wildcarded)
         *   7534           jne 0x36
         *   56             push esi
         *   be????????     mov esi, imm32 (value wildcarded)
         *   56             push esi
         *   ff15????????   call dword ptr [imm32] (address wildcarded)
         */
        $sequence_4 = { c3 f605????????01 7534 56 be???????? 56 ff15???????? }

        /* n = 7, score = 700
         *   83c604       add esi, 4
         *   3bd7         cmp edx, edi
         *   72f2         jb 0xfffffff4
         *   81c138020000 add ecx, 0x238
         *   53           push ebx
         *   8b01         mov eax, dword ptr [ecx]
         *   ff5010       call dword ptr [eax + 0x10]
         */
        $sequence_5 = { 83c604 3bd7 72f2 81c138020000 53 8b01 ff5010 }

        /* n = 6, score = 700
         *   0fb74114   movzx eax, word ptr [ecx + 0x14]
         *   0fb6d0     movzx edx, al
         *   c1e808     shr eax, 8
         *   83e001     and eax, 1
         *   89542414   mov dword ptr [esp + 0x14], edx
         *   89442440   mov dword ptr [esp + 0x40], eax
         */
        $sequence_6 = { 0fb74114 0fb6d0 c1e808 83e001 89542414 89442440 }

        /* n = 7, score = 700
         *   ff760c       push dword ptr [esi + 0xc]
         *   ff7608       push dword ptr [esi + 8]
         *   6a10         push 0x10
         *   e8????????   call rel32 (target wildcarded)
         *   84c0         test al, al
         *   0f847a010000 je 0x180
         *   8364241c00   and dword ptr [esp + 0x1c], 0
         */
        $sequence_7 = { ff760c ff7608 6a10 e8???????? 84c0 0f847a010000 8364241c00 }

        /* n = 6, score = 700
         *   e8????????   call rel32 (target wildcarded)
         *   885e10       mov byte ptr [esi + 0x10], bl
         *   895e08       mov dword ptr [esi + 8], ebx
         *   895e0c       mov dword ptr [esi + 0xc], ebx
         *   5e           pop esi
         *   5b           pop ebx
         */
        $sequence_8 = { e8???????? 885e10 895e08 895e0c 5e 5b }

        /* n = 7, score = 700
         *   f7730c     div dword ptr [ebx + 0xc]
         *   41         inc ecx
         *   4d         dec ebp
         *   75e9       jne 0xffffffeb
         *   5f         pop edi
         *   5d         pop ebp
         *   8bc6       mov eax, esi
         */
        $sequence_9 = { f7730c 41 4d 75e9 5f 5d 8bc6 }

    condition:
        // Same as "7 of them": every string in this rule is a $sequence_* string.
        // 528KB == 540672 bytes.
        7 of ($sequence_*) and filesize < 528KB
}