There is no description at this point.
There are currently no references.
rule win_gameover_dga_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.gameover_dga." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff15???????? b301 68???????? ff15???????? 5f 5e } // n = 6, score = 700 // ff15???????? | // b301 | mov bl, 1 // 68???????? | // ff15???????? | // 5f | pop edi // 5e | pop esi $sequence_1 = { 8bcf 50 53 ff742428 e8???????? 8bf0 89742418 } // n = 7, score = 700 // 8bcf | mov ecx, edi // 50 | push eax // 53 | push ebx // ff742428 | push dword ptr [esp + 0x28] // e8???????? | // 8bf0 | mov esi, eax // 89742418 | mov dword ptr [esp + 0x18], esi $sequence_2 = { a1???????? 51 83c074 8bce 68???????? 50 e8???????? } // n = 7, score = 700 // a1???????? | // 51 | push ecx // 83c074 | add eax, 0x74 // 8bce | mov ecx, esi // 68???????? | // 50 | push eax // e8???????? | $sequence_3 = { c20400 81ec28010000 53 55 8bac2434010000 56 57 } // n = 7, score = 700 // c20400 | ret 4 // 81ec28010000 | sub esp, 0x128 // 53 | push ebx // 55 | push ebp // 8bac2434010000 | mov ebp, dword ptr [esp + 0x134] // 56 | push esi // 57 | push edi $sequence_4 = { 8bc2 c1e808 23c7 8984248c000000 8bc2 c1e80a } // n = 6, score = 700 // 8bc2 | mov eax, edx // c1e808 | shr eax, 8 // 23c7 | and eax, edi // 8984248c000000 | mov dword ptr [esp + 0x8c], eax // 8bc2 | mov eax, edx // c1e80a | shr eax, 0xa $sequence_5 = { 5d c3 56 8b35???????? 85f6 7415 8b4e04 } // n = 7, score = 700 // 5d | pop ebp // c3 | ret // 56 | push esi // 8b35???????? | // 85f6 | test esi, esi // 7415 | je 0x17 // 8b4e04 | mov ecx, dword ptr [esi + 4] $sequence_6 = { eb21 83f803 7518 6a07 8d942428010000 59 e8???????? } // n = 7, score = 700 // eb21 | jmp 0x23 // 83f803 | cmp eax, 3 // 7518 | jne 0x1a // 6a07 | push 7 // 8d942428010000 | lea edx, [esp + 0x128] // 59 | pop ecx // e8???????? | $sequence_7 = { 58 5f 5e 5d 5b 81c444010000 c21800 } // n = 7, score = 700 // 58 | pop eax // 5f | pop edi // 5e | pop esi // 5d | pop ebp // 5b | pop ebx // 81c444010000 | add esp, 0x144 // c21800 | ret 0x18 $sequence_8 = { 85f6 7433 8b442410 53 56 ff7510 8bc8 } // n = 7, score = 700 // 85f6 | test esi, esi // 7433 | je 0x35 // 8b442410 | mov eax, dword ptr [esp + 0x10] // 53 | push ebx // 56 | push esi // ff7510 | push dword ptr [ebp + 0x10] // 8bc8 | mov ecx, eax $sequence_9 = { 8bc8 e8???????? 83be8800000002 0f85a6000000 8d4e60 897de0 8b01 } // n = 7, score = 700 // 8bc8 | mov ecx, eax // e8???????? | // 83be8800000002 | cmp dword ptr [esi + 0x88], 2 // 0f85a6000000 | jne 0xac // 8d4e60 | lea ecx, [esi + 0x60] // 897de0 | mov dword ptr [ebp - 0x20], edi // 8b01 | mov eax, dword ptr [ecx] condition: 7 of them and filesize < 540672 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY