win.gameover_dga

Gameover DGA


There is no description at this point.

References

There are currently no references.

Yara Rules
[TLP:WHITE] win_gameover_dga_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_gameover_dga_auto {

    /* Purpose
     * Autogenerated code-sequence signature for the Malpedia family
     * win.gameover_dga. It fires when at least 7 of the 10 $sequence_*
     * byte patterns below are present AND the scanned file is smaller
     * than 540672 bytes (see the condition at the bottom).
     * Each $sequence_* string is a short run of x86 instruction bytes
     * taken from the family's disassembly; the "??" bytes are YARA
     * wildcards. In these patterns they sit in the operand position of
     * e8 (call), e9 (jmp) and c745f8 (mov imm32), which is consistent
     * with the tool_config "callsandjumps;datarefs" masking relocatable
     * call/jump targets and data references.
     * The "n = N, score = S" annotations are yara-signator output: n is
     * the number of instructions in the sequence; the meaning of score
     * is not documented on this page, so do not treat it as a
     * confidence value without consulting the tool's documentation.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Operational note (reviewer): because the sequences were selected from
     * memory dumps and unpacked files, this rule is intended for unpacked
     * code or memory images; a packed on-disk sample will generally not
     * contain these byte runs. Validate against your own sample set before
     * assigning an alert severity.
     */

    strings:
        $sequence_0 = { e8???????? 84c0 7431 8d4dec e8???????? 8b06 8bce }
            // n = 7, score = 700
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7431                 | je                  0x33
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bce                 | mov                 ecx, esi

        $sequence_1 = { 5b 83c47c c3 55 8bec 83e4f8 83ec70 }
            // n = 7, score = 700
            //   5b                   | pop                 ebx
            //   83c47c               | add                 esp, 0x7c
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   83ec70               | sub                 esp, 0x70
            // Spans a function epilogue (ret) followed by the next function's
            // prologue with an 8-byte stack alignment; such boundary patterns
            // depend on function layout and may be fragile across builds.

        $sequence_2 = { 8d44240c 50 51 e8???????? 84c0 7479 837d0800 }
            // n = 7, score = 700
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7479                 | je                  0x7b
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0

        $sequence_3 = { 0f84bf000000 8b4e14 8b07 03ce 8901 8b4704 }
            // n = 6, score = 700
            //   0f84bf000000         | je                  0xc5
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03ce                 | add                 ecx, esi
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

        $sequence_4 = { ff54241c 85c0 0f8ffe260000 0f88ea1b0000 83c506 e9???????? 8b84245c010000 }
            // n = 7, score = 700
            //   ff54241c             | call                dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f8ffe260000         | jg                  0x2704
            //   0f88ea1b0000         | js                  0x1bf0
            //   83c506               | add                 ebp, 6
            //   e9????????           |                     
            //   8b84245c010000       | mov                 eax, dword ptr [esp + 0x15c]
            // Note: the two long-form conditional jumps (0f8f / 0f88) carry
            // fixed rel32 displacements here; unlike the e8/e9 operands they
            // are NOT wildcarded, so this sequence is sensitive to code-layout
            // changes between builds.

        $sequence_5 = { 0f84db000000 33ff 8d4e70 33d2 39be88000000 57 0f44ca }
            // n = 7, score = 700
            //   0f84db000000         | je                  0xe1
            //   33ff                 | xor                 edi, edi
            //   8d4e70               | lea                 ecx, [esi + 0x70]
            //   33d2                 | xor                 edx, edx
            //   39be88000000         | cmp                 dword ptr [esi + 0x88], edi
            //   57                   | push                edi
            //   0f44ca               | cmove               ecx, edx

        $sequence_6 = { 6a08 ff7514 8d442428 50 ffd6 8b742410 8d442414 }
            // n = 7, score = 700
            //   6a08                 | push                8
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   8d442414             | lea                 eax, [esp + 0x14]

        $sequence_7 = { 8a03 3a472c 0f853b210000 33c0 40 3901 740c }
            // n = 7, score = 700
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   3a472c               | cmp                 al, byte ptr [edi + 0x2c]
            //   0f853b210000         | jne                 0x2141
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   740c                 | je                  0xe

        $sequence_8 = { 8b4734 8a0401 33c9 41 43 22c1 0f8540110000 }
            // n = 7, score = 700
            //   8b4734               | mov                 eax, dword ptr [edi + 0x34]
            //   8a0401               | mov                 al, byte ptr [ecx + eax]
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   43                   | inc                 ebx
            //   22c1                 | and                 al, cl
            //   0f8540110000         | jne                 0x1146

        $sequence_9 = { e8???????? 51 57 56 8d4df8 c645fc00 c745f8???????? }
            // n = 7, score = 700
            //   e8????????           |                     
            //   51                   | push                ecx
            //   57                   | push                edi
            //   56                   | push                esi
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   c745f8????????       |                     
            // The masked imm32 on the final mov is a data reference (likely a
            // pointer written to a local); wildcarding it keeps the pattern
            // independent of the sample's image base.

    condition:
        // "them" = all 10 $sequence_* strings; at least 7 must match.
        // filesize < 540672 (0x84000, 528 KiB) is an upper bound on the
        // scanned object: larger or padded files are excluded even if all
        // sequences are present. Per the YARA docs, filesize is only
        // meaningful when scanning a file on disk, not a process memory
        // region; adjust or drop the bound if you apply this rule to
        // memory scans or to samples that grow beyond this size.
        7 of them and filesize < 540672
}