There is no description at this point.
There are currently no references.
rule win_gameover_dga_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.gameover_dga." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0f87a5000000 8b5d0c 83e301 750f e8???????? 8bf0 85f6 } // n = 7, score = 700 // 0f87a5000000 | ja 0xab // 8b5d0c | mov ebx, dword ptr [ebp + 0xc] // 83e301 | and ebx, 1 // 750f | jne 0x11 // e8???????? | // 8bf0 | mov esi, eax // 85f6 | test esi, esi $sequence_1 = { 0f42e8 8d44243c 6a14 50 6aff 33c9 } // n = 6, score = 700 // 0f42e8 | cmovb ebp, eax // 8d44243c | lea eax, [esp + 0x3c] // 6a14 | push 0x14 // 50 | push eax // 6aff | push -1 // 33c9 | xor ecx, ecx $sequence_2 = { 395f50 7450 3b7750 754b 8b442424 f7d8 c644241c01 } // n = 7, score = 700 // 395f50 | cmp dword ptr [edi + 0x50], ebx // 7450 | je 0x52 // 3b7750 | cmp esi, dword ptr [edi + 0x50] // 754b | jne 0x4d // 8b442424 | mov eax, dword ptr [esp + 0x24] // f7d8 | neg eax // c644241c01 | mov byte ptr [esp + 0x1c], 1 $sequence_3 = { 57 8bf2 8bf9 8b4d08 8d55c4 e8???????? 56 } // n = 7, score = 700 // 57 | push edi // 8bf2 | mov esi, edx // 8bf9 | mov edi, ecx // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 8d55c4 | lea edx, [ebp - 0x3c] // e8???????? | // 56 | push esi $sequence_4 = { 50 ff742450 ff770c ff15???????? 0fb64d01 83c40c 0fb64502 } // n = 7, score = 700 // 50 | push eax // ff742450 | push dword ptr [esp + 0x50] // ff770c | push dword ptr [edi + 0xc] // ff15???????? | // 0fb64d01 | movzx ecx, byte ptr [ebp + 1] // 83c40c | add esp, 0xc // 0fb64502 | movzx eax, byte ptr [ebp + 2] $sequence_5 = { ff742440 8bf8 ff15???????? ff742420 55 ff15???????? } // n = 6, score = 700 // ff742440 | push dword ptr [esp + 0x40] // 8bf8 | mov edi, eax // ff15???????? | // ff742420 | push dword ptr [esp + 0x20] // 55 | push ebp // ff15???????? | $sequence_6 = { 8b74242c 57 837b1400 8b3d???????? 7e36 f6461004 } // n = 6, score = 700 // 8b74242c | mov esi, dword ptr [esp + 0x2c] // 57 | push edi // 837b1400 | cmp dword ptr [ebx + 0x14], 0 // 8b3d???????? | // 7e36 | jle 0x38 // f6461004 | test byte ptr [esi + 0x10], 4 $sequence_7 = { 8b74242c 1bd5 8b6c2434 48 03f8 8bc1 0bc2 } // n = 7, score = 700 // 8b74242c | mov esi, dword ptr [esp + 0x2c] // 1bd5 | sbb edx, ebp // 8b6c2434 | mov ebp, dword ptr [esp + 0x34] // 48 | dec eax // 03f8 | add edi, eax // 8bc1 | mov eax, ecx // 0bc2 | or eax, edx $sequence_8 = { 8d4676 50 e8???????? 84c0 7520 8b4c242c e8???????? } // n = 7, score = 700 // 8d4676 | lea eax, [esi + 0x76] // 50 | push eax // e8???????? | // 84c0 | test al, al // 7520 | jne 0x22 // 8b4c242c | mov ecx, dword ptr [esp + 0x2c] // e8???????? | $sequence_9 = { 0fb60b 8b4730 0fb60401 39442414 7408 43 42 } // n = 7, score = 700 // 0fb60b | movzx ecx, byte ptr [ebx] // 8b4730 | mov eax, dword ptr [edi + 0x30] // 0fb60401 | movzx eax, byte ptr [ecx + eax] // 39442414 | cmp dword ptr [esp + 0x14], eax // 7408 | je 0xa // 43 | inc ebx // 42 | inc edx condition: 7 of them and filesize < 540672 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY