win.gameover_p2p

Gameover P2P

aka: GOZ, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2021-02-08Lawfare BlogDavid Hechler
@online{hechler:20210208:what:f742cf1, author = {David Hechler}, title = {{What Is the Point of These Nation-State Indictments?}}, date = {2021-02-08}, organization = {Lawfare Blog}, url = {https://www.lawfareblog.com/what-point-these-nation-state-indictments}, language = {English}, urldate = {2021-02-18} } What Is the Point of These Nation-State Indictments?
Gameover P2P Nymaim
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2019-12-19KrebsOnSecurityBrian Krebs
@online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2017-03-21WiredGarrett M. Graff
@online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } Inside the Hunt for Russia's Most Notorious Hacker
Gameover P2P
2015-12CERT.PLCERT.PL
@techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } ZeuS-P2P monitoring and analysis
Gameover P2P
2015-08-05Black HatMichael Sandee, Tillmann Werner, Elliott Peterson
@techreport{sandee:20150805:gameover:fa47096, author = {Michael Sandee and Tillmann Werner and Elliott Peterson}, title = {{Gameover Zeus – Bad Guys and Backends}}, date = {2015-08-05}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf}, language = {English}, urldate = {2020-01-06} } Gameover Zeus – Bad Guys and Backends
Gameover P2P
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-14SymantecSymantec Security Response
@online{response:20141014:security:81c5ea5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-04-21} } Security vendors take action against Hidden Lynx malware
Gameover P2P HiKit Shylock Aurora Panda
2013-10MALWARE ConferenceDennis Andriesse, Christian Rossow, Brett Stone-Gross, Daniel Plohmann, Herbert Bos
@techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_gameover_p2p_auto {

    /* Detection rule for Gameover P2P (ZeuS P2P variant) code sequences,
     * generated by yara-signator. The meta block records provenance only:
     * tool version, generator configuration, the Malpedia entry the sample
     * came from and the sharing/licence terms. Note that malpedia_version
     * (20201023) and date/malpedia_rule_date (20201222) differ; the former
     * appears to be the dataset snapshot, the latter the rule generation date.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of x86 instruction bytes lifted from the
     * analysed sample (the "n = 7" comment gives the instruction count, the
     * "score" the generator's ranking). "??" bytes are YARA wildcards; here
     * they mask the operands of call/push instructions (e8, ff15, 68), which
     * carry addresses that differ between builds. The disassembly in the
     * comments is informational only and is not part of the match.
     * Because the rule matches on unpacked/in-memory code, it should be
     * expected to fire on memory dumps rather than on packed samples on disk.
     */
    strings:
        $sequence_0 = { 5f 5e 5b c9 c20800 85c9 7423 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   85c9                 | test                ecx, ecx
            //   7423                 | je                  0x25

        $sequence_1 = { 8d44240c 50 51 e8???????? 84c0 0f84a0000000 837d0800 }
            // n = 7, score = 100
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84a0000000         | je                  0xa6
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0

        $sequence_2 = { b301 c745ec844d3902 8d4dd0 e8???????? 8b45d4 48 7403 }
            // n = 7, score = 100
            //   b301                 | mov                 bl, 1
            //   c745ec844d3902       | mov                 dword ptr [ebp - 0x14], 0x2394d84
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   48                   | dec                 eax
            //   7403                 | je                  5

        $sequence_3 = { 7618 0fb6442416 83e50f c1e806 c1e502 0bc5 8aa898903902 }
            // n = 7, score = 100
            //   7618                 | jbe                 0x1a
            //   0fb6442416           | movzx               eax, byte ptr [esp + 0x16]
            //   83e50f               | and                 ebp, 0xf
            //   c1e806               | shr                 eax, 6
            //   c1e502               | shl                 ebp, 2
            //   0bc5                 | or                  eax, ebp
            //   8aa898903902         | mov                 ch, byte ptr [eax + 0x2399098]

        $sequence_4 = { 57 ff75fc bf04010000 68???????? 53 8d85f0fdffff 57 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   bf04010000           | mov                 edi, 0x104
            //   68????????           |                     
            //   53                   | push                ebx
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   57                   | push                edi

        $sequence_5 = { ff7704 ff15???????? 85c0 7519 807f0d01 750f }
            // n = 6, score = 100
            //   ff7704               | push                dword ptr [edi + 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7519                 | jne                 0x1b
            //   807f0d01             | cmp                 byte ptr [edi + 0xd], 1
            //   750f                 | jne                 0x11

        $sequence_6 = { 8d442420 ff742418 ff742420 ff74241c 50 57 8d44245c }
            // n = 7, score = 100
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   57                   | push                edi
            //   8d44245c             | lea                 eax, [esp + 0x5c]

        $sequence_7 = { 55 8bec 83e4f8 81eca0080000 53 55 56 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81eca0080000         | sub                 esp, 0x8a0
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi

        $sequence_8 = { 57 6a33 8d542458 59 e8???????? 8d542468 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   6a33                 | push                0x33
            //   8d542458             | lea                 edx, [esp + 0x58]
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   8d542468             | lea                 edx, [esp + 0x68]

        $sequence_9 = { 8d8c24b8000000 e8???????? 84c0 0f859e000000 807f1065 7423 6a5f }
            // n = 7, score = 100
            //   8d8c24b8000000       | lea                 ecx, [esp + 0xb8]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f859e000000         | jne                 0xa4
            //   807f1065             | cmp                 byte ptr [edi + 0x10], 0x65
            //   7423                 | je                  0x25
            //   6a5f                 | push                0x5f

    condition:
        // Match when at least 7 of the 10 sequences are present. The filesize
        // bound (598016 bytes = 584 KiB) is presumably derived from the
        // analysed sample's size; it reduces false positives on large
        // unrelated files but also means the rule will not fire on bigger
        // files that embed the same code (e.g. a containing archive or dump).
        7 of them and filesize < 598016
}