win.gameover_p2p

Gameover P2P

aka: GOZ, Gameover ZeuS, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2023-08-23 | Zeus Museum | Dennis Schwarz
    Historical Gameover Deep Dive
    Tags: Gameover P2P

2022-04-27 | ANSSI | ANSSI
    The Cybercriminal Group FIN7 (original title: LE GROUPE CYBERCRIMINEL FIN7)
    Tags: Bateleur, BELLHOP, Griffon, SQLRat, POWERSOURCE, Andromeda, BABYMETAL, BlackCat, BlackMatter, BOOSTWRITE, Carbanak, Cobalt Strike, DNSMessenger, Dridex, DRIFTPIN, Gameover P2P, MimiKatz, Murofet, Qadars, Ranbyus, SocksBot

2021-09-09 | Recorded Future | Insikt Group
    Dark Covenant: Connections Between the Russian State and Criminal Actors
    Tags: BlackEnergy, EternalPetya, Gameover P2P, Zeus

2021-06-08 | Intel 471 | Intel 471
    The blurry boundaries between nation-state actors and the cybercrime underground
    Tags: Dridex, Gameover P2P

2021-02-08 | Lawfare Blog | David Hechler
    What Is the Point of These Nation-State Indictments?
    Tags: Gameover P2P, Nymaim

2020-07-17 | CERT-FR | CERT-FR
    The Malware Dridex: Origins and Uses
    Tags: Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus

2019-12-19 | KrebsOnSecurity | Brian Krebs
    Inside ‘Evil Corp,’ a $100M Cybercrime Menace
    Tags: Dridex, Gameover P2P, Zeus, Evil Corp

2017-05-15 | Secureworks | Counter Threat Unit Research Team
    Evolution of the GOLD EVERGREEN Threat Group
    Tags: CryptoLocker, Dridex, Dyre, Gameover P2P, Murofet, TrickBot, Zeus, GOLD EVERGREEN

2017-03-21 | Wired | Garrett M. Graff
    Inside the Hunt for Russia's Most Notorious Hacker
    Tags: Gameover P2P

2017-03-21 | Wired | Chad Hagen, Garrett M. Graff
    Inside the Hunt for Russia’s Most Notorious Hacker
    Tags: Gameover P2P, Murofet, Zeus

2015-12-01 | CERT.PL | CERT.PL
    ZeuS-P2P monitoring and analysis
    Tags: Gameover P2P

2015-09-03 | Johannes Bader's Blog | Johannes Bader
    Three Variants of Murofet's DGA
    Tags: Gameover P2P, Murofet

2015-08-05 | Black Hat | Elliott Peterson, Michael Sandee, Tillmann Werner
    Gameover Zeus – Bad Guys and Backends
    Tags: Gameover P2P

2015-02-06 | CrowdStrike | CrowdStrike
    CrowdStrike Global Threat Intel Report 2014
    Tags: BlackPOS, CryptoLocker, Derusbi, Elise, Enfal, EvilGrab, Gameover P2P, HttpBrowser, MedusaHTTP, Mirage, Naikon, NetTraveler, pirpi, PlugX, Poison Ivy, Sakula RAT, Sinowal, sykipot, taidoor

2014-10-14 | Symantec | Symantec Security Response
    Security vendors take action against Hidden Lynx malware
    Tags: Gameover P2P, HiKit, Shylock, APT17

2013-10-01 | MALWARE Conference | Brett Stone-Gross, Christian Rossow, Daniel Plohmann, Dennis Andriesse, Herbert Bos
    Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
    Tags: Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20260504 | Detects win.gameover_p2p.)
rule win_gameover_p2p_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.gameover_p2p."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b44241c 33c9 66394c043c 0f84ef010000 fec3 66894c043c 885c2417 }
            // n = 7, score = 100
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   33c9                 | xor                 ecx, ecx
            //   66394c043c           | cmp                 word ptr [esp + eax + 0x3c], cx
            //   0f84ef010000         | je                  0x1f5
            //   fec3                 | inc                 bl
            //   66894c043c           | mov                 word ptr [esp + eax + 0x3c], cx
            //   885c2417             | mov                 byte ptr [esp + 0x17], bl

        $sequence_1 = { 84db 0f95c2 51 8b4dec 81c292000000 e8???????? }
            // n = 6, score = 100
            //   84db                 | test                bl, bl
            //   0f95c2               | setne               dl
            //   51                   | push                ecx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   81c292000000         | add                 edx, 0x92
            //   e8????????           |                     

        $sequence_2 = { 8d3c9548373d02 8b0f 334f04 23cb 330f 8bc1 83e001 }
            // n = 7, score = 100
            //   8d3c9548373d02       | lea                 edi, [edx*4 + 0x23d3748]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   334f04               | xor                 ecx, dword ptr [edi + 4]
            //   23cb                 | and                 ecx, ebx
            //   330f                 | xor                 ecx, dword ptr [edi]
            //   8bc1                 | mov                 eax, ecx
            //   83e001               | and                 eax, 1

        $sequence_3 = { 8d4c2448 c7442448307f3902 895c2450 e8???????? 8b6c2450 b8???????? }
            // n = 6, score = 100
            //   8d4c2448             | lea                 ecx, [esp + 0x48]
            //   c7442448307f3902     | mov                 dword ptr [esp + 0x48], 0x2397f30
            //   895c2450             | mov                 dword ptr [esp + 0x50], ebx
            //   e8????????           |                     
            //   8b6c2450             | mov                 ebp, dword ptr [esp + 0x50]
            //   b8????????           |                     

        $sequence_4 = { 8a5603 80fa0e 0f87eef7ffff 0fb6c2 3a884c903902 0f85dff7ffff 8a4c2413 }
            // n = 7, score = 100
            //   8a5603               | mov                 dl, byte ptr [esi + 3]
            //   80fa0e               | cmp                 dl, 0xe
            //   0f87eef7ffff         | ja                  0xfffff7f4
            //   0fb6c2               | movzx               eax, dl
            //   3a884c903902         | cmp                 cl, byte ptr [eax + 0x239904c]
            //   0f85dff7ffff         | jne                 0xfffff7e5
            //   8a4c2413             | mov                 cl, byte ptr [esp + 0x13]

        $sequence_5 = { 8a1428 8a2438 3ad4 7505 80c308 eb3d }
            // n = 6, score = 100
            //   8a1428               | mov                 dl, byte ptr [eax + ebp]
            //   8a2438               | mov                 ah, byte ptr [eax + edi]
            //   3ad4                 | cmp                 dl, ah
            //   7505                 | jne                 7
            //   80c308               | add                 bl, 8
            //   eb3d                 | jmp                 0x3f

        $sequence_6 = { 8d4c2468 c744241494913902 e8???????? 6800100000 8d4c2478 e8???????? ff7510 }
            // n = 7, score = 100
            //   8d4c2468             | lea                 ecx, [esp + 0x68]
            //   c744241494913902     | mov                 dword ptr [esp + 0x14], 0x2399194
            //   e8????????           |                     
            //   6800100000           | push                0x1000
            //   8d4c2478             | lea                 ecx, [esp + 0x78]
            //   e8????????           |                     
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_7 = { 5e c20400 56 51 8bf2 ff15???????? ba04010000 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   51                   | push                ecx
            //   8bf2                 | mov                 esi, edx
            //   ff15????????         |                     
            //   ba04010000           | mov                 edx, 0x104

        $sequence_8 = { 56 ff15???????? 33d2 8bf2 85f6 0f8453020000 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   8bf2                 | mov                 esi, edx
            //   85f6                 | test                esi, esi
            //   0f8453020000         | je                  0x259

        $sequence_9 = { 0f95c0 84c0 7404 b001 eb2d 833d????????ff 740d }
            // n = 7, score = 100
            //   0f95c0               | setne               al
            //   84c0                 | test                al, al
            //   7404                 | je                  6
            //   b001                 | mov                 al, 1
            //   eb2d                 | jmp                 0x2f
            //   833d????????ff       |                     
            //   740d                 | je                  0xf

    condition:
        7 of them and filesize < 598016
}