win.gameover_p2p

Gameover P2P

aka: GOZ, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover ZeuS has largely been used for banking fraud and for distributing the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2020-07-17 | CERT-FR | CERT-FR | The Malware Dridex: Origins and Uses
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} }
Families: Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus

2017-03-21 | Wired | Garrett M. Graff | Inside the Hunt for Russia's Most Notorious Hacker
@online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} }
Families: Gameover P2P

2015-12 | CERT.PL | CERT.PL | ZeuS-P2P monitoring and analysis
@techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} }
Families: Gameover P2P

2015-08-05 | Black Hat | Michael Sandee, Tillmann Werner, Elliott Peterson | Gameover Zeus – Bad Guys and Backends
@techreport{sandee:20150805:gameover:fa47096, author = {Michael Sandee and Tillmann Werner and Elliott Peterson}, title = {{Gameover Zeus – Bad Guys and Backends}}, date = {2015-08-05}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf}, language = {English}, urldate = {2020-01-06} }
Families: Gameover P2P

2015-02-06 | CrowdStrike | CrowdStrike | CrowdStrike Global Threat Intel Report 2014
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} }
Families: BlackPOS, CryptoLocker, Derusbi, Elise, Enfal, EvilGrab, Gameover P2P, HttpBrowser, Medusa, Mirage, Naikon, NetTraveler, pirpi, PlugX, Poison Ivy, Sakula RAT, Sinowal, sykipot, taidoor

2014-10-14 | Symantec | Symantec Security Response | Security vendors take action against Hidden Lynx malware
@online{response:20141014:security:81c5ea5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-04-21} }
Families: Gameover P2P, HiKit, Shylock, Aurora Panda

2013-10 | MALWARE Conference | Dennis Andriesse, Christian Rossow, Brett Stone-Gross, Daniel Plohmann, Herbert Bos | Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
@techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} }
Families: Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_gameover_p2p_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? ff770c 8b4f04 6830750000 6a04 8d4508 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   6830750000           | push                0x7530
            //   6a04                 | push                4
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax

        $sequence_1 = { 50 57 ff75f4 56 ff15???????? 85c0 7409 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb

        $sequence_2 = { e8???????? 8065fcfe 8d4588 6801010000 50 6802000080 8d4df8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8065fcfe             | and                 byte ptr [ebp - 4], 0xfe
            //   8d4588               | lea                 eax, [ebp - 0x78]
            //   6801010000           | push                0x101
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   8d4df8               | lea                 ecx, [ebp - 8]

        $sequence_3 = { 8bf2 663939 7406 83c102 4a 75f5 b957000780 }
            // n = 7, score = 100
            //   8bf2                 | mov                 esi, edx
            //   663939               | cmp                 word ptr [ecx], di
            //   7406                 | je                  8
            //   83c102               | add                 ecx, 2
            //   4a                   | dec                 edx
            //   75f5                 | jne                 0xfffffff7
            //   b957000780           | mov                 ecx, 0x80070057

        $sequence_4 = { 8bda c1eb08 81e3ff000000 33049de8333902 8bda c1eb18 33049de82b3902 }
            // n = 7, score = 100
            //   8bda                 | mov                 ebx, edx
            //   c1eb08               | shr                 ebx, 8
            //   81e3ff000000         | and                 ebx, 0xff
            //   33049de8333902       | xor                 eax, dword ptr [ebx*4 + 0x23933e8]
            //   8bda                 | mov                 ebx, edx
            //   c1eb18               | shr                 ebx, 0x18
            //   33049de82b3902       | xor                 eax, dword ptr [ebx*4 + 0x2392be8]

        $sequence_5 = { 7e52 33ed 8b16 6a00 ff742448 03d5 ff742448 }
            // n = 7, score = 100
            //   7e52                 | jle                 0x54
            //   33ed                 | xor                 ebp, ebp
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   6a00                 | push                0
            //   ff742448             | push                dword ptr [esp + 0x48]
            //   03d5                 | add                 edx, ebp
            //   ff742448             | push                dword ptr [esp + 0x48]

        $sequence_6 = { 85db 7441 53 55 57 ff74241c ff15???????? }
            // n = 7, score = 100
            //   85db                 | test                ebx, ebx
            //   7441                 | je                  0x43
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   57                   | push                edi
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ff15????????         |                     

        $sequence_7 = { 81c41c040000 c20800 55 8bec 83ec14 53 56 }
            // n = 7, score = 100
            //   81c41c040000         | add                 esp, 0x41c
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_8 = { 50 8bcf e8???????? 84c0 742b 8d542454 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   742b                 | je                  0x2d
            //   8d542454             | lea                 edx, [esp + 0x54]

        $sequence_9 = { 83c40c 8b44241c 85c0 7410 6a1c 50 8d4754 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   6a1c                 | push                0x1c
            //   50                   | push                eax
            //   8d4754               | lea                 eax, [edi + 0x54]

    condition:
        7 of them and filesize < 598016
}