win.gameover_p2p

Gameover P2P

aka: GOZ, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2020-07-17 | CERT-FR | CERT-FR
  The Malware Dridex: Origins and Uses
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf (accessed 2020-07-20)
  Tags: Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus

2019-12-19 | KrebsOnSecurity | Brian Krebs
  Inside ‘Evil Corp,’ a $100M Cybercrime Menace
  https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ (accessed 2020-11-02)
  Tags: Dridex, Gameover P2P, Zeus, Evil Corp

2017-03-21 | Wired | Garrett M. Graff
  Inside the Hunt for Russia's Most Notorious Hacker
  https://www.wired.com/?p=2171700 (accessed 2020-01-13)
  Tags: Gameover P2P

2015-12 | CERT.PL | CERT.PL
  ZeuS-P2P monitoring and analysis
  https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf (accessed 2020-01-13)
  Tags: Gameover P2P

2015-08-05 | Black Hat | Michael Sandee, Tillmann Werner, Elliott Peterson
  Gameover Zeus – Bad Guys and Backends
  https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf (accessed 2020-01-06)
  Tags: Gameover P2P

2015-02-06 | CrowdStrike | CrowdStrike
  CrowdStrike Global Threat Intel Report 2014
  https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf (accessed 2020-05-11)
  Tags: BlackPOS, CryptoLocker, Derusbi, Elise, Enfal, EvilGrab, Gameover P2P, HttpBrowser, Medusa, Mirage, Naikon, NetTraveler, pirpi, PlugX, Poison Ivy, Sakula RAT, Sinowal, sykipot, taidoor

2014-10-14 | Symantec | Symantec Security Response
  Security vendors take action against Hidden Lynx malware
  https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware (accessed 2020-04-21)
  Tags: Gameover P2P, HiKit, Shylock, Aurora Panda

2013-10 | MALWARE Conference | Dennis Andriesse, Christian Rossow, Brett Stone-Gross, Daniel Plohmann, Herbert Bos
  Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
  http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf (accessed 2020-01-08)
  Tags: Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_gameover_p2p_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bd6 55 89542418 8944241c 85ff 0f8412010000 8d442414 }
            // n = 7, score = 100
            //   8bd6                 | mov                 edx, esi
            //   55                   | push                ebp
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   85ff                 | test                edi, edi
            //   0f8412010000         | je                  0x118
            //   8d442414             | lea                 eax, [esp + 0x14]

        $sequence_1 = { ffd6 ff742420 ffd6 e9???????? 81ec1c020000 53 55 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ffd6                 | call                esi
            //   e9????????           |                     
            //   81ec1c020000         | sub                 esp, 0x21c
            //   53                   | push                ebx
            //   55                   | push                ebp

        $sequence_2 = { 56 ff7508 8d8df8feffff e8???????? 0fb6856af9ffff 8d4ed4 3bc8 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   e8????????           |                     
            //   0fb6856af9ffff       | movzx               eax, byte ptr [ebp - 0x696]
            //   8d4ed4               | lea                 ecx, [esi - 0x2c]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_3 = { 8b08 83f938 720a 85f6 }
            // n = 4, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83f938               | cmp                 ecx, 0x38
            //   720a                 | jb                  0xc
            //   85f6                 | test                esi, esi

        $sequence_4 = { 0fb7f1 57 8bfa 33c0 33d2 663b04f59a613902 7324 }
            // n = 7, score = 100
            //   0fb7f1               | movzx               esi, cx
            //   57                   | push                edi
            //   8bfa                 | mov                 edi, edx
            //   33c0                 | xor                 eax, eax
            //   33d2                 | xor                 edx, edx
            //   663b04f59a613902     | cmp                 ax, word ptr [esi*8 + 0x239619a]
            //   7324                 | jae                 0x26

        $sequence_5 = { 0fb6d0 663b54241c 0fb6f1 6a30 59 0fb7c5 0f47c8 }
            // n = 7, score = 100
            //   0fb6d0               | movzx               edx, al
            //   663b54241c           | cmp                 dx, word ptr [esp + 0x1c]
            //   0fb6f1               | movzx               esi, cl
            //   6a30                 | push                0x30
            //   59                   | pop                 ecx
            //   0fb7c5               | movzx               eax, bp
            //   0f47c8               | cmova               ecx, eax

        $sequence_6 = { 8d542458 59 e8???????? 8d542468 6a34 59 e8???????? }
            // n = 7, score = 100
            //   8d542458             | lea                 edx, [esp + 0x58]
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   8d542468             | lea                 edx, [esp + 0x68]
            //   6a34                 | push                0x34
            //   59                   | pop                 ecx
            //   e8????????           |                     

        $sequence_7 = { 58 668945ec 6a00 8d85e0fdffff 50 51 51 }
            // n = 7, score = 100
            //   58                   | pop                 eax
            //   668945ec             | mov                 word ptr [ebp - 0x14], ax
            //   6a00                 | push                0
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_8 = { 50 8d542458 b901000080 c744242804010000 e8???????? 85c0 7520 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d542458             | lea                 edx, [esp + 0x58]
            //   b901000080           | mov                 ecx, 0x80000001
            //   c744242804010000     | mov                 dword ptr [esp + 0x28], 0x104
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7520                 | jne                 0x22

        $sequence_9 = { ff15???????? 83c40c 33c0 6689443c60 c644241301 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   6689443c60           | mov                 word ptr [esp + edi + 0x60], ax
            //   c644241301           | mov                 byte ptr [esp + 0x13], 1

    condition:
        7 of them and filesize < 598016
}