win.gameover_p2p

Gameover P2P

aka: GOZ, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2017-03-21 ⋅ Wired ⋅ Garrett M. Graff
@online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } Inside the Hunt for Russia's Most Notorious Hacker
Gameover P2P
2015-12 ⋅ CERT.PL ⋅ CERT.PL
@techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } ZeuS-P2P monitoring and analysis
Gameover P2P
2015-08-05 ⋅ Black Hat ⋅ Michael Sandee, Tillmann Werner, Elliott Peterson
@techreport{sandee:20150805:gameover:fa47096, author = {Michael Sandee and Tillmann Werner and Elliott Peterson}, title = {{Gameover Zeus – Bad Guys and Backends}}, date = {2015-08-05}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf}, language = {English}, urldate = {2020-01-06} } Gameover Zeus – Bad Guys and Backends
Gameover P2P
2013-10 ⋅ MALWARE Conference ⋅ Dennis Andriesse, Christian Rossow, Brett Stone-Gross, Daniel Plohmann, Herbert Bos
@techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_gameover_p2p_auto {

    /* Code-sequence signature for Gameover ZeuS (win.gameover_p2p), generated
     * by yara-signator: ten short x86 opcode sequences taken from the
     * disassembly of memory dumps / unpacked files (see DISCLAIMER below).
     * Operands that vary between builds (rel32 call/jmp targets after e8/e9,
     * the absolute import pointer after ff15, the a1 operand) are wildcarded
     * with `??`, so only opcodes and fixed immediates are matched.
     * The condition requires at least 7 of the 10 sequences, which tolerates a
     * few sequences being absent or rewritten in other builds while keeping a
     * coincidental match on a single sequence insufficient on its own.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (2019-11-26) postdates `malpedia_version`
        // (20190204); presumably rule generation date vs. Malpedia data
        // snapshot — confirm against the generator.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // In the per-sequence comments, `n` is the number of instructions in
        // the sequence; `score` is the generator's ranking value (semantics
        // not documented here — all sequences carry 100).
        $sequence_0 = { e9???????? 8d4c2410 e8???????? 8bf0 85f6 74ea }
            // n = 6, score = 100
            //   e9????????           |                     
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   74ea                 | je                  0xffffffec

        // NOTE(review): the fixed 32-bit immediate 0x2399210 below (and the
        // 0x239xxxx / 0x23cxxxx values in $sequence_5, $sequence_7 and
        // $sequence_8) look like absolute addresses inside the analysed
        // image; a sample mapped at a different base or with relocations
        // applied would differ in those bytes. The 7-of-10 condition absorbs
        // some of this, but weigh hits/misses on these sequences accordingly.
        $sequence_1 = { 6a10 8d4108 50 6810923902 ff15???????? 83c40c f7d8 }
            // n = 7, score = 100
            //   6a10                 | push                0x10
            //   8d4108               | lea                 eax, [ecx + 8]
            //   50                   | push                eax
            //   6810923902           | push                0x2399210
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   f7d8                 | neg                 eax

        $sequence_2 = { 8bce e8???????? 8d8590faffff 686c050000 6a00 50 ff15???????? }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8d8590faffff         | lea                 eax, [ebp - 0x570]
            //   686c050000           | push                0x56c
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 0f8566020000 ff742430 8bcf e8???????? 8b442418 8a58ff }
            // n = 6, score = 100
            //   0f8566020000         | jne                 0x26c
            //   ff742430             | push                dword ptr [esp + 0x30]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8a58ff               | mov                 bl, byte ptr [eax - 1]

        // Four generic register-setup instructions with no immediates or
        // wildcards: likely low-specificity on its own, it only contributes
        // as one of the seven required matches.
        $sequence_4 = { 33db 57 8be9 8bfa }
            // n = 4, score = 100
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   8be9                 | mov                 ebp, ecx
            //   8bfa                 | mov                 edi, edx

        $sequence_5 = { 56 68a0543c02 50 50 ff15???????? 8bf8 85ff }
            // n = 7, score = 100
            //   56                   | push                esi
            //   68a0543c02           | push                0x23c54a0
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_6 = { 730e 895108 6bd20c 83c104 e8???????? c20400 f644240401 }
            // n = 7, score = 100
            //   730e                 | jae                 0x10
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   6bd20c               | imul                edx, edx, 0xc
            //   83c104               | add                 ecx, 4
            //   e8????????           |                     
            //   c20400               | ret                 4
            //   f644240401           | test                byte ptr [esp + 4], 1

        $sequence_7 = { 66d3e2 660990b8160000 034df8 8988bc160000 8b1cbdb0213902 8b55fc }
            // n = 6, score = 100
            //   66d3e2               | shl                 dx, cl
            //   660990b8160000       | or                  word ptr [eax + 0x16b8], dx
            //   034df8               | add                 ecx, dword ptr [ebp - 8]
            //   8988bc160000         | mov                 dword ptr [eax + 0x16bc], ecx
            //   8b1cbdb0213902       | mov                 ebx, dword ptr [edi*4 + 0x23921b0]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_8 = { 53 e8???????? 50 68d87b3902 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   50                   | push                eax
            //   68d87b3902           | push                0x2397bd8

        $sequence_9 = { 837c240400 7506 83c8ff c20400 e9???????? 51 a1???????? }
            // n = 7, score = 100
            //   837c240400           | cmp                 dword ptr [esp + 4], 0
            //   7506                 | jne                 8
            //   83c8ff               | or                  eax, 0xffffffff
            //   c20400               | ret                 4
            //   e9????????           |                     
            //   51                   | push                ecx
            //   a1????????           |                     

    condition:
        // At least seven of the ten $sequence_* strings, anywhere in the
        // scanned data. No filesize, PE-header or module constraint is
        // applied; since the sequences come from unpacked code / memory
        // dumps, packed on-disk samples are unlikely to match.
        7 of them
}