win.gameover_p2p

Gameover P2P

aka: GOZ, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover ZeuS has largely been used for banking fraud and for distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2017-03-21 — Wired — Garrett M. Graff
@online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } Inside the Hunt for Russia's Most Notorious Hacker
Gameover P2P
2015-12 — CERT.PL — CERT.PL
@techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } ZeuS-P2P monitoring and analysis
Gameover P2P
2015-08-05 — Black Hat — Michael Sandee, Tillmann Werner, Elliott Peterson
@techreport{sandee:20150805:gameover:fa47096, author = {Michael Sandee and Tillmann Werner and Elliott Peterson}, title = {{Gameover Zeus – Bad Guys and Backends}}, date = {2015-08-05}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf}, language = {English}, urldate = {2020-01-06} } Gameover Zeus – Bad Guys and Backends
Gameover P2P
2015-02-06 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-14 — Symantec — Symantec Security Response
@online{response:20141014:security:81c5ea5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-04-21} } Security vendors take action against Hidden Lynx malware
Gameover P2P HiKit Shylock Aurora Panda
2013-10 — MALWARE Conference — Dennis Andriesse, Christian Rossow, Brett Stone-Gross, Daniel Plohmann, Herbert Bos
@techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_gameover_p2p_auto {
    // Detects Gameover P2P (aka GOZ / ZeuS P2P) samples by matching short x86
    // code fragments that yara-signator extracted from the disassembly of
    // unpacked Malpedia reference samples. The fragments were chosen by the
    // tool, not by an analyst; see the DISCLAIMER below for what that means
    // for coverage of other builds of the family.

    // Rule provenance. malpedia_hash identifies the Malpedia data snapshot the
    // rule was generated from; malpedia_rule_date / malpedia_version date that
    // snapshot (20200529), while `date` is the generation day.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of consecutive instruction bytes. A
    // `??` wildcard matches any byte; here the wildcards cover the 4-byte
    // operands of call (e8), push-immediate (68) and mov-immediate (ba/b9)
    // instructions, whose disassembly column is deliberately left blank —
    // presumably because those operands are addresses that differ between
    // builds (TODO confirm against the yara-signator docs). The
    // "n = ..., score = ..." lines are tool annotations: n is the number of
    // instructions in the sequence; the meaning of score is not documented
    // on this page.
    strings:
        $sequence_0 = { 85ff 7e17 8b54240c 57 8d0411 50 52 }
            // n = 7, score = 100
            //   85ff                 | test                edi, edi
            //   7e17                 | jle                 0x19
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   57                   | push                edi
            //   8d0411               | lea                 eax, [ecx + edx]
            //   50                   | push                eax
            //   52                   | push                edx

        $sequence_1 = { 85ff 0f841a010000 8d55c4 b9d3000000 e8???????? 8d5594 6a22 }
            // n = 7, score = 100
            //   85ff                 | test                edi, edi
            //   0f841a010000         | je                  0x120
            //   8d55c4               | lea                 edx, [ebp - 0x3c]
            //   b9d3000000           | mov                 ecx, 0xd3
            //   e8????????           |                     
            //   8d5594               | lea                 edx, [ebp - 0x6c]
            //   6a22                 | push                0x22

        $sequence_2 = { 8906 e8???????? 84c0 743e 8b07 8a4801 }
            // n = 6, score = 100
            //   8906                 | mov                 dword ptr [esi], eax
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   743e                 | je                  0x40
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8a4801               | mov                 cl, byte ptr [eax + 1]

        $sequence_3 = { 48 7405 83c8ff eb70 8b4d10 56 8b7508 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   7405                 | je                  7
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb70                 | jmp                 0x72
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_4 = { ffd7 6a38 8d54241c 59 8bf8 }
            // n = 5, score = 100
            //   ffd7                 | call                edi
            //   6a38                 | push                0x38
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   59                   | pop                 ecx
            //   8bf8                 | mov                 edi, eax

        $sequence_5 = { 4a 33c9 85d2 7e12 3b7c2418 7322 8a440c20 }
            // n = 7, score = 100
            //   4a                   | dec                 edx
            //   33c9                 | xor                 ecx, ecx
            //   85d2                 | test                edx, edx
            //   7e12                 | jle                 0x14
            //   3b7c2418             | cmp                 edi, dword ptr [esp + 0x18]
            //   7322                 | jae                 0x24
            //   8a440c20             | mov                 al, byte ptr [esp + ecx + 0x20]

        $sequence_6 = { b9a6000000 8d5588 e8???????? e8???????? 8bc8 e8???????? }
            // n = 6, score = 100
            //   b9a6000000           | mov                 ecx, 0xa6
            //   8d5588               | lea                 edx, [ebp - 0x78]
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        // Only 2 of the 6 instructions here are concrete bytes (5e, 84c0); the
        // rest is wildcarded, so this sequence on its own is weak evidence and
        // relies on the "7 of them" threshold in the condition.
        $sequence_7 = { 5e 68???????? ba???????? b9???????? e8???????? 84c0 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   68????????           |                     
            //   ba????????           |                     
            //   b9????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        // Contains an absolute data reference (0x2399098) baked into the
        // pattern; a build with a different image base or layout would not
        // match this sequence.
        $sequence_8 = { c1e104 0bc1 88542424 8a4c2424 8a8098903902 8b542418 83c303 }
            // n = 7, score = 100
            //   c1e104               | shl                 ecx, 4
            //   0bc1                 | or                  eax, ecx
            //   88542424             | mov                 byte ptr [esp + 0x24], dl
            //   8a4c2424             | mov                 cl, byte ptr [esp + 0x24]
            //   8a8098903902         | mov                 al, byte ptr [eax + 0x2399098]
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   83c303               | add                 ebx, 3

        $sequence_9 = { 84c0 0f84a7020000 33db 43 }
            // n = 4, score = 100
            //   84c0                 | test                al, al
            //   0f84a7020000         | je                  0x2ad
            //   33db                 | xor                 ebx, ebx
            //   43                   | inc                 ebx

    // Fires when at least 7 of the 10 sequences are present and the scanned
    // file is smaller than 598016 bytes (584 KiB). The size bound limits
    // false positives on large binaries that happen to contain a few of the
    // short fragments. NOTE(review): YARA's `filesize` is undefined when
    // scanning process memory, so the rule is intended for file/dump scanning
    // and may not fire on live processes — confirm for your deployment.
    condition:
        7 of them and filesize < 598016
}