SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gameover_p2p (Back to overview)

Gameover P2P

aka: GOZ, Mapp, ZeuS P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

References
2023-08-23Zeus MuseumDennis Schwarz
@online{schwarz:20230823:historical:eca3b13, author = {Dennis Schwarz}, title = {{Historical Gameover Deep Dive}}, date = {2023-08-23}, organization = {Zeus Museum}, url = {https://nbviewer.org/github/tildedennis/zeusmuseum/blob/master/jupyter_notebooks/gameover/2014-05-28/Gameover%20version%202014-05-28.ipynb}, language = {English}, urldate = {2023-08-24} } Historical Gameover Deep Dive
Gameover P2P
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2021-09-09Recorded FutureInsikt Group
@techreport{group:20210909:dark:cd6bb6a, author = {Insikt Group}, title = {{Dark Covenant: Connections Between the Russian State and Criminal Actors}}, date = {2021-09-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf}, language = {English}, urldate = {2021-09-10} } Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-06-08Intel 471Intel 471
@online{471:20210608:blurry:5b278e5, author = {Intel 471}, title = {{The blurry boundaries between nation-state actors and the cybercrime underground}}, date = {2021-06-08}, organization = {Intel 471}, url = {https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state}, language = {English}, urldate = {2021-06-16} } The blurry boundaries between nation-state actors and the cybercrime underground
Dridex Gameover P2P
2021-02-08Lawfare BlogDavid Hechler
@online{hechler:20210208:what:f742cf1, author = {David Hechler}, title = {{What Is the Point of These Nation-State Indictments?}}, date = {2021-02-08}, organization = {Lawfare Blog}, url = {https://www.lawfareblog.com/what-point-these-nation-state-indictments}, language = {English}, urldate = {2021-02-18} } What Is the Point of These Nation-State Indictments?
Gameover P2P Nymaim
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2019-12-19KrebsOnSecurityBrian Krebs
@online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2017-05-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20170515:evolution:d0e74ea, author = {Counter Threat Unit ResearchTeam}, title = {{Evolution of the GOLD EVERGREEN Threat Group}}, date = {2017-05-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group}, language = {English}, urldate = {2021-05-28} } Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN
2017-03-21WiredGarrett M. Graff
@online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } Inside the Hunt for Russia's Most Notorious Hacker
Gameover P2P
2017-03-21WiredGarrett M. Graff, Chad Hagen
@online{graff:20170321:inside:3dc9a2d, author = {Garrett M. Graff and Chad Hagen}, title = {{Inside the Hunt for Russia’s Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/2017/03/russian-hacker-spy-botnet/}, language = {English}, urldate = {2021-07-20} } Inside the Hunt for Russia’s Most Notorious Hacker
Gameover P2P Murofet Zeus
2015-12CERT.PLCERT.PL
@techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } ZeuS-P2P monitoring and analysis
Gameover P2P
2015-08-05Black HatMichael Sandee, Tillmann Werner, Elliott Peterson
@techreport{sandee:20150805:gameover:fa47096, author = {Michael Sandee and Tillmann Werner and Elliott Peterson}, title = {{Gameover Zeus – Bad Guys and Backends}}, date = {2015-08-05}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf}, language = {English}, urldate = {2020-01-06} } Gameover Zeus – Bad Guys and Backends
Gameover P2P
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-14SymantecSymantec Security Response
@online{response:20141014:security:81c5ea5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-04-21} } Security vendors take action against Hidden Lynx malware
Gameover P2P HiKit Shylock APT17
2013-10MALWARE ConferenceDennis Andriesse, Christian Rossow, Brett Stone-Gross, Daniel Plohmann, Herbert Bos
@techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus
Gameover P2P
Yara Rules
[TLP:WHITE] win_gameover_p2p_auto (20230808 | Detects win.gameover_p2p.)
rule win_gameover_p2p_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gameover_p2p."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b01 8975dc 85c0 740f ffb09c010000 8d45d4 50 }
            // n = 7, score = 100
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   ffb09c010000         | push                dword ptr [eax + 0x19c]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax

        $sequence_1 = { 8d873c010000 50 889f38010000 ffd6 }
            // n = 4, score = 100
            //   8d873c010000         | lea                 eax, [edi + 0x13c]
            //   50                   | push                eax
            //   889f38010000         | mov                 byte ptr [edi + 0x138], bl
            //   ffd6                 | call                esi

        $sequence_2 = { ba???????? 8d8d70fdffff e8???????? 85c0 0f95c0 84c0 7509 }
            // n = 7, score = 100
            //   ba????????           |                     
            //   8d8d70fdffff         | lea                 ecx, [ebp - 0x290]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f95c0               | setne               al
            //   84c0                 | test                al, al
            //   7509                 | jne                 0xb

        $sequence_3 = { 743f 53 8d442420 50 57 56 ff742428 }
            // n = 7, score = 100
            //   743f                 | je                  0x41
            //   53                   | push                ebx
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   50                   | push                eax
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff742428             | push                dword ptr [esp + 0x28]

        $sequence_4 = { 7769 8a442412 0fb6c0 668901 8a442413 0fb6c0 66894102 }
            // n = 7, score = 100
            //   7769                 | ja                  0x6b
            //   8a442412             | mov                 al, byte ptr [esp + 0x12]
            //   0fb6c0               | movzx               eax, al
            //   668901               | mov                 word ptr [ecx], ax
            //   8a442413             | mov                 al, byte ptr [esp + 0x13]
            //   0fb6c0               | movzx               eax, al
            //   66894102             | mov                 word ptr [ecx + 2], ax

        $sequence_5 = { 7415 ff770c 8d442418 51 }
            // n = 4, score = 100
            //   7415                 | je                  0x17
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   51                   | push                ecx

        $sequence_6 = { e8???????? 8bf8 689a000000 8bd3 8bce 897c242c }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   689a000000           | push                0x9a
            //   8bd3                 | mov                 edx, ebx
            //   8bce                 | mov                 ecx, esi
            //   897c242c             | mov                 dword ptr [esp + 0x2c], edi

        $sequence_7 = { b9a6000000 8d5588 e8???????? e8???????? 8bc8 e8???????? 8b750c }
            // n = 7, score = 100
            //   b9a6000000           | mov                 ecx, 0xa6
            //   8d5588               | lea                 edx, [ebp - 0x78]
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]

        $sequence_8 = { 85c0 7548 68???????? ff35???????? ffd6 85c0 7537 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7548                 | jne                 0x4a
            //   68????????           |                     
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7537                 | jne                 0x39

        $sequence_9 = { f3ab 33db 6818010000 66ab 8d842410010000 53 50 }
            // n = 7, score = 100
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   33db                 | xor                 ebx, ebx
            //   6818010000           | push                0x118
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   8d842410010000       | lea                 eax, [esp + 0x110]
            //   53                   | push                ebx
            //   50                   | push                eax

    condition:
        7 of them and filesize < 598016
}
Download all Yara Rules