Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.
rule win_gootkit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.gootkit." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b4dec 8d3c81 8bc7 5e eb02 } // n = 5, score = 1700 // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // 8d3c81 | lea edi, [ecx + eax*4] // 8bc7 | mov eax, edi // 5e | pop esi // eb02 | jmp 4 $sequence_1 = { 8d45f8 c745f804000000 50 33c9 } // n = 4, score = 1700 // 8d45f8 | lea eax, [ebp - 8] // c745f804000000 | mov dword ptr [ebp - 8], 4 // 50 | push eax // 33c9 | xor ecx, ecx $sequence_2 = { 6a00 8bce e8???????? 8b7dfc 59 59 } // n = 6, score = 1700 // 6a00 | push 0 // 8bce | mov ecx, esi // e8???????? | // 8b7dfc | mov edi, dword ptr [ebp - 4] // 59 | pop ecx // 59 | pop ecx $sequence_3 = { 8d45fc 50 56 ff15???????? f7d8 } // n = 5, score = 1700 // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // 56 | push esi // ff15???????? | // f7d8 | neg eax $sequence_4 = { 51 51 53 8b593c } // n = 4, score = 1700 // 51 | push ecx // 51 | push ecx // 53 | push ebx // 8b593c | mov ebx, dword ptr [ecx + 0x3c] $sequence_5 = { 8b593c 03d9 8955fc 56 } // n = 4, score = 1700 // 8b593c | mov ebx, dword ptr [ecx + 0x3c] // 03d9 | add ebx, ecx // 8955fc | mov dword ptr [ebp - 4], edx // 56 | push esi $sequence_6 = { 8b483c 8d51ff 035710 8d41ff f7d0 23d0 } // n = 6, score = 1700 // 8b483c | mov ecx, dword ptr [eax + 0x3c] // 8d51ff | lea edx, [ecx - 1] // 035710 | add edx, dword ptr [edi + 0x10] // 8d41ff | lea eax, [ecx - 1] // f7d0 | not eax // 23d0 | and edx, eax $sequence_7 = { 0f84af000000 2bc6 8bce 8bd0 e8???????? 8945f8 85c0 } // n = 7, score = 1700 // 0f84af000000 | je 0xb5 // 2bc6 | sub eax, esi // 8bce | mov ecx, esi // 8bd0 | mov edx, eax // e8???????? | // 8945f8 | mov dword ptr [ebp - 8], eax // 85c0 | test eax, eax $sequence_8 = { 52 50 8b4510 99 52 50 8b450c } // n = 7, score = 1400 // 52 | push edx // 50 | push eax // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 99 | cdq // 52 | push edx // 50 | push eax // 8b450c | mov eax, dword ptr [ebp + 0xc] $sequence_9 = { f3aa 68???????? ff15???????? 50 } // n = 4, score = 1200 // f3aa | rep stosb byte ptr es:[edi], al // 68???????? | // ff15???????? | // 50 | push eax $sequence_10 = { 8b7df4 32c0 8b4de4 f3aa } // n = 4, score = 1200 // 8b7df4 | mov edi, dword ptr [ebp - 0xc] // 32c0 | xor al, al // 8b4de4 | mov ecx, dword ptr [ebp - 0x1c] // f3aa | rep stosb byte ptr es:[edi], al $sequence_11 = { 50 68???????? ff15???????? 85c0 7505 e8???????? } // n = 6, score = 1100 // 50 | push eax // 68???????? | // ff15???????? | // 85c0 | test eax, eax // 7505 | jne 7 // e8???????? | $sequence_12 = { 50 e8???????? 83c40c 68fd000000 } // n = 4, score = 1100 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 68fd000000 | push 0xfd $sequence_13 = { 8b4508 8b00 99 52 } // n = 4, score = 1000 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b00 | mov eax, dword ptr [eax] // 99 | cdq // 52 | push edx $sequence_14 = { 7514 c705????????01000000 c705????????02000000 8be5 5d c3 } // n = 6, score = 900 // 7514 | jne 0x16 // c705????????01000000 | // c705????????02000000 | // 8be5 | mov esp, ebp // 5d | pop ebp // c3 | ret $sequence_15 = { e8???????? 6a0c 6a08 ff15???????? } // n = 4, score = 800 // e8???????? | // 6a0c | push 0xc // 6a08 | push 8 // ff15???????? | $sequence_16 = { 833d????????00 750a 6a32 ff15???????? } // n = 4, score = 800 // 833d????????00 | // 750a | jne 0xc // 6a32 | push 0x32 // ff15???????? | $sequence_17 = { 6808020000 6a00 ff15???????? 50 ff15???????? } // n = 5, score = 800 // 6808020000 | push 0x208 // 6a00 | push 0 // ff15???????? | // 50 | push eax // ff15???????? | $sequence_18 = { 8d45fc 50 6a01 6a01 6a00 6800000002 } // n = 6, score = 600 // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // 6a01 | push 1 // 6a01 | push 1 // 6a00 | push 0 // 6800000002 | push 0x2000000 $sequence_19 = { e8???????? 85c0 750c c705????????03000000 } // n = 4, score = 500 // e8???????? | // 85c0 | test eax, eax // 750c | jne 0xe // c705????????03000000 | $sequence_20 = { 53 53 53 8901 } // n = 4, score = 300 // 53 | push ebx // 53 | push ebx // 53 | push ebx // 8901 | mov dword ptr [ecx], eax $sequence_21 = { 68???????? 51 51 ff15???????? 50 } // n = 5, score = 300 // 68???????? | // 51 | push ecx // 51 | push ecx // ff15???????? | // 50 | push eax $sequence_22 = { 7550 ff15???????? 8bf8 893d???????? } // n = 4, score = 200 // 7550 | jne 0x52 // ff15???????? | // 8bf8 | mov edi, eax // 893d???????? | $sequence_23 = { 83ec0c ba???????? b9???????? e8???????? 3935???????? } // n = 5, score = 200 // 83ec0c | sub esp, 0xc // ba???????? | // b9???????? | // e8???????? | // 3935???????? | $sequence_24 = { 85c0 7510 8d4864 ff15???????? } // n = 4, score = 200 // 85c0 | test eax, eax // 7510 | jne 0x12 // 8d4864 | lea ecx, [eax + 0x64] // ff15???????? | $sequence_25 = { 50 ff15???????? ba???????? 8935???????? 8935???????? } // n = 5, score = 200 // 50 | push eax // ff15???????? | // ba???????? | // 8935???????? | // 8935???????? | $sequence_26 = { 8d45f4 50 8d55f8 8d4dfc } // n = 4, score = 200 // 8d45f4 | lea eax, [ebp - 0xc] // 50 | push eax // 8d55f8 | lea edx, [ebp - 8] // 8d4dfc | lea ecx, [ebp - 4] $sequence_27 = { 03d1 813a50450000 7541 8b82d8000000 03c1 3bd8 } // n = 6, score = 200 // 03d1 | add edx, ecx // 813a50450000 | cmp dword ptr [edx], 0x4550 // 7541 | jne 0x43 // 8b82d8000000 | mov eax, dword ptr [edx + 0xd8] // 03c1 | add eax, ecx // 3bd8 | cmp ebx, eax $sequence_28 = { 8b4c2434 ff15???????? 0fb74c2432 ff15???????? } // n = 4, score = 200 // 8b4c2434 | mov ecx, dword ptr [esp + 0x34] // ff15???????? | // 0fb74c2432 | movzx ecx, word ptr [esp + 0x32] // ff15???????? | $sequence_29 = { a3???????? 391d???????? 7428 85c0 7424 } // n = 5, score = 200 // a3???????? | // 391d???????? | // 7428 | je 0x2a // 85c0 | test eax, eax // 7424 | je 0x26 $sequence_30 = { ff15???????? ffc3 83fb0a 7cd5 33c0 } // n = 5, score = 200 // ff15???????? | // ffc3 | inc ebx // 83fb0a | cmp ebx, 0xa // 7cd5 | jl 0xffffffd7 // 33c0 | xor eax, eax $sequence_31 = { 0f110f 0f104820 0f114710 0f104030 0f114f20 0f104840 0f114730 } // n = 7, score = 200 // 0f110f | movups xmmword ptr [edi], xmm1 // 0f104820 | movups xmm1, xmmword ptr [eax + 0x20] // 0f114710 | movups xmmword ptr [edi + 0x10], xmm0 // 0f104030 | movups xmm0, xmmword ptr [eax + 0x30] // 0f114f20 | movups xmmword ptr [edi + 0x20], xmm1 // 0f104840 | movups xmm1, xmmword ptr [eax + 0x40] // 0f114730 | movups xmmword ptr [edi + 0x30], xmm0 $sequence_32 = { 0f114f50 0f104060 0f114760 8b4070 894770 be01000000 } // n = 6, score = 200 // 0f114f50 | movups xmmword ptr [edi + 0x50], xmm1 // 0f104060 | movups xmm0, xmmword ptr [eax + 0x60] // 0f114760 | movups xmmword ptr [edi + 0x60], xmm0 // 8b4070 | mov eax, dword ptr [eax + 0x70] // 894770 | mov dword ptr [edi + 0x70], eax // be01000000 | mov esi, 1 $sequence_33 = { 47 83ff02 7c89 5f } // n = 4, score = 200 // 47 | inc edi // 83ff02 | cmp edi, 2 // 7c89 | jl 0xffffff8b // 5f | pop edi $sequence_34 = { 0f114730 0f104050 0f114f40 0f104860 0f114750 0f114f60 b801000000 } // n = 7, score = 200 // 0f114730 | movups xmmword ptr [edi + 0x30], xmm0 // 0f104050 | movups xmm0, xmmword ptr [eax + 0x50] // 0f114f40 | movups xmmword ptr [edi + 0x40], xmm1 // 0f104860 | movups xmm1, xmmword ptr [eax + 0x60] // 0f114750 | movups xmmword ptr [edi + 0x50], xmm0 // 0f114f60 | movups xmmword ptr [edi + 0x60], xmm1 // b801000000 | mov eax, 1 $sequence_35 = { 750c 807b01ff 7506 807b0225 } // n = 4, score = 200 // 750c | jne 0xe // 807b01ff | cmp byte ptr [ebx + 1], 0xff // 7506 | jne 8 // 807b0225 | cmp byte ptr [ebx + 2], 0x25 condition: 7 of them and filesize < 516096 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY