Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.
rule win_gootkit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { f7f1 81c260ea0000 52 ff15???????? } // n = 4, score = 2000 // f7f1 | div ecx // 81c260ea0000 | add edx, 0xea60 // 52 | push edx // ff15???????? | $sequence_1 = { 137de0 eb06 8b7dd8 8b75d4 } // n = 4, score = 1700 // 137de0 | adc edi, dword ptr [ebp - 0x20] // eb06 | jmp 8 // 8b7dd8 | mov edi, dword ptr [ebp - 0x28] // 8b75d4 | mov esi, dword ptr [ebp - 0x2c] $sequence_2 = { 7510 33c9 41 e8???????? 8ad8 f6db 1adb } // n = 7, score = 1700 // 7510 | jne 0x12 // 33c9 | xor ecx, ecx // 41 | inc ecx // e8???????? | // 8ad8 | mov bl, al // f6db | neg bl // 1adb | sbb bl, bl $sequence_3 = { 0fb75738 8bf0 8b4f3c d1ea } // n = 4, score = 1700 // 0fb75738 | movzx edx, word ptr [edi + 0x38] // 8bf0 | mov esi, eax // 8b4f3c | mov ecx, dword ptr [edi + 0x3c] // d1ea | shr edx, 1 $sequence_4 = { 50 ffd6 ff75ec 6a00 ff15???????? 50 ffd6 } // n = 7, score = 1700 // 50 | push eax // ffd6 | call esi // ff75ec | push dword ptr [ebp - 0x14] // 6a00 | push 0 // ff15???????? | // 50 | push eax // ffd6 | call esi $sequence_5 = { 8bd6 8bcb e8???????? 53 6a00 8945fc } // n = 6, score = 1700 // 8bd6 | mov edx, esi // 8bcb | mov ecx, ebx // e8???????? | // 53 | push ebx // 6a00 | push 0 // 8945fc | mov dword ptr [ebp - 4], eax $sequence_6 = { ff75f8 ff15???????? 8bd8 85db 7431 3bfb 752d } // n = 7, score = 1700 // ff75f8 | push dword ptr [ebp - 8] // ff15???????? | // 8bd8 | mov ebx, eax // 85db | test ebx, ebx // 7431 | je 0x33 // 3bfb | cmp edi, ebx // 752d | jne 0x2f $sequence_7 = { 895df8 0fb74314 8d7b18 0fb75b06 03f8 33f6 } // n = 6, score = 1700 // 895df8 | mov dword ptr [ebp - 8], ebx // 0fb74314 | movzx eax, word ptr [ebx + 0x14] // 8d7b18 | lea edi, [ebx + 0x18] // 0fb75b06 | movzx ebx, word ptr [ebx + 6] // 03f8 | add edi, eax // 33f6 | xor esi, esi $sequence_8 = { 52 50 8b4510 99 52 50 8b450c } // n = 7, score = 1400 // 52 | push edx // 50 | push eax // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 99 | cdq // 52 | push edx // 50 | push eax // 8b450c | mov eax, dword ptr [ebp + 0xc] $sequence_9 = { f3aa 68???????? ff15???????? 50 } // n = 4, score = 1200 // f3aa | rep stosb byte ptr es:[edi], al // 68???????? | // ff15???????? | // 50 | push eax $sequence_10 = { 8b7df4 32c0 8b4de4 f3aa } // n = 4, score = 1200 // 8b7df4 | mov edi, dword ptr [ebp - 0xc] // 32c0 | xor al, al // 8b4de4 | mov ecx, dword ptr [ebp - 0x1c] // f3aa | rep stosb byte ptr es:[edi], al $sequence_11 = { 68???????? ff15???????? 85c0 7405 e8???????? } // n = 5, score = 1100 // 68???????? | // ff15???????? | // 85c0 | test eax, eax // 7405 | je 7 // e8???????? | $sequence_12 = { 50 e8???????? 83c40c 68fd000000 } // n = 4, score = 1100 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 68fd000000 | push 0xfd $sequence_13 = { 8b4508 8b00 99 52 } // n = 4, score = 1000 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b00 | mov eax, dword ptr [eax] // 99 | cdq // 52 | push edx $sequence_14 = { c705????????02000000 8be5 5d c3 55 8bec } // n = 6, score = 900 // c705????????02000000 | // 8be5 | mov esp, ebp // 5d | pop ebp // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp $sequence_15 = { 7514 c705????????01000000 c705????????02000000 8be5 } // n = 4, score = 900 // 7514 | jne 0x16 // c705????????01000000 | // c705????????02000000 | // 8be5 | mov esp, ebp $sequence_16 = { e8???????? 6a0c 6a08 ff15???????? 50 } // n = 5, score = 800 // e8???????? | // 6a0c | push 0xc // 6a08 | push 8 // ff15???????? | // 50 | push eax $sequence_17 = { 53 53 53 8901 } // n = 4, score = 300 // 53 | push ebx // 53 | push ebx // 53 | push ebx // 8901 | mov dword ptr [ecx], eax $sequence_18 = { 0f114f50 0f104060 0f114760 8b4070 894770 be01000000 } // n = 6, score = 200 // 0f114f50 | movups xmmword ptr [edi + 0x50], xmm1 // 0f104060 | movups xmm0, xmmword ptr [eax + 0x60] // 0f114760 | movups xmmword ptr [edi + 0x60], xmm0 // 8b4070 | mov eax, dword ptr [eax + 0x70] // 894770 | mov dword ptr [edi + 0x70], eax // be01000000 | mov esi, 1 $sequence_19 = { ff15???????? 8bd0 83fa01 7e18 } // n = 4, score = 200 // ff15???????? | // 8bd0 | mov edx, eax // 83fa01 | cmp edx, 1 // 7e18 | jle 0x1a $sequence_20 = { ffc3 83fb0a 7cd5 33c0 } // n = 4, score = 200 // ffc3 | inc ebx // 83fb0a | cmp ebx, 0xa // 7cd5 | jl 0xffffffd7 // 33c0 | xor eax, eax $sequence_21 = { 0f104010 0f110f 0f104820 0f114710 0f104030 0f114f20 0f104840 } // n = 7, score = 200 // 0f104010 | movups xmm0, xmmword ptr [eax + 0x10] // 0f110f | movups xmmword ptr [edi], xmm1 // 0f104820 | movups xmm1, xmmword ptr [eax + 0x20] // 0f114710 | movups xmmword ptr [edi + 0x10], xmm0 // 0f104030 | movups xmm0, xmmword ptr [eax + 0x30] // 0f114f20 | movups xmmword ptr [edi + 0x20], xmm1 // 0f104840 | movups xmm1, xmmword ptr [eax + 0x40] $sequence_22 = { 83faff 7508 ff15???????? 8bd0 } // n = 4, score = 200 // 83faff | cmp edx, -1 // 7508 | jne 0xa // ff15???????? | // 8bd0 | mov edx, eax $sequence_23 = { 0f104860 0f114750 0f114f60 b801000000 } // n = 4, score = 200 // 0f104860 | movups xmm1, xmmword ptr [eax + 0x60] // 0f114750 | movups xmmword ptr [edi + 0x50], xmm0 // 0f114f60 | movups xmmword ptr [edi + 0x60], xmm1 // b801000000 | mov eax, 1 $sequence_24 = { 55 8bec 837d1010 7508 8b4d0c } // n = 5, score = 200 // 55 | push ebp // 8bec | mov ebp, esp // 837d1010 | cmp dword ptr [ebp + 0x10], 0x10 // 7508 | jne 0xa // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] $sequence_25 = { 85c0 7510 8d4864 ff15???????? } // n = 4, score = 200 // 85c0 | test eax, eax // 7510 | jne 0x12 // 8d4864 | lea ecx, [eax + 0x64] // ff15???????? | $sequence_26 = { 3bc8 7344 2bca 898de4fdffff } // n = 4, score = 200 // 3bc8 | cmp ecx, eax // 7344 | jae 0x46 // 2bca | sub ecx, edx // 898de4fdffff | mov dword ptr [ebp - 0x21c], ecx $sequence_27 = { 8d4dd0 e8???????? 5f 5e 8be5 } // n = 5, score = 200 // 8d4dd0 | lea ecx, [ebp - 0x30] // e8???????? | // 5f | pop edi // 5e | pop esi // 8be5 | mov esp, ebp $sequence_28 = { 8d852cfdffff 898de4fdffff 50 ff7704 ffd3 } // n = 5, score = 200 // 8d852cfdffff | lea eax, [ebp - 0x2d4] // 898de4fdffff | mov dword ptr [ebp - 0x21c], ecx // 50 | push eax // ff7704 | push dword ptr [edi + 4] // ffd3 | call ebx $sequence_29 = { 0f114730 0f104050 0f114f40 0f104860 } // n = 4, score = 200 // 0f114730 | movups xmmword ptr [edi + 0x30], xmm0 // 0f104050 | movups xmm0, xmmword ptr [eax + 0x50] // 0f114f40 | movups xmmword ptr [edi + 0x40], xmm1 // 0f104860 | movups xmm1, xmmword ptr [eax + 0x60] $sequence_30 = { 3bca 724b 8d4204 3bc8 } // n = 4, score = 200 // 3bca | cmp ecx, edx // 724b | jb 0x4d // 8d4204 | lea eax, [edx + 4] // 3bc8 | cmp ecx, eax $sequence_31 = { 8a06 3cff 7552 807e0125 754c } // n = 5, score = 200 // 8a06 | mov al, byte ptr [esi] // 3cff | cmp al, 0xff // 7552 | jne 0x54 // 807e0125 | cmp byte ptr [esi + 1], 0x25 // 754c | jne 0x4e $sequence_32 = { 3bd8 7323 8b33 eb19 3ce9 } // n = 5, score = 200 // 3bd8 | cmp ebx, eax // 7323 | jae 0x25 // 8b33 | mov esi, dword ptr [ebx] // eb19 | jmp 0x1b // 3ce9 | cmp al, 0xe9 $sequence_33 = { 7235 8b82dc000000 0382d8000000 03c1 3bd8 7323 } // n = 6, score = 200 // 7235 | jb 0x37 // 8b82dc000000 | mov eax, dword ptr [edx + 0xdc] // 0382d8000000 | add eax, dword ptr [edx + 0xd8] // 03c1 | add eax, ecx // 3bd8 | cmp ebx, eax // 7323 | jae 0x25 $sequence_34 = { 885dd0 8945fc 895df8 885de8 } // n = 4, score = 100 // 885dd0 | mov byte ptr [ebp - 0x30], bl // 8945fc | mov dword ptr [ebp - 4], eax // 895df8 | mov dword ptr [ebp - 8], ebx // 885de8 | mov byte ptr [ebp - 0x18], bl $sequence_35 = { 55 57 ff15???????? 89442414 85c0 75c4 } // n = 6, score = 100 // 55 | push ebp // 57 | push edi // ff15???????? | // 89442414 | mov dword ptr [esp + 0x14], eax // 85c0 | test eax, eax // 75c4 | jne 0xffffffc6 $sequence_36 = { 56 ff74240c ff742418 e8???????? 83c40c } // n = 5, score = 100 // 56 | push esi // ff74240c | push dword ptr [esp + 0xc] // ff742418 | push dword ptr [esp + 0x18] // e8???????? | // 83c40c | add esp, 0xc $sequence_37 = { 33db 56 57 ff742418 8b4c2420 53 } // n = 6, score = 100 // 33db | xor ebx, ebx // 56 | push esi // 57 | push edi // ff742418 | push dword ptr [esp + 0x18] // 8b4c2420 | mov ecx, dword ptr [esp + 0x20] // 53 | push ebx $sequence_38 = { c20400 8b01 56 8b742408 83660400 } // n = 5, score = 100 // c20400 | ret 4 // 8b01 | mov eax, dword ptr [ecx] // 56 | push esi // 8b742408 | mov esi, dword ptr [esp + 8] // 83660400 | and dword ptr [esi + 4], 0 $sequence_39 = { c20800 55 8bec 56 ff7508 8b750c 56 } // n = 7, score = 100 // c20800 | ret 8 // 55 | push ebp // 8bec | mov ebp, esp // 56 | push esi // ff7508 | push dword ptr [ebp + 8] // 8b750c | mov esi, dword ptr [ebp + 0xc] // 56 | push esi $sequence_40 = { e8???????? 8b4c2410 83c702 8803 } // n = 4, score = 100 // e8???????? | // 8b4c2410 | mov ecx, dword ptr [esp + 0x10] // 83c702 | add edi, 2 // 8803 | mov byte ptr [ebx], al condition: 7 of them and filesize < 527360 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY