Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.
rule win_gootkit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { f7f1 81c260ea0000 52 ff15???????? } // n = 4, score = 1900 // f7f1 | div ecx // 81c260ea0000 | add edx, 0xea60 // 52 | push edx // ff15???????? | $sequence_1 = { 53 57 8955f4 8bd9 } // n = 4, score = 1600 // 53 | push ebx // 57 | push edi // 8955f4 | mov dword ptr [ebp - 0xc], edx // 8bd9 | mov ebx, ecx $sequence_2 = { 6800040000 ff15???????? 8bf0 85f6 7419 8d45fc } // n = 6, score = 1600 // 6800040000 | push 0x400 // ff15???????? | // 8bf0 | mov esi, eax // 85f6 | test esi, esi // 7419 | je 0x1b // 8d45fc | lea eax, [ebp - 4] $sequence_3 = { 8b4dfc 83c602 8b45f8 83c104 40 894dfc 8945f8 } // n = 7, score = 1600 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 83c602 | add esi, 2 // 8b45f8 | mov eax, dword ptr [ebp - 8] // 83c104 | add ecx, 4 // 40 | inc eax // 894dfc | mov dword ptr [ebp - 4], ecx // 8945f8 | mov dword ptr [ebp - 8], eax $sequence_4 = { 8d4e08 8b75e4 0fb701 8bd8 } // n = 4, score = 1600 // 8d4e08 | lea ecx, [esi + 8] // 8b75e4 | mov esi, dword ptr [ebp - 0x1c] // 0fb701 | movzx eax, word ptr [ecx] // 8bd8 | mov ebx, eax $sequence_5 = { 2bf1 75d5 8b5df0 8b5508 } // n = 4, score = 1600 // 2bf1 | sub esi, ecx // 75d5 | jne 0xffffffd7 // 8b5df0 | mov ebx, dword ptr [ebp - 0x10] // 8b5508 | mov edx, dword ptr [ebp + 8] $sequence_6 = { 2bc6 8bce 8bd0 e8???????? 8945f8 } // n = 5, score = 1600 // 2bc6 | sub eax, esi // 8bce | mov ecx, esi // 8bd0 | mov edx, eax // e8???????? | // 8945f8 | mov dword ptr [ebp - 8], eax $sequence_7 = { 8bce e8???????? 59 85c0 0f84af000000 2bc6 8bce } // n = 7, score = 1600 // 8bce | mov ecx, esi // e8???????? | // 59 | pop ecx // 85c0 | test eax, eax // 0f84af000000 | je 0xb5 // 2bc6 | sub eax, esi // 8bce | mov ecx, esi $sequence_8 = { 52 50 8b4510 99 52 50 8b450c } // n = 7, score = 1300 // 52 | push edx // 50 | push eax // 8b4510 | mov eax, dword ptr [ebp + 0x10] // 99 | cdq // 52 | push edx // 50 | push eax // 8b450c | mov eax, dword ptr [ebp + 0xc] $sequence_9 = { f3aa 68???????? ff15???????? 50 } // n = 4, score = 1200 // f3aa | rep stosb byte ptr es:[edi], al // 68???????? | // ff15???????? | // 50 | push eax $sequence_10 = { 8b7df4 32c0 8b4de4 f3aa } // n = 4, score = 1200 // 8b7df4 | mov edi, dword ptr [ebp - 0xc] // 32c0 | xor al, al // 8b4de4 | mov ecx, dword ptr [ebp - 0x1c] // f3aa | rep stosb byte ptr es:[edi], al $sequence_11 = { 50 e8???????? 83c40c 68fd000000 } // n = 4, score = 1100 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 68fd000000 | push 0xfd $sequence_12 = { 68???????? ff15???????? 85c0 7405 e8???????? } // n = 5, score = 1000 // 68???????? | // ff15???????? | // 85c0 | test eax, eax // 7405 | je 7 // e8???????? | $sequence_13 = { 7514 c705????????01000000 c705????????02000000 8be5 } // n = 4, score = 900 // 7514 | jne 0x16 // c705????????01000000 | // c705????????02000000 | // 8be5 | mov esp, ebp $sequence_14 = { 50 8b4508 8b00 99 } // n = 4, score = 900 // 50 | push eax // 8b4508 | mov eax, dword ptr [ebp + 8] // 8b00 | mov eax, dword ptr [eax] // 99 | cdq $sequence_15 = { c705????????02000000 8be5 5d c3 55 8bec } // n = 6, score = 900 // c705????????02000000 | // 8be5 | mov esp, ebp // 5d | pop ebp // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp $sequence_16 = { e8???????? 6a0c 6a08 ff15???????? } // n = 4, score = 700 // e8???????? | // 6a0c | push 0xc // 6a08 | push 8 // ff15???????? | $sequence_17 = { 68???????? 51 51 ff15???????? 50 } // n = 5, score = 300 // 68???????? | // 51 | push ecx // 51 | push ecx // ff15???????? | // 50 | push eax $sequence_18 = { 53 53 53 8901 } // n = 4, score = 300 // 53 | push ebx // 53 | push ebx // 53 | push ebx // 8901 | mov dword ptr [ecx], eax $sequence_19 = { 807e0125 754c 8b5e02 8d45e4 6a1c 50 } // n = 6, score = 200 // 807e0125 | cmp byte ptr [esi + 1], 0x25 // 754c | jne 0x4e // 8b5e02 | mov ebx, dword ptr [esi + 2] // 8d45e4 | lea eax, [ebp - 0x1c] // 6a1c | push 0x1c // 50 | push eax $sequence_20 = { ffd7 8bf0 8d4602 50 } // n = 4, score = 200 // ffd7 | call edi // 8bf0 | mov esi, eax // 8d4602 | lea eax, [esi + 2] // 50 | push eax $sequence_21 = { 0f104860 0f114750 0f114f60 b801000000 } // n = 4, score = 200 // 0f104860 | movups xmm1, xmmword ptr [eax + 0x60] // 0f114750 | movups xmmword ptr [edi + 0x50], xmm0 // 0f114f60 | movups xmmword ptr [edi + 0x60], xmm1 // b801000000 | mov eax, 1 $sequence_22 = { 7414 57 8bce e8???????? 56 8b35???????? ffd6 } // n = 7, score = 200 // 7414 | je 0x16 // 57 | push edi // 8bce | mov ecx, esi // e8???????? | // 56 | push esi // 8b35???????? | // ffd6 | call esi $sequence_23 = { 0f104060 0f114760 8b4070 894770 be01000000 ff15???????? } // n = 6, score = 200 // 0f104060 | movups xmm0, xmmword ptr [eax + 0x60] // 0f114760 | movups xmmword ptr [edi + 0x60], xmm0 // 8b4070 | mov eax, dword ptr [eax + 0x70] // 894770 | mov dword ptr [edi + 0x70], eax // be01000000 | mov esi, 1 // ff15???????? | $sequence_24 = { 53 56 57 8d8558feffff 8955ec } // n = 5, score = 200 // 53 | push ebx // 56 | push esi // 57 | push edi // 8d8558feffff | lea eax, [ebp - 0x1a8] // 8955ec | mov dword ptr [ebp - 0x14], edx $sequence_25 = { 0f104010 0f110f 0f104820 0f114710 0f104030 0f114f20 0f104840 } // n = 7, score = 200 // 0f104010 | movups xmm0, xmmword ptr [eax + 0x10] // 0f110f | movups xmmword ptr [edi], xmm1 // 0f104820 | movups xmm1, xmmword ptr [eax + 0x20] // 0f114710 | movups xmmword ptr [edi + 0x10], xmm0 // 0f104030 | movups xmm0, xmmword ptr [eax + 0x30] // 0f114f20 | movups xmmword ptr [edi + 0x20], xmm1 // 0f104840 | movups xmm1, xmmword ptr [eax + 0x40] $sequence_26 = { 50 ff15???????? ba???????? 8935???????? 8935???????? } // n = 5, score = 200 // 50 | push eax // ff15???????? | // ba???????? | // 8935???????? | // 8935???????? | $sequence_27 = { 7510 8d4864 ff15???????? ffc3 83fb0a } // n = 5, score = 200 // 7510 | jne 0x12 // 8d4864 | lea ecx, [eax + 0x64] // ff15???????? | // ffc3 | inc ebx // 83fb0a | cmp ebx, 0xa $sequence_28 = { 85c0 7550 ff15???????? 8bf8 893d???????? } // n = 5, score = 200 // 85c0 | test eax, eax // 7550 | jne 0x52 // ff15???????? | // 8bf8 | mov edi, eax // 893d???????? | $sequence_29 = { 0f104030 0f114f20 0f104840 0f114730 0f104050 0f114f40 0f104860 } // n = 7, score = 200 // 0f104030 | movups xmm0, xmmword ptr [eax + 0x30] // 0f114f20 | movups xmmword ptr [edi + 0x20], xmm1 // 0f104840 | movups xmm1, xmmword ptr [eax + 0x40] // 0f114730 | movups xmmword ptr [edi + 0x30], xmm0 // 0f104050 | movups xmm0, xmmword ptr [eax + 0x50] // 0f114f40 | movups xmmword ptr [edi + 0x40], xmm1 // 0f104860 | movups xmm1, xmmword ptr [eax + 0x60] $sequence_30 = { ffc3 83fb0a 7cd5 33c0 } // n = 4, score = 200 // ffc3 | inc ebx // 83fb0a | cmp ebx, 0xa // 7cd5 | jl 0xffffffd7 // 33c0 | xor eax, eax $sequence_31 = { b9???????? e8???????? 3935???????? 7412 83ec0c ba???????? b9???????? } // n = 7, score = 200 // b9???????? | // e8???????? | // 3935???????? | // 7412 | je 0x14 // 83ec0c | sub esp, 0xc // ba???????? | // b9???????? | $sequence_32 = { ff15???????? 8bd0 83fa01 7e18 } // n = 4, score = 200 // ff15???????? | // 8bd0 | mov edx, eax // 83fa01 | cmp edx, 1 // 7e18 | jle 0x1a condition: 7 of them and filesize < 516096 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY