win.gophe

Gophe


There is no description at this point.

References
2020-02-08 · FireEye · Michael Bailey
@online{bailey:20200208:reversing:b033cdc, author = {Michael Bailey}, title = {{Reversing the Gophe SPambot: Confronting COM Code and Surmounting STL Snags}}, date = {2020-02-08}, organization = {FireEye}, url = {https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville}, language = {English}, urldate = {2020-10-05} } Reversing the Gophe SPambot: Confronting COM Code and Surmounting STL Snags
Gophe
2015-10-08 · Proofpoint · Proofpoint Staff
@online{staff:20151008:dyre:7773d32, author = {Proofpoint Staff}, title = {{Dyre Malware Campaigners Innovate with Distribution Techniques}}, date = {2015-10-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques}, language = {English}, urldate = {2020-03-04} } Dyre Malware Campaigners Innovate with Distribution Techniques
Gophe
Yara Rules
[TLP:WHITE] win_gophe_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_gophe_auto {

    /* Autogenerated detection rule for the Gophe family (Malpedia id win.gophe).
     * The rule matches raw code byte sequences; the `//` lines under each
     * $sequence_N are generator-emitted disassembly annotations and are NOT
     * part of the rule logic.
     *
     * NOTE(review): the annotations are not reliably aligned with the bytes on
     * the same line. Several annotation columns describe the bytes of a
     * different sequence in this file (the annotations under $sequence_6 decode
     * the bytes of $sequence_0, those under $sequence_11 decode $sequence_4), and
     * within $sequence_12 they are offset by one line because the leading 0x45
     * byte was decoded as a separate instruction. Treat the hex byte strings as
     * authoritative and re-disassemble before drawing conclusions about the
     * code they match. Many sequences start with 0x41/0x45/0x48/0x4c, which the
     * annotations render as 32-bit `inc`/`dec`; if the sample is 64-bit these
     * are REX prefixes — confirm the bitness of the analysed sample.
     */

    /* Provenance metadata: who generated the rule, with which tool and
     * configuration, and from which Malpedia corpus state. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of consecutive instruction encodings taken from
     * the sample. `??` bytes are wildcards standing in for operands that vary
     * between builds or load addresses (e.g. the rel32 of e8 calls, the imm32
     * of 68 pushes, the ff15 indirect-call target); the annotation column is
     * intentionally blank on those lines. "n" is the instruction count and
     * "score" the generator's weighting for the sequence. */
    strings:
        // NOTE(review): bytes decode (32-bit) as inc ebp / xor eax, [ebx+0x18] /
        // inc ebp / xor edx, eax / inc ecx / mov eax, edx / shr eax, 0x10 — the
        // annotation lines below belong to a different sequence.
        $sequence_0 = { 45334318 4533d0 418bc2 c1e810 }
            // n = 4, score = 200
            //   45334318             | mov                 edx, dword ptr [ebx]
            //   4533d0               | jmp                 5
            //   418bc2               | dec                 eax
            //   c1e810               | mov                 edx, ebx

        $sequence_1 = { 488bcb 488d4310 488b18 488930 488b01 ba01000000 }
            // n = 6, score = 200
            //   488bcb               | mov                 edx, dword ptr [eax + 0x14]
            //   488d4310             | dec                 eax
            //   488b18               | test                esi, esi
            //   488930               | je                  0x11
            //   488b01               | mov                 dword ptr [esi], edx
            //   ba01000000           | ret                 

        // Two wildcarded call targets plus a wildcarded mov imm32, so only the
        // short-jump/ret skeleton (7407 / eb05 / c3) is matched literally.
        $sequence_2 = { 7407 e8???????? eb05 e8???????? b8???????? c3 }
            // n = 6, score = 200
            //   7407                 | mov                 eax, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   eb05                 | test                eax, eax
            //   e8????????           |                     
            //   b8????????           |                     
            //   c3                   | je                  0x11

        $sequence_3 = { 57 68???????? c70605000000 e8???????? 68???????? }
            // n = 5, score = 200
            //   57                   | push                eax
            //   68????????           |                     
            //   c70605000000         | pop                 esi
            //   e8????????           |                     
            //   68????????           |                     

        // NOTE(review): the annotation lines below decode the bytes of
        // $sequence_12's tail, not these bytes; see the annotations under
        // $sequence_11 for a decoding of this sequence.
        $sequence_4 = { 4c8b4310 4883f810 7205 488b0b }
            // n = 4, score = 200
            //   4c8b4310             | inc                 ebp
            //   4883f810             | xor                 eax, dword ptr [ebx + 0x40]
            //   7205                 | inc                 ebp
            //   488b0b               | xor                 edx, eax

        $sequence_5 = { 7518 488bce e8???????? ff4e1c b001 }
            // n = 5, score = 200
            //   7518                 | mov                 eax, dword ptr [ecx]
            //   488bce               | mov                 edx, 1
            //   e8????????           |                     
            //   ff4e1c               | jb                  7
            //   b001                 | dec                 eax

        // NOTE(review): the annotation lines below are a decoding of
        // $sequence_0's bytes, not of the bytes on each line here.
        $sequence_6 = { ff15???????? 83c408 894614 8b4614 85c0 740a }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   83c408               | inc                 ebp
            //   894614               | xor                 edx, eax
            //   8b4614               | inc                 ecx
            //   85c0                 | mov                 eax, edx
            //   740a                 | shr                 eax, 0x10

        $sequence_7 = { 668379300b 750d 6683793800 0f95842490000000 }
            // n = 4, score = 200
            //   668379300b           | mov                 eax, dword ptr [eax]
            //   750d                 | push                ecx
            //   6683793800           | push                0
            //   0f95842490000000     | add                 dword ptr [edi + 0x1c], esi

        $sequence_8 = { 5e 5d c3 e8???????? 8b4d10 }
            // n = 5, score = 200
            //   5e                   | test                al, al
            //   5d                   | je                  0xe
            //   c3                   | jmp                 0xe
            //   e8????????           |                     
            //   8b4d10               | cmp                 dword ptr [ecx], 2

        $sequence_9 = { c3 803b00 74f1 807b1000 }
            // n = 4, score = 200
            //   c3                   | mov                 ecx, dword ptr [ebx]
            //   803b00               | dec                 eax
            //   74f1                 | mov                 eax, dword ptr [edi]
            //   807b1000             | mov                 dword ptr [edi + 8], 0xffffffff

        // Very generic fragment (mov eax,[eax]; push ecx; push 0 x3); on its own
        // it would match much unrelated code, which is why the condition needs
        // several sequences to agree.
        $sequence_10 = { 8b00 51 6a00 6a00 6a00 }
            // n = 5, score = 200
            //   8b00                 | sete                al
            //   51                   | test                al, al
            //   6a00                 | je                  0xb
            //   6a00                 | cmp                 dword ptr [ecx], 2
            //   6a00                 | sete                al

        // NOTE(review): the annotation lines below are a decoding of
        // $sequence_4's bytes, not of the bytes on each line here.
        $sequence_11 = { e8???????? 488b07 c74708ffffffff 8b5014 4885f6 7402 8916 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488b07               | dec                 esp
            //   c74708ffffffff       | mov                 eax, dword ptr [ebx + 0x10]
            //   8b5014               | dec                 eax
            //   4885f6               | cmp                 eax, 0x10
            //   7402                 | jb                  0xb
            //   8916                 | dec                 eax

        // NOTE(review): annotations here are shifted down by one line relative
        // to the bytes (the leading 0x45 was decoded as a separate `inc ebp`).
        $sequence_12 = { 4533848b58080000 45038483580c0000 45334340 4533d0 }
            // n = 4, score = 200
            //   4533848b58080000     | inc                 ebp
            //   45038483580c0000     | xor                 eax, dword ptr [ebx + ecx*4 + 0x858]
            //   45334340             | inc                 ebp
            //   4533d0               | add                 eax, dword ptr [ebx + eax*4 + 0xc58]

        $sequence_13 = { 01771c 83c40c 8bc6 33d2 }
            // n = 4, score = 200
            //   01771c               | je                  0xe
            //   83c40c               | jmp                 0xe
            //   8bc6                 | add                 esp, 8
            //   33d2                 | mov                 dword ptr [esi + 0x14], eax

        // The annotations under this sequence do line up with its bytes
        // (cmp dword ptr [ecx], 2 / sete al / test al, al / je +7).
        $sequence_14 = { 833902 0f94c0 84c0 7407 e8???????? }
            // n = 5, score = 200
            //   833902               | cmp                 dword ptr [ecx], 2
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   e8????????           |                     

        $sequence_15 = { 751b 8b4508 a3???????? b801000000 }
            // n = 4, score = 200
            //   751b                 | mov                 eax, dword ptr [eax]
            //   8b4508               | push                ecx
            //   a3????????           |                     
            //   b801000000           | push                0

        $sequence_16 = { b896ffffff 5f 5e 5b 8be5 }
            // n = 5, score = 200
            //   b896ffffff           | add                 esp, 8
            //   5f                   | mov                 dword ptr [esi + 0x14], eax
            //   5e                   | mov                 eax, dword ptr [esi + 0x14]
            //   5b                   | test                eax, eax
            //   8be5                 | je                  0x11

    /* Fires when at least 7 of the 17 sequences above are present and the
     * scanned object is smaller than 1582080 bytes (~1.5 MiB). The size bound
     * limits false positives and scan cost on large files; note that
     * `filesize` only has a meaningful value when scanning files, so check the
     * YARA semantics for your deployment if the rule is applied to process
     * memory or other non-file inputs. */
    condition:
        7 of them and filesize < 1582080
}