win_lockergoga_auto
YARA-2024-0181
Medium
general
Active
Detects win.lockergoga.
win_lockergoga_auto.yar
Valid Syntax
rule win_lockergoga_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2024-10-31"
version = "1"
description = "Detects win.lockergoga."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
malpedia_rule_date = "20241030"
malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
malpedia_version = "20241030"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { e8???????? e9???????? c16d0c1f 8bc1 99 8bc8 c745d40f000000 }
// n = 7, score = 400
// e8???????? |
// e9???????? |
// c16d0c1f | shr dword ptr [ebp + 0xc], 0x1f
// 8bc1 | mov eax, ecx
// 99 | cdq
// 8bc8 | mov ecx, eax
// c745d40f000000 | mov dword ptr [ebp - 0x2c], 0xf
$sequence_1 = { 6a01 895dec e8???????? 8d4b08 c703???????? c6411900 c74120ffffffff }
// n = 7, score = 400
// 6a01 | push 1
// 895dec | mov dword ptr [ebp - 0x14], ebx
// e8???????? |
// 8d4b08 | lea ecx, [ebx + 8]
// c703???????? |
// c6411900 | mov byte ptr [ecx + 0x19], 0
// c74120ffffffff | mov dword ptr [ecx + 0x20], 0xffffffff
$sequence_2 = { e8???????? 8be5 5d c20c00 ffb51cffffff 8bcf e8???????? }
// n = 7, score = 400
// e8???????? |
// 8be5 | mov esp, ebp
// 5d | pop ebp
// c20c00 | ret 0xc
// ffb51cffffff | push dword ptr [ebp - 0xe4]
// 8bcf | mov ecx, edi
// e8???????? |
$sequence_3 = { ff10 8b4e3c 83f910 722c 8b4628 41 81f900100000 }
// n = 7, score = 400
// ff10 | call dword ptr [eax]
// 8b4e3c | mov ecx, dword ptr [esi + 0x3c]
// 83f910 | cmp ecx, 0x10
// 722c | jb 0x2e
// 8b4628 | mov eax, dword ptr [esi + 0x28]
// 41 | inc ecx
// 81f900100000 | cmp ecx, 0x1000
$sequence_4 = { 8d45f4 64a300000000 8bf1 8b06 ff90a4000000 85c0 7423 }
// n = 7, score = 400
// 8d45f4 | lea eax, [ebp - 0xc]
// 64a300000000 | mov dword ptr fs:[0], eax
// 8bf1 | mov esi, ecx
// 8b06 | mov eax, dword ptr [esi]
// ff90a4000000 | call dword ptr [eax + 0xa4]
// 85c0 | test eax, eax
// 7423 | je 0x25
$sequence_5 = { f7ea 035584 c1fa05 8bc2 c1e81f 03c2 7458 }
// n = 7, score = 400
// f7ea | imul edx
// 035584 | add edx, dword ptr [ebp - 0x7c]
// c1fa05 | sar edx, 5
// 8bc2 | mov eax, edx
// c1e81f | shr eax, 0x1f
// 03c2 | add eax, edx
// 7458 | je 0x5a
$sequence_6 = { eb0f 57 8d4dc8 e8???????? 8b45cc 8945f0 807d0700 }
// n = 7, score = 400
// eb0f | jmp 0x11
// 57 | push edi
// 8d4dc8 | lea ecx, [ebp - 0x38]
// e8???????? |
// 8b45cc | mov eax, dword ptr [ebp - 0x34]
// 8945f0 | mov dword ptr [ebp - 0x10], eax
// 807d0700 | cmp byte ptr [ebp + 7], 0
$sequence_7 = { 8b4830 85c9 7409 8b11 83c028 50 ff521c }
// n = 7, score = 400
// 8b4830 | mov ecx, dword ptr [eax + 0x30]
// 85c9 | test ecx, ecx
// 7409 | je 0xb
// 8b11 | mov edx, dword ptr [ecx]
// 83c028 | add eax, 0x28
// 50 | push eax
// ff521c | call dword ptr [edx + 0x1c]
$sequence_8 = { e8???????? 807e1000 7562 8b4e04 8bc7 8a10 3a11 }
// n = 7, score = 400
// e8???????? |
// 807e1000 | cmp byte ptr [esi + 0x10], 0
// 7562 | jne 0x64
// 8b4e04 | mov ecx, dword ptr [esi + 4]
// 8bc7 | mov eax, edi
// 8a10 | mov dl, byte ptr [eax]
// 3a11 | cmp dl, byte ptr [ecx]
$sequence_9 = { e8???????? 8d4dbc e8???????? 8d8d2cffffff e8???????? 8b4df4 64890d00000000 }
// n = 7, score = 400
// e8???????? |
// 8d4dbc | lea ecx, [ebp - 0x44]
// e8???????? |
// 8d8d2cffffff | lea ecx, [ebp - 0xd4]
// e8???????? |
// 8b4df4 | mov ecx, dword ptr [ebp - 0xc]
// 64890d00000000 | mov dword ptr fs:[0], ecx
condition:
7 of them and filesize < 2588672
}
Threat Analysis
This YARA rule is filed in the general category and detects win.lockergoga, the family tracked under that name on Malpedia.
Severity Level: Medium
The rule matches on ten short code byte sequences ($sequence_0 to $sequence_9, seven instructions each) that YARA-Signator selected from the disassembly of unpacked samples and memory dumps; call and jump targets and data references are wildcarded (??), so the patterns survive relocation. The condition fires when at least 7 of the 10 sequences are present and the scanned file is smaller than 2588672 bytes.
Detection Capabilities
- File-based detection for executables and documents
- Memory scanning for running processes
- Network traffic analysis support
Command Line Usage
# Scan a single file
yara win_lockergoga_auto.yar /path/to/suspicious/file
# Scan a directory recursively
yara -r win_lockergoga_auto.yar /path/to/directory/
# Scan with metadata output
yara -m win_lockergoga_auto.yar target_file
# Scan the on-disk executable backing a process (Linux); this reads the file, not live memory
yara win_lockergoga_auto.yar /proc/[pid]/exe
# Scan a running process's memory: pass the PID instead of a path (needs permission to read that process)
yara win_lockergoga_auto.yar [pid]
Integration Examples
Python (yara-python)
import yara
# Compile the rule file once and reuse the compiled object for every scan
rules = yara.compile(filepath='win_lockergoga_auto.yar')
# match() returns a list of Match objects; it is empty when the condition is not met
matches = rules.match('/path/to/file')
print([m.rule for m in matches])
ClamAV Integration
# clamscan has no --yara-rules switch; it loads .yar/.yara files given with -d (or placed in its database directory).
# ClamAV implements a subset of YARA syntax, so check that the rule loads without errors before relying on it.
clamscan -d win_lockergoga_auto.yar /path/to/scan
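The yara-python snippet above needs the yara library installed. As an added illustration (not part of the original page or of YARA-Signator), the following pure-Python re-implementation of this rule's hex-string matching and condition shows what "7 of them and filesize < 2588672" evaluates, using the rule's own sequences on constructed buffers:

```python
import re

# Hex strings copied from the rule above; "??" is YARA's one-byte wildcard
# (the call/jump targets and data references YARA-Signator masked out).
SEQUENCES = {
    "$sequence_0": "e8???????? e9???????? c16d0c1f 8bc1 99 8bc8 c745d40f000000",
    "$sequence_1": "6a01 895dec e8???????? 8d4b08 c703???????? c6411900 c74120ffffffff",
    "$sequence_2": "e8???????? 8be5 5d c20c00 ffb51cffffff 8bcf e8????????",
    "$sequence_3": "ff10 8b4e3c 83f910 722c 8b4628 41 81f900100000",
    "$sequence_4": "8d45f4 64a300000000 8bf1 8b06 ff90a4000000 85c0 7423",
    "$sequence_5": "f7ea 035584 c1fa05 8bc2 c1e81f 03c2 7458",
    "$sequence_6": "eb0f 57 8d4dc8 e8???????? 8b45cc 8945f0 807d0700",
    "$sequence_7": "8b4830 85c9 7409 8b11 83c028 50 ff521c",
    "$sequence_8": "e8???????? 807e1000 7562 8b4e04 8bc7 8a10 3a11",
    "$sequence_9": "e8???????? 8d4dbc e8???????? 8d8d2cffffff e8???????? 8b4df4 64890d00000000",
}
THRESHOLD = 7           # the rule's "7 of them"
MAX_FILESIZE = 2588672  # the rule's "filesize < 2588672"

def hex_string_to_regex(hex_string):
    """Compile a YARA hex string into a bytes regex; each '??' becomes one arbitrary byte."""
    compact = hex_string.replace(" ", "")
    parts = [b"." if compact[i:i + 2] == "??" else re.escape(bytes.fromhex(compact[i:i + 2]))
             for i in range(0, len(compact), 2)]
    return re.compile(b"".join(parts), re.DOTALL)

def matching_sequences(data):
    """Names of the rule's strings that occur somewhere in data, in rule order."""
    return [name for name, hs in SEQUENCES.items() if hex_string_to_regex(hs).search(data)]

def rule_matches(data):
    """Evaluate the rule's condition the way YARA would: hit count and file size."""
    return len(matching_sequences(data)) >= THRESHOLD and len(data) < MAX_FILESIZE

def build_sample(names, filler=b"\x90" * 16):
    """Constructed buffer (synthetic, not a real sample): the chosen sequences with
    every wildcard byte set to 0x41, separated by NOP padding."""
    chunks = [bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", "41")) for n in names]
    return filler.join(chunks)

if __name__ == "__main__":
    names = list(SEQUENCES)
    print(matching_sequences(build_sample(names[:7])))   # all seven chosen sequences are found
    print(rule_matches(build_sample(names[:7])))         # True: 7 of 10 and under the size limit
    print(rule_matches(build_sample(names[:6])))         # False: only 6 of 10
```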
Rule Information
YARA ID
YARA-2024-0181
Repository
Created
August 19, 2025
Last Updated
August 19, 2025
Last Imported
Never
Threat Intelligence
Risk Level
Medium
Category
general
Detection Confidence
Analysis Pending
False Positive Rate
Not Available
Last Seen in Wild
No Data