win.tofsee

Tofsee

aka: Gheg

There is no description at this point.

References
2017-10-19 · CERT.PL · Jarosław Jedynak
@online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } A deeper look at Tofsee modules
Tofsee
2017-10-06 · CERT.PL · Maciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-03-24 · Zerophage
@online{zerophage:20170324:terror:b7e48b2, author = {Zerophage}, title = {{Terror EK via Malvertising delivers Tofsee Spambot}}, date = {2017-03-24}, url = {https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/}, language = {English}, urldate = {2020-01-05} } Terror EK via Malvertising delivers Tofsee Spambot
Tofsee
2016-09-16 · CERT.PL · Adam Krasuski
@online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } Tofsee – modular spambot
Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_tofsee_auto {

    /* Auto-generated code-sequence signature for Tofsee (win.tofsee).
     * Fires when at least 7 of the 10 short x86 instruction sequences below
     * are found and the scanned object is smaller than 147456 bytes (see the
     * condition). Operand bytes of calls, jumps and data references are
     * wildcarded ("????????"), so the sequences tolerate relocation/rebasing;
     * the rule is meant for unpacked code and memory dumps (see DISCLAIMER).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // date/malpedia_rule_date (2020-12-22) differ from malpedia_version and
        // the page header (20201023); presumably the rule was generated on
        // 2020-12-22 against the 20201023 Malpedia snapshot — confirm upstream.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes used by the generator: call/jump targets and data
        // references are masked, literal instruction bytes are kept.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per sequence: "n" is the instruction count, "score" is the value
        // reported by yara-signator (400 for every sequence here). Wildcarded
        // opcodes (e8 call, e9 jmp, ff15 call [mem], 68 push imm32) carry no
        // disassembly because their operands are masked.
        $sequence_0 = { 57 e8???????? 8d85f0f7ffff 50 6800040000 ff15???????? }
            // n = 6, score = 400
            //   57                   | push                edi
            //   e8????????           |                     
            //   8d85f0f7ffff         | lea                 eax, [ebp - 0x810]
            //   50                   | push                eax
            //   6800040000           | push                0x400
            //   ff15????????         |                     

        $sequence_1 = { e8???????? 80782451 0f84cf040000 57 8bcb }
            // n = 5, score = 400
            //   e8????????           |                     
            //   80782451             | cmp                 byte ptr [eax + 0x24], 0x51
            //   0f84cf040000         | je                  0x4d5
            //   57                   | push                edi
            //   8bcb                 | mov                 ecx, ebx

        $sequence_2 = { 80f95a 7f16 80f961 7c06 8b5208 8002e0 8b4e24 }
            // n = 7, score = 400
            //   80f95a               | cmp                 cl, 0x5a
            //   7f16                 | jg                  0x18
            //   80f961               | cmp                 cl, 0x61
            //   7c06                 | jl                  8
            //   8b5208               | mov                 edx, dword ptr [edx + 8]
            //   8002e0               | add                 byte ptr [edx], 0xe0
            //   8b4e24               | mov                 ecx, dword ptr [esi + 0x24]

        $sequence_3 = { 53 e8???????? 83c40c 6683631000 8d4f30 6a12 5e }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6683631000           | and                 word ptr [ebx + 0x10], 0
            //   8d4f30               | lea                 ecx, [edi + 0x30]
            //   6a12                 | push                0x12
            //   5e                   | pop                 esi

        $sequence_4 = { 6a40 8d4580 50 ff75fc 8975ec 8975e8 }
            // n = 6, score = 400
            //   6a40                 | push                0x40
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi

        $sequence_5 = { 8945ec ff15???????? 3bc7 8945f4 7507 33c0 5f }
            // n = 7, score = 400
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   ff15????????         |                     
            //   3bc7                 | cmp                 eax, edi
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi

        $sequence_6 = { 3bf7 8945f8 897dfc 7507 33c0 e9???????? 6a10 }
            // n = 7, score = 400
            //   3bf7                 | cmp                 esi, edi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   6a10                 | push                0x10

        $sequence_7 = { 8d45e8 57 50 e8???????? 83c40c ff750c ff15???????? }
            // n = 7, score = 400
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff15????????         |                     

        $sequence_8 = { 57 8b7d08 8d5f04 68???????? }
            // n = 4, score = 400
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8d5f04               | lea                 ebx, [edi + 4]
            //   68????????           |                     

        $sequence_9 = { 57 ff75ec 897df0 ff75e8 e8???????? 83c40c }
            // n = 6, score = 400
            //   57                   | push                edi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

    condition:
        // 7 of the 10 sequences, plus a size cap (147456 = 0x24000 bytes) that
        // keeps the rule from firing on large objects that merely contain a few
        // of these generic-looking sequences; raise or drop the cap with care
        // when scanning whole-process dumps.
        7 of them and filesize < 147456
}
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
rule win_tofsee_w0 {
    /* Hand-written Tofsee signature (author "akrasuski1" — presumably the
     * author of the 2016-09-16 CERT.PL write-up "Tofsee – modular spambot"
     * listed in the references; confirm). Three independent string groups;
     * the condition accepts any two of the three, so a sample in which one
     * group is absent or obfuscated can still match. Unlike win_tofsee_auto
     * there is no filesize bound or PE-header check.
     */
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        // Non-commercial licence, stricter than the CC BY-SA 4.0 of win_tofsee_auto.
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        // Group 1: raw code byte patterns. Per their names these cover a
        // string-decryption routine and two XOR routines — verify against the
        // referenced analysis before relying on that interpretation.
        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        // Group 2: ASCII identifiers; judging by the names they look like
        // configuration/resource keys (loader id, birth date, work server, ...).
        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        // Group 3: "%..." placeholders, apparently template-substitution macros.
        // YARA text strings are case-sensitive unless marked nocase, so
        // "%RND_HEX"/"%RND_hex" and "%RND_CHAR"/"%RND_char" are distinct hits.
        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        // Any two of the three groups: 7/10 template macros, 4/6 resource keys,
        // 2/3 code patterns.
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}