win.tofsee (Back to overview)

Tofsee

aka: Gheg
URLhaus    

There is no description at this point.

References
https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/
https://www.cert.pl/en/news/single/tofsee-en/
https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/
Yara Rules
[TLP:WHITE] win_tofsee_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_tofsee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 66895808 a1???????? 6689580a 8b15???????? 83c20c 33c0 33c9 }
            // n = 7, score = 400
            //   66895808             | mov                 word ptr [eax + 8], bx
            //   a1????????           |                     
            //   6689580a             | mov                 word ptr [eax + 0xa], bx
            //   8b15????????         |                     
            //   83c20c               | add                 edx, 0xc
            //   33c0                 | xor                 eax, eax
            //   33c9                 | xor                 ecx, ecx

        $sequence_1 = { 03c1 2bd1 8b4df4 8d443030 52 50 8b45f0 }
            // n = 7, score = 400
            //   03c1                 | add                 eax, ecx
            //   2bd1                 | sub                 edx, ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8d443030             | lea                 eax, [eax + esi + 0x30]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_2 = { 33c9 837d0c03 894df4 0f8????????? 8b4718 33d2 3bc1 }
            // n = 7, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   837d0c03             | cmp                 dword ptr [ebp + 0xc], 3
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   0f8?????????         |                     
            //   8b4718               | mov                 eax, dword ptr [edi + 0x18]
            //   33d2                 | xor                 edx, edx
            //   3bc1                 | cmp                 eax, ecx

        $sequence_3 = { e8???????? 8b03 83c40c 85f6 c6040600 7e?? }
            // n = 6, score = 400
            //   e8????????           |                     
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   c6040600             | mov                 byte ptr [esi + eax], 0
            //   7e??                 |                     

        $sequence_4 = { 0f8????????? 8b7510 85f6 74?? 8d85a0feffff 50 6a00 }
            // n = 7, score = 400
            //   0f8?????????         |                     
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   85f6                 | test                esi, esi
            //   74??                 |                     
            //   8d85a0feffff         | lea                 eax, [ebp - 0x160]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_5 = { 59 894608 8b4604 59 eb?? 8b4e08 83248100 }
            // n = 7, score = 400
            //   59                   | pop                 ecx
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   59                   | pop                 ecx
            //   eb??                 |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   83248100             | and                 dword ptr [ecx + eax*4], 0

        $sequence_6 = { 6a0a ff75f0 8975e8 ff75fc e8???????? 83c40c 8d45e8 }
            // n = 7, score = 400
            //   6a0a                 | push                0xa
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_7 = { 55 8bec 51 56 8b35???????? 57 bf64006400 }
            // n = 7, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   56                   | push                esi
            //   8b35????????         |                     
            //   57                   | push                edi
            //   bf64006400           | mov                 edi, 0x640064

        $sequence_8 = { 83c030 3b450c 7f?? 8b4628 85c0 74?? 8bcb }
            // n = 7, score = 400
            //   83c030               | add                 eax, 0x30
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   7f??                 |                     
            //   8b4628               | mov                 eax, dword ptr [esi + 0x28]
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   8bcb                 | mov                 ecx, ebx

        $sequence_9 = { 56 57 8b3d???????? ffd7 8b35???????? 8bd8 eb?? }
            // n = 7, score = 400
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   ffd7                 | call                edi
            //   8b35????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   eb??                 |                     

    condition:
        7 of them
}
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
rule win_tofsee_w0 {
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}
Download all Yara Rules