win.tofsee (Back to overview)

Tofsee

aka: Gheg
URLhaus    

There is no description at this point.

References
2017-10-19 ⋅ CERT.PLJarosław Jedynak
@online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } A deeper look at Tofsee modules
Tofsee
2017-03-24 ⋅ Zerophage
@online{zerophage:20170324:terror:b7e48b2, author = {Zerophage}, title = {{Terror EK via Malvertising delivers Tofsee Spambot}}, date = {2017-03-24}, url = {https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/}, language = {English}, urldate = {2020-01-05} } Terror EK via Malvertising delivers Tofsee Spambot
Tofsee
2016-09-16 ⋅ CERT.PLAdam Krasuski
@online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } Tofsee – modular spambot
Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_tofsee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b45f8 c9 c3 85c0 741a }
            // n = 5, score = 400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c9                   | leave               
            //   c3                   | ret                 
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c

        $sequence_1 = { 57 33c0 40 6a04 668945f4 8945f8 8d45f8 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   6a04                 | push                4
            //   668945f4             | mov                 word ptr [ebp - 0xc], ax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_2 = { 8945fc eb07 3c39 7f09 47 ff06 8a07 }
            // n = 7, score = 400
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   eb07                 | jmp                 9
            //   3c39                 | cmp                 al, 0x39
            //   7f09                 | jg                  0xb
            //   47                   | inc                 edi
            //   ff06                 | inc                 dword ptr [esi]
            //   8a07                 | mov                 al, byte ptr [edi]

        $sequence_3 = { 8b07 0fb70418 83c40c 50 ff15???????? ff742428 0fb7c0 }
            // n = 7, score = 400
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0fb70418             | movzx               eax, word ptr [eax + ebx]
            //   83c40c               | add                 esp, 0xc
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   0fb7c0               | movzx               eax, ax

        $sequence_4 = { ff15???????? 85f6 8bc6 75e8 5e c3 }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   85f6                 | test                esi, esi
            //   8bc6                 | mov                 eax, esi
            //   75e8                 | jne                 0xffffffea
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_5 = { 50 68000000c0 8d8584feffff 50 ff15???????? 8bf0 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   68000000c0           | push                0xc0000000
            //   8d8584feffff         | lea                 eax, [ebp - 0x17c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_6 = { 8b1d???????? 57 8b4dfc 8b4508 8b0488 8b30 8b7edc }
            // n = 7, score = 400
            //   8b1d????????         |                     
            //   57                   | push                edi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b0488               | mov                 eax, dword ptr [eax + ecx*4]
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   8b7edc               | mov                 edi, dword ptr [esi - 0x24]

        $sequence_7 = { 50 eb30 8d4dd4 51 50 ff35???????? 8d45a4 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   eb30                 | jmp                 0x32
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff35????????         |                     
            //   8d45a4               | lea                 eax, [ebp - 0x5c]

        $sequence_8 = { 83c414 50 ff15???????? 57 6a00 56 e8???????? }
            // n = 7, score = 400
            //   83c414               | add                 esp, 0x14
            //   50                   | push                eax
            //   ff15????????         |                     
            //   57                   | push                edi
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_9 = { ff70f4 50 e8???????? 83c410 894514 e8???????? }
            // n = 6, score = 400
            //   ff70f4               | push                dword ptr [eax - 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   e8????????           |                     

    condition:
        7 of them
}
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
rule win_tofsee_w0 {
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}
Download all Yara Rules