There is no description at this point.
https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/ |
https://www.cert.pl/en/news/single/tofsee-en/ |
https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/ |
rule win_tofsee_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2018-11-23"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator 0.1a"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
malpedia_version = "20180607"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using yara-signator.
* The code and documentation / approach will be published in the near future here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 53 ff75dc 53 50 }
// n = 4, score = 3000
// 53 | push ebx
// ff75dc | push dword ptr [ebp - 0x24]
// 53 | push ebx
// 50 | push eax
$sequence_1 = { 34c6 41 3bce 72e8 }
// n = 4, score = 3000
// 34c6 | xor al, 0xc6
// 41 | inc ecx
// 3bce | cmp ecx, esi
// 72e8 | jb 0x97276
$sequence_2 = { 56 8b742408 394648 c7464401000000 }
// n = 4, score = 3000
// 56 | push esi
// 8b742408 | mov esi, dword ptr [esp + 8]
// 394648 | cmp dword ptr [esi + 0x48], eax
// c7464401000000 | mov dword ptr [esi + 0x44], 1
$sequence_3 = { 33c9 33c0 85f6 7e14 }
// n = 4, score = 3000
// 33c9 | xor ecx, ecx
// 33c0 | xor eax, eax
// 85f6 | test esi, esi
// 7e14 | jle 0x948e4
$sequence_4 = { 47 57 8bcb e8e5efffff }
// n = 4, score = 3000
// 47 | inc edi
// 57 | push edi
// 8bcb | mov ecx, ebx
// e8e5efffff | call 0x94283
$sequence_5 = { 0fbec0 25ff000080 7907 48 }
// n = 4, score = 3000
// 0fbec0 | movsx eax, al
// 25ff000080 | and eax, 0x800000ff
// 7907 | jns 0x972e3
// 48 | dec eax
$sequence_6 = { 57 8a11 0fb6fb 0fb6c2 }
// n = 4, score = 3000
// 57 | push edi
// 8a11 | mov dl, byte ptr [ecx]
// 0fb6fb | movzx edi, bl
// 0fb6c2 | movzx eax, dl
$sequence_7 = { 50 6803010000 53 68b7000000 }
// n = 4, score = 3000
// 50 | push eax
// 6803010000 | push 0x103
// 53 | push ebx
// 68b7000000 | push 0xb7
$sequence_8 = { 50 e855f7ffff 59 c3 }
// n = 4, score = 3000
// 50 | push eax
// e855f7ffff | call 0x91d09
// 59 | pop ecx
// c3 | ret
$sequence_9 = { 50 0fb64579 50 0fb6457a }
// n = 4, score = 3000
// 50 | push eax
// 0fb64579 | movzx eax, byte ptr [ebp + 0x79]
// 50 | push eax
// 0fb6457a | movzx eax, byte ptr [ebp + 0x7a]
condition:
7 of them
}
rule win_tofsee_w0 {
meta:
author="akrasuski1"
malpedia_version = "20171121"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
$xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
$xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}
$string_res1 = "loader_id"
$string_res2 = "born_date"
$string_res3 = "work_srv"
$string_res4 = "flags_upd"
$string_res5 = "lid_file_upd"
$string_res6 = "localcfg"
$string_var0 = "%RND_NUM"
$string_var1 = "%SYS_JR"
$string_var2 = "%SYS_N"
$string_var3 = "%SYS_RN"
$string_var4 = "%RND_SPACE"
$string_var5 = "%RND_DIGIT"
$string_var6 = "%RND_HEX"
$string_var7 = "%RND_hex"
$string_var8 = "%RND_char"
$string_var9 = "%RND_CHAR"
condition:
(7 of ($string_var*) and 4 of ($string_res*))
or
(7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
or
(4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}