Add TSCookie Malware and RAT

2018-03-06 13:28:28 +01:00 · 2018-03-06 13:28:28 +01:00 · ee3c858e4f
parent f11846a842
commit ee3c858e4f
2 changed files with 20 additions and 2 deletions
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -7,7 +7,7 @@
  ],
  "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
  "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
-  "version": 6,
+  "version": 7,
  "values": [
    {
      "meta": {
@ -2401,6 +2401,15 @@
        ]
      },
      "uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833"
+    },
+    {
+      "description": "TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon the execution, information of the infected host is sent with HTTP POST request to an external server. (The HTTP header format is the same as TSCookie.)\nThe data is RC4-encrypted from the beginning to 0x14 (the key is Date header value), which is followed by the information of the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1 for the data format.",
+      "value": "TSCookieRAT",
+      "meta": {
+        "refs": [
+          "http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
+        ]
+      }
    }
  ]
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -10,7 +10,7 @@
  ],
  "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
  "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 52,
+  "version": 53,
  "values": [
    {
      "meta": {
@ -3717,6 +3717,15 @@
        ]
      },
      "uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
+    },
+    {
+      "description": "TSCookie itself only serves as a downloader. It expands functionality by downloading modules from C&C servers. The sample that was examined downloaded a DLL file which has exfiltrating function among many others (hereafter “TSCookieRAT”). Downloaded modules only runs on memory.",
+      "value": "TSCookie",
+      "meta": {
+        "refs": [
+          "http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
+        ]
+      }
    }
  ]
 }