mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-27 01:07:18 +00:00
Merge pull request #163 from Delta-Sierra/master
Add TSCookie Malware and RAT
This commit is contained in:
commit
136763d2d8
2 changed files with 20 additions and 2 deletions
|
@ -7,7 +7,7 @@
|
||||||
],
|
],
|
||||||
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
|
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
|
||||||
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
|
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
|
||||||
"version": 6,
|
"version": 7,
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -2401,6 +2401,15 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833"
|
"uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon the execution, information of the infected host is sent with HTTP POST request to an external server. (The HTTP header format is the same as TSCookie.)\nThe data is RC4-encrypted from the beginning to 0x14 (the key is Date header value), which is followed by the information of the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1 for the data format.",
|
||||||
|
"value": "TSCookieRAT",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
],
|
],
|
||||||
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||||||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||||||
"version": 52,
|
"version": 53,
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -3717,6 +3717,15 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
|
"uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "TSCookie itself only serves as a downloader. It expands functionality by downloading modules from C&C servers. The sample that was examined downloaded a DLL file which has exfiltrating function among many others (hereafter “TSCookieRAT”). Downloaded modules only runs on memory.",
|
||||||
|
"value": "TSCookie",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue