Merge pull request #163 from Delta-Sierra/master

Add TSCookie Malware and RAT
This commit is contained in:
Alexandre Dulaunoy 2018-03-06 15:39:25 +01:00 committed by GitHub
commit 136763d2d8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 2 deletions


@ -7,7 +7,7 @@
], ],
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.", "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9", "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"version": 6, "version": 7,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -2401,6 +2401,15 @@
] ]
}, },
"uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833" "uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833"
},
{
"description": "TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon the execution, information of the infected host is sent with HTTP POST request to an external server. (The HTTP header format is the same as TSCookie.)\nThe data is RC4-encrypted from the beginning to 0x14 (the key is Date header value), which is followed by the information of the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1 for the data format.",
"value": "TSCookieRAT",
"meta": {
"refs": [
"http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
]
}
} }
] ]
} }
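Review bot: The new TSCookieRAT value object (lines after the `696125b9-7a91-...` context line in the second hunk) has no `uuid`, while the sibling entry just above it closes with one, so this value cannot be referenced stably by anything that keys cluster values on uuid. Add a `"uuid": "<generated-uuid4>"` member alongside `value` and `meta` to match the existing entries; the TSCookie entry added to the second file in this commit has the same gap. The description's final sentence, `Please refer to Appendix C, Table C-1 for the data format.`, is lifted from the cited JPCERT post and points at an appendix that does not exist in this file; either drop it or reword it to `See Appendix C, Table C-1 of the referenced JPCERT post for the data format.` so the reference resolves. The enclosing `values` array and top-level object open and close outside the hunk.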


@ -10,7 +10,7 @@
], ],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 52, "version": 53,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -3717,6 +3717,15 @@
] ]
}, },
"uuid": "d248a27c-d036-4032-bc70-803a1b0c8148" "uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
},
{
"description": "TSCookie itself only serves as a downloader. It expands functionality by downloading modules from C&C servers. The sample that was examined downloaded a DLL file which has exfiltrating function among many others (hereafter “TSCookieRAT”). Downloaded modules only runs on memory.",
"value": "TSCookie",
"meta": {
"refs": [
"http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
]
}
} }
] ]
} }
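Review bot: The new TSCookie description in the second hunk uses typographic quotes (`“TSCookieRAT”`) where the rest of this file, e.g. the `"description"` context line in the first hunk, escapes ASCII quotes as `\"operator\"`; the curly quotes are valid UTF-8 but inconsistent, and are a sign the text was pasted verbatim from the source post. Replace them with `(hereafter \"TSCookieRAT\")` for consistency. The same sentence's `Downloaded modules only runs on memory.` reads better as `Downloaded modules only run in memory.`. The enclosing `values` array and top-level object open and close outside the hunk.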