TSCookie — Malware Analysis Note

morimolymoly
Aug 27, 2023


This note includes a brief story of a malware variant and the analysis result from my morning coffee time.

TSCookie was used by the Chinese-nexus APT group BlackTech.

BlackTech is highly active in the APAC region, especially Japan and Taiwan.

TSCookie is a loader-type post-intrusion malware.

This post shows a simple way to analyze TSCookie.

I analyzed an old TSCookie sample (13c19132f7c0c2c02f4070eca9367bdf8ab2bf59c5993c6e853584ac215857c7), so I could not observe its network traffic working properly.

First, let's take a look at DIE (Detect It Easy)!

PE32, GUI; MFC is used.

Next, I launched CAPA to see which features are implemented.

[Figure: API hashing]

API hashing uses ADD and ROR13.

[Figure: RC4]

RC4 is used. Chinese APT loves RC4.

Let's take a look at the binary code with Binary Ninja.

[Figure: Resource loading]

Resource number 0x84 is something fun!

[Figure: Resource Hacker]

TSCookie has an encrypted binary in this resource.

TSCookie loads this resource, decrypts it with RC4, obtains a DLL, and executes it.

[Figure: The DLL region is executed directly]

You can write decryption code or dynamically extract the DLL.

I chose the dynamic approach because I didn't have time.
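For the static route mentioned above, here is an added example (not code from the original post) of decrypting an RC4-encrypted resource blob and checking that the result is a PE file before treating it as the embedded DLL. The key and the resource bytes are constructed for the demo; the real key must be recovered from the sample itself.

```python
# Added example, not from the original post. Static RC4 decryption of a
# resource blob as an alternative to dumping the decrypted DLL from memory.
# DEMO_KEY and the resource bytes are CONSTRUCTED placeholders; the real
# sample's key has to be recovered from the binary (e.g. in Binary Ninja).
import struct
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by the keystream (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on a decrypted blob: 'MZ' header and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_resource(key: bytes, resource: bytes) -> Optional[bytes]:
    """Decrypt an RC4-encrypted resource; return it only if it parses as a PE."""
    plain = rc4(key, resource)
    return plain if looks_like_pe(plain) else None


# Constructed stand-in for the embedded DLL: minimal DOS header + PE signature.
FAKE_DLL = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
DEMO_KEY = b"demo-key-not-real"               # assumption: placeholder key
ENCRYPTED_RESOURCE = rc4(DEMO_KEY, FAKE_DLL)  # RC4 is symmetric: encrypt == decrypt


def demo() -> bool:
    """Round trip: the decrypted resource must equal the constructed DLL."""
    return decrypt_resource(DEMO_KEY, ENCRYPTED_RESOURCE) == FAKE_DLL


if __name__ == "__main__":
    print("decrypted DLL recovered:", demo())
```

With a real sample, replace ENCRYPTED_RESOURCE with the raw bytes of resource 0x84 (e.g. saved from Resource Hacker) and DEMO_KEY with the key found in the loader.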

I mainly use x32/x64dbg to dump memory regions, but this time I used Hollows Hunter.

The extracted decrypted payload is a DLL.

[Figure: DIE]
[Figure: Export]

The export function name is Cancel.

[Figure: Junk code]

This binary has a lot of junk code.

GetTickCount-related things; nothing new.

[Figure: Junk]

This DLL downloads TSCookie Loader and TSCookie RAT.

[Figure: x64dbg, before the main routine]
[Figure: Fiddler]

As you can see in Fiddler, this DLL tried to download the TSCookie Loader.

I could not see the TSCookie Loader because this sample and its domain are already dead.

I could not obtain the TSCookie Loader or the TSCookie RAT.

However, I hope this article can reduce the cost for malware analysts who fight them.

If you find some mistake, please let me know!

IoC

  • 13c19132f7c0c2c02f4070eca9367bdf8ab2bf59c5993c6e853584ac215857c7 TSCookie
  • f77ae57532aec74be19eb718b7874802a5ccfc9adb9d9e691237b1cbe035cbd4 TSCookie DLL
