TSCookie — Malware Analysis Note

morimolymoly
3 min readAug 27, 2023

This note includes brief story of malware variant and my analysis result in my morning coffee time.

TSCookie was used by Chinese-Nexus APT group, BlackTech.

BlackTech is highly active in APAC region, especially Japan, Taiwan.

TSCookie is a post-intrusion malware which is loader typed.

This post will show you how to analyze TSCookie simply.

I analyzed old TSCookie(13c19132f7c0c2c02f4070eca9367bdf8ab2bf59c5993c6e853584ac215857c7) so I could not see network traffic which is woriking properly.

First, Let’s take a look at DIE(DetectItEasy)!

PE32, GUI, MFC is used.

Next, I launched CAPA to see what feature is implemented.

API Hashing
API hashing

API Hashing used ADD and ROR13

RC4

RC4 is used. Chinese APT loves RC4.

Let’s take a look at binary code with Binary Ninja.

Resouce loading

Resource number 0x84 is a something fun!

Resource Hacker

TSCookie has some encrypted binary.

TSCookie load this resource and decrypt with RC4 and get DLL and execute.

DLL region is directly executed

You can write decryption code or dynamically extract DLL.

I selected dynamic one because I don’t have time.

I mainly use x32/64dbg to dump memory region but at this time I used Hollows Hunter.

Extracted decrypted one is a DLL.

DIE
Export

Export function name is Cancel.

Junk code

This binary has many junk code.

GetTickCount things, not new.

Junk

This DLL downloads TSCookie Loader and TSCookie RAT.

x64dbg to see before main routine
Fiddler

As you can see with Fiddler, this dll tried to download TSCookie Loader.

I could not see TSCookie Loader because this sample and domain is dead already.

I could not obtain TSCookie Loader and TSCookie RAT.

However, I hope this article can reduce cost when malware analyst fight with them.

If you find some mistake, please let me know!

IoC

  • 13c19132f7c0c2c02f4070eca9367bdf8ab2bf59c5993c6e853584ac215857c7 TSCookie
  • f77ae57532aec74be19eb718b7874802a5ccfc9adb9d9e691237b1cbe035cbd4 TSCookie DLL

--

--

morimolymoly

I am a Software Engineer, Malware Analyst. Feel free to reach me! Webpage: https://morimolymoly.com/