Skip to content

Hide Navigation Hide TOC

TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). TSCookie has been referred to as PLEAD though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)

Cluster A Galaxy A Cluster B Galaxy B Level
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware 1
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace) Malware Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2