TicTacToe Dropper Malware

    Date: 08/26/2024

    Severity: Medium

    Summary

    "TicTacToeDropper" is a dropper: malware designed to deploy other malicious payloads onto an infected system. It typically operates by first delivering a small, inconspicuous component that then downloads and installs additional malicious software. The name "TicTacToeDropper" may refer to its use of simple yet effective techniques for evasion and persistence. Once active, it can facilitate a range of malicious activities, including data theft, system compromise, or further infection.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://171.22.30.147/tony/five/fre.php

    http://64.227.48.212/project/five/fre.php

    IP Address

    171.22.30.147

    64.227.48.212

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://171.22.30.147/tony/five/fre.php" or url like "http://171.22.30.147/tony/five/fre.php" or userdomainname like "http://64.227.48.212/project/five/fre.php" or url like "http://64.227.48.212/project/five/fre.php"

    Detection Query 2

    dstipaddress IN ("171.22.30.147","64.227.48.212") or ipaddress IN ("171.22.30.147","64.227.48.212") or publicipaddress IN ("171.22.30.147","64.227.48.212") or srcipaddress IN ("171.22.30.147","64.227.48.212")

    Detection Query 3

    md5hash IN ("cb830bcfa53ec0aa6a60610f453e9759")
    
    sha1hash IN ("af14b44a1bdbf96b8fec28236f152d410c91e807","90624ba95243c7ec20730a101cad6966e75df675","4a5b3465ef2298392b60ec78da233287185eb7dd","15b3c9768a67ce0d09807627f1939c7165a3fede")
    
    sha256hash IN ("3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36","8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4","349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748","0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3")

    Reference:

    https://gurucul.com/blog/tictactoe-malware-dropper

    https://otx.alienvault.com/pulse/65cf3c3e8a27ffb8384ffad6

    Tags

    Malware, Gurucul
