TDTESS
TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [1]
ID: S0164
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.[1] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
TDTESS creates then deletes log files during installation of itself as a service.[1] |
| .006 | 移除指标: Timestomp |
After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file.[1] |
||
| Enterprise | T1105 | 输入工具传输 |
TDTESS has a command to download and execute an additional file.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0052 | CopyKittens |