{
	"id": "4a6463c4-b617-4789-b9bc-8aa918c8e2da",
	"created_at": "2026-04-06T01:30:24.604379Z",
	"updated_at": "2026-04-10T03:38:09.885923Z",
	"deleted_at": null,
	"sha1_hash": "5e014ab0be7b130fd0f2eca422d492bbcac02590",
	"title": "Detecting Datper Malware from Proxy Logs - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155228,
	"plain_text": "Detecting Datper Malware from Proxy Logs - JPCERT/CC Eyes\r\nBy JPCERT/CC\r\nPublished: 2017-08-20 · Archived: 2026-04-06 00:21:29 UTC\r\n\r\nThis is Yu Nakamura from Analysis Center.\r\nThis entry explains the features of Datper, malware used in targeted attacks against Japanese organisations, and how to detect it from proxy logs.\r\nJPCERT/CC has been observing attacks using Datper since around June 2016. Research reports on the adversary have been published by LAC [1], SecureWorks [2] and Palo Alto Networks [3]. The adversary also conducted attacks using Daserf malware in the past, and Symantec refers to them as “Tick” in their report [4].\r\n\r\nAttack vectors\r\nWe have confirmed that Datper infection occurs by:\r\nDrive-by download attacks\r\nExploiting vulnerabilities in asset management software\r\nIn the former case, we observed a vulnerability in Adobe Flash Player (CVE-2016-7892) being leveraged to download and execute Datper. In the latter, there were cases where devices were also infected with a downloader called “wali”. Analysis of this downloader has been published by Kaspersky [5] and Cybereason [6]. We have seen that wali can download several types of malware, and Datper is one of them.\r\n\r\nDetailed behaviour\r\nDatper communicates with a C\u0026C server over HTTP and operates based on the commands it receives. One of its characteristics is that it only communicates within a specific period of time.\r\nBelow is a sample HTTP request that Datper sends to a C\u0026C server. 
The User-Agent is hard-coded in the malware.\r\n\r\nGET /hoge/index.php?fnyup=940785246f0c22b41joikeddfngjokyptui HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: [host name]\r\nPragma: no-cache\r\nConnection: close\r\n\r\nhttps://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html\r\nPage 1 of 5\n\nThe malware receives a command in the response to this HTTP request and executes the corresponding function. Datper supports the following functions:\r\nObtain host names, OS versions etc.\r\nObtain drive information\r\nConfigure communication intervals\r\nSleep for a set period of time\r\nExecute a program\r\nOperate on files (obtain file lists, download, upload, delete)\r\nExecute shell commands\r\nAfter executing a function, Datper sends the result to the C\u0026C server.\r\n\r\nHow to detect Datper’s communication\r\nDatper sends HTTP GET requests with two types of query strings, format 1 and format 2 in the following figure.\r\nFigure 1: Query string formats (format 1: \u003ca\u003e=\u003cb\u003e\u003cc\u003e1\u003cencrypted data\u003e; format 2: \u003ca\u003e=\u003cb\u003e\u003cc\u003e2\u003cencrypted data\u003e)\r\nAs shown in Figure 1, \u003ca\u003e, \u003cb\u003e and \u003cc\u003e vary for each communication. If the fixed value following \u003cc\u003e is “1” (format 1), the request asks the C\u0026C server for commands; if it is “2” (format 2), the request carries command execution results to the C\u0026C server. The results are contained in the encrypted data. When the encrypted data is larger than 1024 bytes, the POST method is used instead of GET.\r\nQuery strings of this form are typical of Datper’s communication and are rarely seen in normal web browsing. 
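As an added illustration (example code written for this page, not the original post's script), the following Python 3 program builds query strings in both Figure 1 formats, recomputes <c> as CRC32(<b>) to decide whether a candidate matches, tells format 1 (command request) from format 2 (result upload), and runs the check over a few constructed Squid-style access.log lines. The host 203.0.113.5, the client addresses, the payloads and the log lines are all made up for the example; the Squid native log layout (timestamp, elapsed, client, result code, bytes, method, URL) is an assumption about the proxy in use.

```python
import re
from zlib import crc32

# Added example, not the original post's script. The query layout follows
# Figure 1 of the post: <a>=<b><c><1|2><encrypted data>, where <a> is a short
# alphanumeric key, <b> and <c> are 8 hex digits each and <c> = CRC32(<b>).
QUERY_RE = re.compile(
    '[?&]([0-9a-z]{3,8})=([0-9a-f]{8})([0-9a-f]{8})([12])([0-9a-z=_.+/-]*)$'
)


def crc_hex(value):
    '''CRC32 of an ASCII string as 8 lowercase hex digits (zlib.crc32 is
    unsigned in Python 3, so no masking is needed).'''
    return '%08x' % crc32(value.encode('ascii'))


def datper_query(a, b, kind, payload):
    '''Build a query string in the Figure 1 layout. kind 1 is a request for
    commands, kind 2 carries command execution results.'''
    if kind not in (1, 2):
        raise ValueError('kind must be 1 or 2')
    return '%s=%s%s%d%s' % (a, b, crc_hex(b), kind, payload)


def tampered_query(a, b, kind, payload):
    '''Same shape as datper_query() but with <c> set to the bitwise complement
    of the real CRC, so it can never validate. Used to show that shape alone
    (two 8-hex fields followed by a 1 or 2) does not produce a hit.'''
    bad_c = '%08x' % (crc32(b.encode('ascii')) ^ 0xffffffff)
    return '%s=%s%s%d%s' % (a, b, bad_c, kind, payload)


def classify_url(url):
    '''Return 'command request', 'result upload' or None. A URL is reported
    only when the query has the Datper layout AND <c> equals CRC32(<b>).'''
    m = QUERY_RE.search(url.lower())
    if not m:
        return None
    a, b, c, kind, data = m.groups()
    if crc_hex(b) != c:
        return None
    return 'command request' if kind == '1' else 'result upload'


def scan_squid_log(lines):
    '''Apply classify_url() to each Squid native access.log line (assumed
    layout: ts elapsed client code/status bytes method url ...). Returns a
    list of (client, method, url, verdict). The method is kept because the
    post notes that POST replaces GET once the result data exceeds 1024
    bytes.'''
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((client, method, url, verdict))
    return hits


# Constructed log lines (TEST-NET addresses, made-up paths and payloads).
C2 = 'http://203.0.113.5/hoge/index.php?'
SAMPLE_LOG = [
    '1502227200.001 312 10.0.0.12 TCP_MISS/200 512 GET ' + C2
    + datper_query('fnyup', '94078524', 1, 'joikeddfngjokyptui')
    + ' - DIRECT/203.0.113.5 text/html',
    '1502227260.417 1488 10.0.0.12 TCP_MISS/200 4096 POST ' + C2
    + datper_query('qzxtr', '0a1b2c3d', 2, 'kdlsmfngjeiworpq')
    + ' - DIRECT/203.0.113.5 text/html',
    # right shape, wrong checksum: must not be reported
    '1502227300.900 88 10.0.0.33 TCP_MISS/200 2210 GET http://www.example.com/view.php?'
    + tampered_query('key', '01234567', 1, 'aaaa')
    + ' - DIRECT/198.51.100.7 text/html',
    # ordinary browsing
    '1502227301.100 20 10.0.0.33 TCP_HIT/200 9800 GET http://www.example.com/css/site.css - NONE/- text/css',
]

if __name__ == '__main__':
    for client, method, verdict, url in (
            (h[0], h[1], h[3], h[2]) for h in scan_squid_log(SAMPLE_LOG)):
        print(client, method, verdict, url)
```

To run it over a real log, feed the lines (for example from sys.stdin) to scan_squid_log() instead of SAMPLE_LOG and adjust the field indexes if the proxy does not write Squid native format. The CRC32 comparison is what makes the pattern precise: a random pair of 8-hex tokens passes it with probability about 2 to the minus 32, so an entry that has the right shape but fails the checksum, like the third constructed line, is deliberately not reported.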
Based on these characteristics, Datper’s communication can be detected by checking the logs for query strings that match the format: fields in the order \u003ca\u003e=\u003cb\u003e\u003cc\u003e, where the CRC32 value of \u003cb\u003e equals \u003cc\u003e. The following Python script is an example of such a check for proxy server logs. The regular expression needs to be adjusted to the log format in use.\r\n\r\nimport re\r\nimport sys\r\nfrom binascii import crc32\r\n\r\n# Query string in the form <a>=<b><c><1|2>...: <a> is 3 to 8 alphanumeric\r\n# characters, <b> and <c> are 8 hex digits each. Adjust to the proxy log format.\r\nfilter_1 = re.compile(r'(http://[\\da-z\\.-]+\\.[a-z\\.]{2,6}/[\\/\\w_\\.-]+\\?[\\da-z]{3,8}=([\\da-f]{8})([\\da-f]{8})[1-2])')\r\n\r\n\r\ndef main():\r\n    for line in sys.stdin:\r\n        m1 = filter_1.search(line)\r\n        if not m1:\r\n            continue\r\n        d1 = m1.group(2).lower()   # <b>\r\n        d2 = m1.group(3).lower()   # <c>, expected to be CRC32(<b>)\r\n        # binascii.crc32 returns an unsigned 32-bit value in Python 3,\r\n        # so no ctypes.c_uint cast is needed\r\n        d1_crc32 = \"%08x\" % crc32(d1.encode(\"ascii\"))\r\n        if d1_crc32 == d2:\r\n            print(\"hit: %s\" % line.rstrip())\r\n\r\n\r\nif __name__ == '__main__':\r\n    main()\r\n\r\nChange in compression algorithm\r\nAs mentioned above, Datper’s communication contains encrypted data. More precisely, the plain text data is compressed, encrypted and then encoded. LZNT1 had been used as the compression algorithm, but it was replaced with LZRW1/KH around November 2016. Table 1 lists the compression and encryption methods that Datper uses.\r\n\r\nTable 1: List of compression and encryption methods\r\n\r\nVariant                         Compression algorithm   Encryption algorithm   Encode algorithm\r\nDatper (until October 2016)     LZNT1                   RC4                    Base64 (alternative table)\r\nDatper (after November 2016)    LZRW1/KH                xor + RC4              Base64 (alternative table)\r\n\r\nThe adversary has often used LZNT1 in attacks using Datper and other types of malware (xxmm/Minzen). 
While LZNT1 is easy to handle with the Windows API RtlDecompressBuffer, LZRW1/KH is not covered by any Windows API. The reason for this inconvenient choice is unclear; however, this change, together with the slight update in the encryption algorithm, may reflect the adversary’s intention to hinder malware analysis.\r\n\r\nConclusion\r\nThe adversary using Datper had conducted targeted attacks with Daserf malware against Japanese organisations for a long period of time. Activity with Datper is also likely to continue for a while, and we will carefully watch the malware and its attack activity.\r\n- Yu Nakamura\r\n(Translated by Yukako Uchida)\r\n\r\nReferences\r\n[1] CYBER GRID VIEW Vol.2 | Security Information | LAC Co. Ltd. (Japanese)\r\n  http://www.lac.co.jp/security/report/pdf/20160802_cgview_vol2_a001t.pdf\r\n[2] A whole picture of cyber attacks targeting Japanese companies – BRONZE BUTLER (Japanese)\r\n  https://www.secureworks.jp/%7E/media/Files/JP/Reports/SecureWorksBronzeButlerReport.ashx\r\n[3] “Tick” Group Continues Attacks\r\n  https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/\r\n[4] Tick cyberespionage group zeros in on Japan\r\n  https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan\r\n[5] Old Malware Tricks To Bypass Detection in the Age of Big Data – Securelist\r\n  https://securelist.com/blog/research/78010/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/\r\n[6] ShadowWali: New variant of the xxmm family of backdoors | Cybereason\r\n  https://www.cybereason.com/labs-blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors\r\n\r\nAppendix A: SHA-256 hash values of Datper 
samples\r\nDatper (LZNT1)\r\nefa68fcbd455a72276062fb513b71547ea11fedf4db10a476cc6c9a2fa4f67f7\r\n12d9b4ec7f8ae42c67a6fd030efb027137dbe29e63f6f669eb932d0299fbe82f\r\n331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b\r\n90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2\r\n2384e8ad8eee6db1e69b3ee7b6b3d01ae09f99a86901a0a87fb2788c1115090c\r\n7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849\r\nDatper (LZRW1/KH)\r\n7bc042b9a599e1024a668b9921e2a42a02545429cf446d5b3d21f20185afa6ce\r\n1e511c32cdf8abe23d8ba7c39da5ce7fc6c87fdb551c9fc3265ee22ac4076e27\r\n2f6745ccebf8e1d9e3e5284a895206bbb4347cf7daa2371652423aa9b94dfd3d\r\n\r\nSource: https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html"
	],
	"report_names": [
		"detecting-datper-malware-from-proxy-logs.html"
	],
	"threat_actors": [
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e014ab0be7b130fd0f2eca422d492bbcac02590.pdf",
		"text": "https://archive.orkl.eu/5e014ab0be7b130fd0f2eca422d492bbcac02590.txt",
		"img": "https://archive.orkl.eu/5e014ab0be7b130fd0f2eca422d492bbcac02590.jpg"
	}
}