Datper

Description

(JPCERT/CC) Datper communicates with a C&C server using HTTP protocol and operates based on the received commands. One of the characteristics is that it only communicates within a specific period of time.

The malware receives a command as a response to the above HTTP request, and it executes functions based on the commands. Functions that Datper can execute are the following:

  • Obtain host names, OS versions etc.
  • Obtain drive information
  • Configure communication intervals
  • Sleep for a set period of time
  • Execute a program
  • Operate on files (Obtain file lists, download, upload, delete)
  • Execute shell commands

After executing these functions, Datper sends the results to a C&C server.

Names

Name
Datper

Category

Malware

Type

  • Reconnaissance
  • Backdoor
  • Info stealer
  • Exfiltration

Information

Malpedia

AlienVault OTX

Other Information

UUID

26cad6ce-54da-4ad1-8f06-24d59dd4603d

Last Card Change

2020-05-13