Merge branch 'darkme2' into 'master'

New Query: DarkMe Malware Registry

See merge request malware-team/osquery_queries!320

packs/win_malware.conf

@@ -1853,6 +1853,15 @@
                 "windows"
             ]
         },
+        "malware_darkme_registry": {
+            "query": "SELECT key as reg_key, path, name, data, datetime(mtime, 'unixepoch', 'UTC') as last_modified FROM registry WHERE key LIKE 'HKEY_USERS\\S-%\\Software\\Classes\\CLSID\\%\\ProgID' AND data LIKE 'NoProjectName.familytool';",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "DarkMe is a remote access trojan (RAT) written in VB6. It is used by the Water Hydra threat actor group to access victim machines and registers the device to a remote command and control server.",
+            "platform": [
+                "windows"
+            ]
+        },
         "SugarGh0st RAT Registry Key Detected": {
             "query": "SELECT key, path, name, data, DATETIME(mtime, 'unixepoch', 'UTC') AS last_modified FROM registry WHERE key LIKE 'HKEY_USERS\\S-%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' AND name='CTFM0N.EXE';",
             "interval": 86400,

win_malware/malware_darkme_registry.yaml

@@ -0,0 +1,17 @@
+malware_darkme_registry:
+  query: 'SELECT key as reg_key, path, name, data, datetime(mtime, "unixepoch", "UTC") 
+        as last_modified FROM registry WHERE key LIKE "HKEY_USERS\S-%\Software\Classes\CLSID\%\ProgID" 
+        AND data LIKE "NoProjectName.familytool"'
+  interval: 86400
+  snapshot: true
+  description: DarkMe is a remote access trojan (RAT) written in VB6. It is used by the Water Hydra
+        threat actor group to access victim machines and registers the device to a remote command
+        and control server. 
+  references:
+  - https://www.virustotal.com/gui/file/d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738
+  mitre_tactics:
+  - Persistence: TA0003
+  mitre_techniques:
+  - Modify Registry: T1112
+  platform:
+  - windows