Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Trojan.Karagany

Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. [1]

ID: S0094
Aliases: Trojan.Karagany
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1003Credential DumpingTrojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.[1]
EnterpriseT1074Data StagedTrojan.Karagany can create a directory (C:\ProgramData\Mail\MailAg\gl) to use as a temporary directory for uploading files.[1]
EnterpriseT1057Process DiscoveryTrojan.Karagany can use tasklist to collect a list of running tasks.[1]
EnterpriseT1060Registry Run Keys / Startup FolderTrojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[1]
EnterpriseT1105Remote File CopyTrojan.Karagany can upload, download, and execute files on the victim.[1]
EnterpriseT1113Screen CaptureTrojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.[1]
EnterpriseT1045Software PackingTrojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[1]

Groups

Groups that use this software:

Dragonfly

References