JUST RELEASED: ATT&CK for Industrial Control Systems
SOFTWARE
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Trojan.Karagany

Trojan.Karagany

Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. [1]

ID: S0094
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

Trojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.[1]
Enterprise T1074 Data Staged

Trojan.Karagany can create a directory (C:\ProgramData\Mail\MailAg\gl) to use as a temporary directory for uploading files.[1]
Enterprise T1057 Process Discovery

Trojan.Karagany can use tasklist to collect a list of running tasks.[1]
Enterprise T1060 Registry Run Keys / Startup Folder

Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[1]
Enterprise T1105 Remote File Copy

Trojan.Karagany can upload, download, and execute files on the victim.[1]
Enterprise T1113 Screen Capture

Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.[1]
Enterprise T1045 Software Packing

Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[1]

Groups That Use This Software

ID Name References
G0035 Dragonfly [1]

References

  1. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.