Trojan.Karagany
Trojan.Karagany is a backdoor primarily used for reconnaissance. Its source code was leaked in 2010 and it is sold on underground forums. [1]
ID: S0094
Aliases: Trojan.Karagany
Type: MALWARE
Platforms: Windows
Version: 1.0
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1003 | Credential Dumping | Trojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.[1] |
Enterprise | T1074 | Data Staged | Trojan.Karagany can create a directory (C:\ProgramData\Mail\MailAg\gl) to use as a temporary directory for uploading files.[1] |
Enterprise | T1057 | Process Discovery | Trojan.Karagany can use tasklist to collect a list of running tasks.[1] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[1] |
Enterprise | T1105 | Remote File Copy | Trojan.Karagany can upload, download, and execute files on the victim.[1] |
Enterprise | T1113 | Screen Capture | Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.[1] |
Enterprise | T1045 | Software Packing | Trojan.Karagany samples sometimes use common binary packers such as UPX and ASPack on top of a custom Delphi binary packer.[1] |
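The file paths in the table are specific enough to hunt for directly, and the weaker behaviours (tasklist, a Startup-folder link) are useful only as corroboration. The following is an added example, not code from Symantec, MITRE or the malware's author, that runs that detection logic over constructed file-create and process-create events and correlates the matches per host. The \ProgramData\Mail\MailAg\ paths come from the table; the event schema, the assumption that the "link to itself in the Startup folder" is a .lnk shortcut, and the choice to treat tasklist.exe or a Startup .lnk alone as informational rather than an alert are assumptions made for this example.

```python
import re
from collections import defaultdict

# Paths named in the technique table. Compared case-insensitively with the
# drive letter stripped, since the table gives the directory under \ProgramData.
MAILAG_DIR = "\\programdata\\mail\\mailag\\"
FILE_ARTIFACTS = {
    "T1003": MAILAG_DIR + "pwds.txt",   # dumped passwords
    "T1113": MAILAG_DIR + "shot.png",   # desktop screenshot
}
STAGING_DIR = MAILAG_DIR + "gl"         # staging directory for uploads (T1074)

# Assumption: the "link to itself in the Startup folder" is a .lnk shortcut.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")

# Techniques that on their own justify an alert. tasklist.exe (T1057) and a
# Startup .lnk (T1060) are common on clean hosts and only add context.
STRONG = {"T1003", "T1074", "T1113"}


def normalize(path):
    """Lower-case, use backslashes, drop the drive letter so C:\\ and D:\\ both match."""
    p = path.replace("/", "\\").lower()
    return re.sub(r"^[a-z]:", "", p)


def match_event(ev):
    """Return the technique IDs from the table that one event matches.

    Event schema (constructed for this example, loosely modelled on Sysmon
    FileCreate / ProcessCreate fields; not a real log format):
      {"host": str, "kind": "file_create", "path": str}
      {"host": str, "kind": "proc_create", "image": str}
    """
    hits = []
    if ev.get("kind") == "file_create":
        p = normalize(ev.get("path", ""))
        for tid, artifact in FILE_ARTIFACTS.items():
            if p == artifact:
                hits.append(tid)
        if p == STAGING_DIR or p.startswith(STAGING_DIR + "\\"):
            hits.append("T1074")
        if STARTUP_LNK_RE.search(p):
            hits.append("T1060")
    elif ev.get("kind") == "proc_create":
        if normalize(ev.get("image", "")).endswith("\\tasklist.exe"):
            hits.append("T1057")
    return hits


def triage(events):
    """Correlate matches per host.

    Returns (techniques_per_host, verdict_per_host). A host is reported as
    'karagany_suspect' only when a MailAg artifact was seen; hosts with only
    weak matches are 'informational'; hosts with no matches are omitted.
    """
    per_host = defaultdict(set)
    for ev in events:
        for tid in match_event(ev):
            per_host[ev["host"]].add(tid)
    verdicts = {}
    for host, tids in per_host.items():
        verdicts[host] = "karagany_suspect" if tids & STRONG else "informational"
    return {h: sorted(t) for h, t in per_host.items()}, verdicts


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "file_create",
     "path": "C:\\ProgramData\\Mail\\MailAg\\pwds.txt"},
    {"host": "ws01", "kind": "file_create",
     "path": "C:\\ProgramData\\Mail\\MailAg\\gl\\upload1.bin"},
    {"host": "ws01", "kind": "proc_create",
     "image": "C:\\Windows\\System32\\tasklist.exe"},
    {"host": "ws01", "kind": "file_create",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
             "Start Menu\\Programs\\Startup\\mailag.lnk"},
    # Benign admin running tasklist: should stay informational.
    {"host": "ws02", "kind": "proc_create",
     "image": "C:\\Windows\\System32\\tasklist.exe"},
    # Unrelated file under \ProgramData\Mail: should not match at all.
    {"host": "ws03", "kind": "file_create",
     "path": "C:\\ProgramData\\Mail\\notes.txt"},
]

if __name__ == "__main__":
    techniques, verdicts = triage(SAMPLE_EVENTS)
    for host in sorted(techniques):
        print(host, verdicts[host], ", ".join(techniques[host]))
```

The path matches are exact or prefix comparisons rather than substring searches so that an unrelated file under \ProgramData\Mail does not fire; widen them only if you have seen the same directory name used with other file names. The Startup .lnk check matches any shortcut name, so it is deliberately not an alert on its own.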
Groups
Groups that use this software:
Dragonfly