DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [1]

ID: S0255
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

DDKONG decodes an embedded configuration using XOR.[1]

Enterprise T1083 File and Directory Discovery

DDKONG lists files on the victim’s machine.[1]

Enterprise T1105 Ingress Tool Transfer

DDKONG downloads and uploads files on the victim’s machine.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.[1]

Groups That Use This Software

ID Name References
G0075 Rancor