Trojan.Karagany is a modular remote access tool used for reconnaissance and linked to Dragonfly. Its source code originated from the Dream Loader malware, which was leaked in 2010 and sold on underground forums. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Trojan.Karagany can steal data and credentials from browsers.[2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Trojan.Karagany can secure C2 communications with SSL and TLS.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.[2] |
| Enterprise | T1113 | Screen Capture | Trojan.Karagany can take a desktop screenshot and save the file into |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Trojan.Karagany can communicate with C2 via HTTP POST requests.[2] |
| Enterprise | T1010 | Application Window Discovery | Trojan.Karagany can monitor the titles of open windows to identify specific keywords.[2] |
| Enterprise | T1003 | OS Credential Dumping | Trojan.Karagany can dump passwords and save them into |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | Trojan.Karagany can enumerate files and directories on a compromised host.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[2] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Trojan.Karagany samples sometimes use common binary packers such as UPX and ASPack on top of a custom Delphi binary packer.[1][2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Trojan.Karagany has used plugins with a self-delete capability.[2] |
| Enterprise | T1082 | System Information Discovery | Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Trojan.Karagany can gather information about the user on a compromised host.[2] |
| Enterprise | T1049 | System Network Connections Discovery | Trojan.Karagany can use netstat to collect a list of network connections.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Trojan.Karagany can gather information on the network configuration of a compromised host.[2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Trojan.Karagany can upload, download, and execute files on the victim.[1][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Trojan.Karagany can capture keystrokes on a compromised host.[2] |
| Enterprise | T1057 | Process Discovery | Trojan.Karagany can use Tasklist to collect a list of running tasks.[1][2] |
| Enterprise | T1055.003 | Process Injection: Thread Execution Hijacking | Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the |
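The T1497.001 row says the malware recognises virtualization platforms "based primarily on drivers and file paths". The following is an added example of what such a check looks like, written for this page and not taken from the page or from Karagany itself. The driver names are well-known guest-tool artefacts for VMware, VirtualBox and virtio (QEMU/KVM); the page does not say which files any given sample looks for, so treating these as the checked set is an assumption, and the directory tree the demo scans is constructed in a temporary folder rather than a real Windows install.

```python
import tempfile
from pathlib import Path

# Well-known guest-tool driver names, grouped by platform, relative to the
# Windows system root (normally C:\Windows). Assumption: the page names no
# specific artefacts; this list is the editor's, chosen as the commonly known
# files that "driver and file path" checks look for.
VM_ARTIFACTS = {
    "VMware": [
        ("System32", "drivers", "vmmouse.sys"),
        ("System32", "drivers", "vmhgfs.sys"),
        ("System32", "drivers", "vm3dmp.sys"),
    ],
    "VirtualBox": [
        ("System32", "drivers", "VBoxMouse.sys"),
        ("System32", "drivers", "VBoxGuest.sys"),
        ("System32", "drivers", "VBoxSF.sys"),
    ],
    "QEMU/KVM (virtio)": [
        ("System32", "drivers", "viostor.sys"),
        ("System32", "drivers", "vioscsi.sys"),
        ("System32", "drivers", "netkvm.sys"),
    ],
}


def detect_virtualization(system_root):
    """Return {platform: [paths found]} for guest-tool files present under
    system_root. An empty dict means none of the known artefacts exist there;
    it does not prove the host is physical, only that this check found nothing."""
    root = Path(system_root)
    hits = {}
    for platform, artefacts in VM_ARTIFACTS.items():
        found = [str(root.joinpath(*parts))
                 for parts in artefacts if root.joinpath(*parts).is_file()]
        if found:
            hits[platform] = found
    return hits


def build_fake_system_root(base_dir, present):
    """Constructed fixture: create empty files for the given path tuples under
    base_dir/Windows so the check can be exercised offline."""
    root = Path(base_dir) / "Windows"
    for parts in present:
        p = root.joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return root


def run_demo():
    """Scan a constructed tree that mimics a VMware+VirtualBox guest and an
    empty tree; return (hits_in_vm_tree, hits_in_clean_tree)."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_root = build_fake_system_root(tmp, [
            ("System32", "drivers", "vmmouse.sys"),
            ("System32", "drivers", "VBoxGuest.sys"),
        ])
        clean_root = Path(tmp) / "clean" / "Windows"
        clean_root.mkdir(parents=True)
        return detect_virtualization(vm_root), detect_virtualization(clean_root)


if __name__ == "__main__":
    vm_hits, clean_hits = run_demo()
    print("constructed VM tree:", vm_hits)
    print("constructed clean tree:", clean_hits)
```

The practical caveat for analysts is the inverse of the malware's logic: a sandbox that renames or hides these files will make the sample run its full payload, while an analysis VM that still carries stock guest tools will see the sample go quiet. When detonating Karagany-like samples, remove or rename the guest-tool drivers in the analysis image and compare behaviour against an unmodified image.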
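Three rows in the table describe one observable pattern: reconnaissance commands run through a cmd.exe process (T1059.003), netstat for connections (T1049) and Tasklist for processes (T1057). The detection sketch below is an added example written for this page, not code from the page or from any vendor product; it looks for a burst of distinct built-in recon tools spawned by cmd.exe on one host within a short window. The event field names follow a Sysmon Event ID 1 style shape but are the editor's assumption, the tool list extends the page's netstat and tasklist with a few neighbours an analyst would group with them, and the events are constructed rather than real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Built-in recon tools. netstat and tasklist come from the table; the others are
# the editor's additions, not something the page attributes to Karagany.
RECON_TOOLS = {"netstat.exe", "tasklist.exe", "ipconfig.exe", "systeminfo.exe",
               "whoami.exe", "net.exe", "arp.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields; not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "image": r"C:\Windows\System32\netstat.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "netstat -an"},
    {"ts": "2024-05-01T10:00:05", "host": "ws01", "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "tasklist /v"},
    {"ts": "2024-05-01T10:00:12", "host": "ws01", "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-05-01T10:30:00", "host": "ws01", "image": r"C:\Windows\System32\whoami.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "whoami"},
    {"ts": "2024-05-01T10:00:03", "host": "ws02", "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "tasklist"},
    {"ts": "2024-05-01T10:00:04", "host": "ws02", "image": r"C:\Windows\System32\netstat.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "netstat -an"},
    {"ts": "2024-05-01T10:00:06", "host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def _basename(image):
    # PureWindowsPath parses Windows paths correctly even when run on Linux.
    return PureWindowsPath(image).name.lower()


def find_recon_bursts(events, window_seconds=60, min_distinct=3):
    """Return one alert per host/time window in which at least min_distinct
    different recon tools were spawned by cmd.exe within window_seconds.
    Each alert: {host, start, end, tools, commands}."""
    by_host = defaultdict(list)
    for ev in events:
        if _basename(ev["parent_image"]) != "cmd.exe":
            continue                      # only the cmd.exe-spawned pattern from the table
        tool = _basename(ev["image"])
        if tool not in RECON_TOOLS:
            continue
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tool, ev["cmdline"]))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for host, items in by_host.items():
        items.sort()
        i = 0
        while i < len(items):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1                    # items[i:j] all fall inside the window
            tools = sorted({t for _, t, _ in items[i:j]})
            if len(tools) >= min_distinct:
                alerts.append({
                    "host": host,
                    "start": items[i][0].isoformat(),
                    "end": items[j - 1][0].isoformat(),
                    "tools": tools,
                    "commands": [c for _, _, c in items[i:j]],
                })
                i = j                     # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample only ws01 fires: three distinct tools under cmd.exe within twelve seconds. The later whoami on ws01 is outside the window and alone, ws02's single tasklist is below the threshold, and ws02's netstat is ignored because its parent is powershell.exe rather than cmd.exe. Administrators run these tools too, so in production the window and threshold need tuning and the alert should carry the grandparent of cmd.exe, which is where an implant such as this one would show up.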