Skip to content

S0094 Trojan.Karagany

Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. 321

Item Value
ID S0094
Associated Names xFrost, Karagany
Version 3.0
Created 31 May 2017
Last Modified 19 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
xFrost 2
Karagany 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Trojan.Karagany can communicate with C2 via HTTP POST requests.2
enterprise T1010 Application Window Discovery Trojan.Karagany can monitor the titles of open windows to identify specific keywords.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.32
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.2
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Trojan.Karagany can steal data and credentials from browsers.2
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.32
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Trojan.Karagany can secure C2 communications with SSL and TLS.2
enterprise T1083 File and Directory Discovery Trojan.Karagany can enumerate files and directories on a compromised host.2
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Trojan.Karagany has used plugins with a self-delete capability.2
enterprise T1105 Ingress Tool Transfer Trojan.Karagany can upload, download, and execute files on the victim.32
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Trojan.Karagany can capture keystrokes on a compromised host.2
enterprise T1027 Obfuscated Files or Information Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.2
enterprise T1027.002 Software Packing Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.32
enterprise T1003 OS Credential Dumping Trojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.3
enterprise T1057 Process Discovery Trojan.Karagany can use Tasklist to collect a list of running tasks.32
enterprise T1055 Process Injection -
enterprise T1055.003 Thread Execution Hijacking Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the ResumeThread API.2
enterprise T1113 Screen Capture Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.32
enterprise T1082 System Information Discovery Trojan.Karagany can capture information regarding the victim’s OS, security, and hardware configuration.2
enterprise T1016 System Network Configuration Discovery Trojan.Karagany can gather information on the network configuration of a compromised host.2
enterprise T1049 System Network Connections Discovery Trojan.Karagany can use netstat to collect a list of network connections.2
enterprise T1033 System Owner/User Discovery Trojan.Karagany can gather information about the user on a compromised host.2
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.2

Groups That Use This Software

ID Name References
G0035 Dragonfly 324


Back to top