

DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017.[1]

| Item | Value |
|---|---|
| ID | S0255 |
| Version | 1.0 |
| Created | 17 October 2018 |
| Last Modified | 17 October 2018 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DDKONG decodes an embedded configuration using XOR.[1] |
| enterprise | T1083 | File and Directory Discovery | DDKONG lists files on the victim's machine.[1] |
| enterprise | T1105 | Ingress Tool Transfer | DDKONG downloads and uploads files on the victim's machine.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0075 | Rancor | [1] |

