General

  • Target

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7

  • Size

    3.1MB

  • Sample

    210618-f49n1ljv3n

  • MD5

    327090cbddf94fc901662f0e863ba0cb

  • SHA1

    fd357aad2d5529127d90757987a2c5ce88ea2a76

  • SHA256

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7

  • SHA512

    16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6

Malware Config

Targets

    • Klingon

      Klingon is a remote access trojan written in Golang with various capabilities.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)

Tasks