Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f)

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 1 |
| Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 1 |
| External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) | Attack Pattern | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Doki - S0600 (4f1c389e-a80e-4a3e-9b0e-9be8c91df64f) | Malware | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 2 |