ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | ccf32 has used
Enterprise | T1119 | Automated Collection | ccf32 can be used to automatically collect files from a compromised host.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ccf32 has used
Enterprise | T1005 | Data from Local System |
Enterprise | T1074.001 | Data Staged: Local Data Staging | ccf32 can temporarily store files in a hidden directory on the local host.[1]
Enterprise | T1074.002 | Data Staged: Remote Data Staging | ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[1]
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | ccf32 can upload collected data and files to an FTP server.[1]
Enterprise | T1083 | File and Directory Discovery | ccf32 can parse collected files to identify specific file extensions.[1]
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).[1]
Enterprise | T1070.004 | Indicator Removal: File Deletion | ccf32 can delete files and folders from compromised machines.[1]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task |
Enterprise | T1124 | System Time Discovery |
ID | Name | Description
---|---|---
C0007 | FunnyDream | During FunnyDream, ccf32 was used to collect data.[1]