ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]

ID: S1043
Platforms: Windows
Version: 1.0
Created: 22 September 2022
Last Modified: 10 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

ccf32 has used xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y to archive collected files.[1]

Enterprise T1119 Automated Collection

ccf32 can be used to automatically collect files from a compromised host.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ccf32 has used cmd.exe for archiving data and deleting files.[1]

Enterprise T1005 Data from Local System

ccf32 can collect files from a compromised host.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

ccf32 can temporarily store files in a hidden directory on the local host.[1]

.002 Data Staged: Remote Data Staging

ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

ccf32 can upload collected data and files to an FTP server.[1]

Enterprise T1083 File and Directory Discovery

ccf32 can parse collected files to identify specific file extensions.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

ccf32 can delete files and folders from compromised machines.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ccf32 can run on a daily basis using a scheduled task.[1]

Enterprise T1124 System Time Discovery

ccf32 can determine the local time on targeted machines.[1]


ID Name Description
C0007 FunnyDream

During FunnyDream, ccf32 was used to collect data.[1]