ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | ccf32 has used |
| | | | ccf32 can be used to automatically collect files from a compromised host. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ccf32 has used |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | ccf32 can temporarily store files in a hidden directory on the local host. |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor. |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | ccf32 can upload collected data and files to an FTP server. |
| Enterprise | T1083 | File and Directory Discovery | ccf32 can parse collected files to identify specific file extensions. |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day). |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ccf32 can delete files and folders from compromised machines. |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1124 | System Time Discovery | |
During FunnyDream, ccf32 was used to collect data.