ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ccf32 has used |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | ccf32 has used |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | ccf32 can temporarily store files in a hidden directory on the local host.[1] |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[1] |
| Enterprise | T1083 | File and Directory Discovery | ccf32 can parse collected files to identify specific file extensions.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | ccf32 can upload collected data and files to an FTP server.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ccf32 can delete files and folders from compromised machines.[1] |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1119 | Automated Collection | ccf32 can be used to automatically collect files from a compromised host.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |

| ID | Name | Description |
|---|---|---|
| C0007 | FunnyDream | During FunnyDream, ccf32 was used to collect data.[1] |