S1043 ccf32
ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]
| Item | Value | 
|---|---|
| ID | S1043 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 22 September 2022 | 
| Last Modified | 10 October 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | ccf32 has used `xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y` to archive collected files.[1] |
| enterprise | T1119 | Automated Collection | ccf32 can be used to automatically collect files from a compromised host.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ccf32 has used cmd.exe for archiving data and deleting files.[1] |
| enterprise | T1005 | Data from Local System | ccf32 can collect files from a compromised host.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | ccf32 can temporarily store files in a hidden directory on the local host.[1] |
| enterprise | T1074.002 | Remote Data Staging | ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | ccf32 can upload collected data and files to an FTP server.[1] |
| enterprise | T1083 | File and Directory Discovery | ccf32 can parse collected files to identify specific file extensions.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ccf32 can delete files and folders from compromised machines.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | ccf32 can run on a daily basis using a scheduled task.[1] |
| enterprise | T1124 | System Time Discovery | ccf32 can determine the local time on targeted machines.[1] |