Skip to content

S1043 ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.1

Item Value
ID S1043
Associated Names
Version 1.0
Created 22 September 2022
Last Modified 10 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility ccf32 has used xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y to archive collected files.1
enterprise T1119 Automated Collection ccf32 can be used to automatically collect files from a compromised host.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell ccf32 has used cmd.exe for archiving data and deleting files.1
enterprise T1005 Data from Local System ccf32 can collect files from a compromised host.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging ccf32 can temporarily store files in a hidden directory on the local host.1
enterprise T1074.002 Remote Data Staging ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.1
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol ccf32 can upload collected data and files to an FTP server.1
enterprise T1083 File and Directory Discovery ccf32 can parse collected files to identify specific file extensions.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion ccf32 can delete files and folders from compromised machines.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task ccf32 can run on a daily basis using a scheduled task.1
enterprise T1124 System Time Discovery ccf32 can determine the local time on targeted machines.1