| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1010 | Application Window Discovery | FunnyDream has the ability to discover application windows via execution of EnumWindows. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | FunnyDream has compressed collected files with zLib. |
| enterprise | T1560.003 | Archive via Custom Method | FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line, or qwerasdf if the command line argument doesn't contain the key. File names are obfuscated using XOR with the same key as the compressed file content. |
| enterprise | T1119 | Automated Collection | FunnyDream can monitor files for changes and automatically collect them. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | FunnyDream can use a Registry Run Key and the Startup folder to establish persistence. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | FunnyDream can use cmd.exe for execution on remote hosts. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | FunnyDream has established persistence by running sc.exe and by setting the WSearch service to run automatically. |
| enterprise | T1005 | Data from Local System | FunnyDream can upload files from victims' machines. |
| enterprise | T1025 | Data from Removable Media | The FunnyDream FilePakMonitor component has the ability to collect files from removable devices. |
| enterprise | T1001 | Data Obfuscation | FunnyDream can send compressed and obfuscated packets to C2. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | FunnyDream can stage collected information, including screen captures and logged keystrokes, locally. |
| enterprise | T1041 | Exfiltration Over C2 Channel | FunnyDream can execute commands, including gathering user information, and send the results to C2. |
| enterprise | T1083 | File and Directory Discovery | FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection. |
| enterprise | T1070 | Indicator Removal | FunnyDream has the ability to clean traces of malware deployment. |
| enterprise | T1070.004 | File Deletion | FunnyDream can delete files, including its dropper component. |
| enterprise | T1105 | Ingress Tool Transfer | FunnyDream can download additional files onto a compromised host. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | The FunnyDream Keyrecord component can capture keystrokes. |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | FunnyDream can use COM objects identified with CLSID_ShellLink (IShellLink and IPersistFile) and WScript.Shell (RegWrite method) to enable persistence mechanisms. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | FunnyDream has used a service named WSearch for execution. |
| enterprise | T1106 | Native API | FunnyDream can use the Native API for defense evasion, discovery, and collection. |
| enterprise | T1095 | Non-Application Layer Protocol | FunnyDream can communicate with C2 over TCP and UDP. |
| enterprise | T1027 | Obfuscated Files or Information | FunnyDream can Base64 encode its C2 address stored in a template binary with the xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_- or xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_= character sets. |
| enterprise | T1120 | Peripheral Device Discovery | The FunnyDream FilepakMonitor component can detect removable drive insertion. |
| enterprise | T1057 | Process Discovery | FunnyDream has the ability to discover processes, including Bka.exe and BkavUtil.exe. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread APIs to load the DLL component. |
| enterprise | T1572 | Protocol Tunneling | FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2. |
| enterprise | T1090 | Proxy | FunnyDream can identify and use configured proxies in a compromised network for C2 communication. |
| enterprise | T1012 | Query Registry | FunnyDream can check Software\Microsoft\Windows\CurrentVersion\Internet Settings to extract the ProxyServer string. |
| enterprise | T1018 | Remote System Discovery | FunnyDream can collect information about hosts on the victim network. |
| enterprise | T1113 | Screen Capture | The FunnyDream ScreenCap component can take screenshots on a compromised host. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | FunnyDream can identify the processes for Bkav antivirus. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | FunnyDream can use rundll32 for execution of its components. |
| enterprise | T1082 | System Information Discovery | FunnyDream can enumerate all logical drives on a targeted machine. |
| enterprise | T1016 | System Network Configuration Discovery | FunnyDream can parse the ProxyServer string in the Registry to discover HTTP proxies. |
| enterprise | T1033 | System Owner/User Discovery | FunnyDream has the ability to gather user information from the targeted system using whoami/upn&whoami/fqdn&whoami/logonid&whoami/all. |
| enterprise | T1124 | System Time Discovery | FunnyDream can check the system time to help determine when changes were made to specified files. |
| enterprise | T1047 | Windows Management Instrumentation | FunnyDream can use WMI to open a Windows command shell on a remote machine. |