Skip to content

S1044 FunnyDream

FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.1

Item Value
ID S1044
Associated Names
Version 1.0
Created 23 September 2022
Last Modified 11 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1010 Application Window Discovery FunnyDream has the ability to discover application windows via execution of EnumWindows.1
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library FunnyDream has compressed collected files with zLib.1
enterprise T1560.003 Archive via Custom Method FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line or qwerasdf if the command line argument doesn’t contain the key. File names are obfuscated using XOR with the same key as the compressed file content.1
enterprise T1119 Automated Collection FunnyDream can monitor files for changes and automatically collect them.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell FunnyDream can use cmd.exe for execution on remote hosts.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service FunnyDream has established persistence by running sc.exe and by setting the WSearch service to run automatically.1
enterprise T1005 Data from Local System FunnyDream can upload files from victims’ machines.12
enterprise T1025 Data from Removable Media The FunnyDream FilePakMonitor component has the ability to collect files from removable devices.1
enterprise T1001 Data Obfuscation FunnyDream can send compressed and obfuscated packets to C2.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging FunnyDream can stage collected information including screen captures and logged keystrokes locally.1
enterprise T1041 Exfiltration Over C2 Channel FunnyDream can execute commands, including gathering user information, and send the results to C2.1
enterprise T1083 File and Directory Discovery FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.1
enterprise T1070 Indicator Removal FunnyDream has the ability to clean traces of malware deployment.1
enterprise T1070.004 File Deletion FunnyDream can delete files including its dropper component.1
enterprise T1105 Ingress Tool Transfer FunnyDream can download additional files onto a compromised host.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging The FunnyDream Keyrecord component can capture keystrokes.1
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model FunnyDream can use com objects identified with CLSID_ShellLink(IShellLink and IPersistFile) and WScript.Shell(RegWrite method) to enable persistence mechanisms.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service FunnyDream has used a service named WSearch for execution.1
enterprise T1106 Native API FunnyDream can use Native API for defense evasion, discovery, and collection.1
enterprise T1095 Non-Application Layer Protocol FunnyDream can communicate with C2 over TCP and UDP.1
enterprise T1027 Obfuscated Files or Information FunnyDream can Base64 encode its C2 address stored in a template binary with the xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_- or
xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_= character sets.1
enterprise T1120 Peripheral Device Discovery The FunnyDream FilepakMonitor component can detect removable drive insertion.1
enterprise T1057 Process Discovery FunnyDream has the ability to discover processes, including Bka.exe and BkavUtil.exe.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread APIs to load the DLL component.1
enterprise T1572 Protocol Tunneling FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2.1
enterprise T1090 Proxy FunnyDream can identify and use configured proxies in a compromised network for C2 communication.1
enterprise T1012 Query Registry FunnyDream can check Software\Microsoft\Windows\CurrentVersion\Internet Settings to extract the ProxyServer string.1
enterprise T1018 Remote System Discovery FunnyDream can collect information about hosts on the victim network.2
enterprise T1113 Screen Capture The FunnyDream ScreenCap component can take screenshots on a compromised host.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery FunnyDream can identify the processes for Bkav antivirus.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 FunnyDream can use rundll32 for execution of its components.1
enterprise T1082 System Information Discovery FunnyDream can enumerate all logical drives on a targeted machine.1
enterprise T1016 System Network Configuration Discovery FunnyDream can parse the ProxyServer string in the Registry to discover http proxies.1
enterprise T1033 System Owner/User Discovery FunnyDream has the ability to gather user information from the targeted system using whoami/upn&whoami/fqdn&whoami/logonid&whoami/all.1
enterprise T1124 System Time Discovery FunnyDream can check system time to help determine when changes were made to specified files.1
enterprise T1047 Windows Management Instrumentation FunnyDream can use WMI to open a Windows command shell on a remote machine.1