
S1050 PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[2][1]

| Item | Value |
|---|---|
| ID | S1050 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 13 October 2022 |
| Last Modified | 13 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PcShare has used HTTP for C2 communication.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | PcShare can execute cmd commands on a compromised host.[2] |
| enterprise | T1005 | Data from Local System | PcShare can collect files and information from a compromised host.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PcShare has decrypted its strings by applying an XOR operation and decompressing them with a custom-implemented LZM algorithm.[2] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.015 | Component Object Model Hijacking | PcShare has created the HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 Registry key for persistence.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | PcShare can upload files and information from a compromised host to its C2 servers.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | PcShare has deleted its files and components from a compromised host.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | PcShare has the ability to capture keystrokes.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.001 | Invalid Code Signature | PcShare has used an invalid certificate in an attempt to appear legitimate.[2] |
| enterprise | T1036.005 | Match Legitimate Name or Location | PcShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate Client.[2] |
| enterprise | T1112 | Modify Registry | PcShare can delete its persistence mechanisms from the registry.[2] |
| enterprise | T1106 | Native API | PcShare has used a variety of Windows API functions.[2] |
| enterprise | T1027 | Obfuscated Files or Information | PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with the LZW algorithm.[2] |
| enterprise | T1057 | Process Discovery | PcShare can obtain a list of running processes on a compromised host.[2] |
| enterprise | T1055 | Process Injection | The PcShare payload has been injected into the logagent.exe and rdpclip.exe processes.[2] |
| enterprise | T1012 | Query Registry | PcShare can search the registry files of a compromised host.[2] |
| enterprise | T1113 | Screen Capture | PcShare can take screenshots of a compromised machine.[2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | PcShare has used rundll32.exe for execution.[2] |
| enterprise | T1016 | System Network Configuration Discovery | PcShare can obtain the proxy settings of a compromised machine using InternetQueryOptionA, and its IP address by running nslookup myip.opendns.com resolver1.opendns.com\r\n.[2] |
| enterprise | T1125 | Video Capture | PcShare can capture camera video as part of its collection process.[2] |

References