ATT&CK v17.1

ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]

ID: S1043
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 September 2022
Last Modified: 16 April 2025

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

ccf32 has used xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y to archive collected files.[1]

Enterprise T1119 Automated Collection

ccf32 can be used to automatically collect files from a compromised host.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ccf32 has used cmd.exe for archiving data and deleting files.[1]

Enterprise T1005 Data from Local System

ccf32 can collect files from a compromised host.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

ccf32 can temporarily store files in a hidden directory on the local host.[1]

Enterprise T1074 .002 Data Staged: Remote Data Staging

ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

ccf32 can upload collected data and files to an FTP server.[1]

Enterprise T1083 File and Directory Discovery

ccf32 can parse collected files to identify specific file extensions.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

ccf32 can delete files and folders from compromised machines.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ccf32 can run on a daily basis using a scheduled task.[1]

Enterprise T1124 System Time Discovery

ccf32 can determine the local time on targeted machines.[1]
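The table above describes two observable staging behaviours: an xcopy of a .7z archive from a remote host's admin share into a local users\public path (T1560.001), and a hidden directory whose name is the current local date (T1564.001). The following detection sketch is an added example written for this page, not code from the ATT&CK project or from the cited report. It runs two simple rules over constructed telemetry records; the record schema (host, image, command_line, path, hidden), the hostnames, and the assumption that the date-named directory uses a YYYYMMDD form are all assumptions made for the example, since the page does not state the exact naming format.

```python
import re
from datetime import datetime

# Constructed sample telemetry for the example (not from any real sensor or from the page):
# simplified process-creation records and directory-creation records.
PROCESS_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\xcopy.exe",
     "command_line": r"xcopy \\WS-07\c$\users\public\path.7z c:\users\public\bin\WS-07.7z /H /Y"},
    {"host": "WS-01", "image": r"C:\Windows\System32\xcopy.exe",
     "command_line": r"xcopy D:\reports\*.docx E:\backup\reports /S /Y"},   # benign local copy
    {"host": "WS-02", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\temp\notes.txt C:\users\public\notes.txt"},
]

DIR_EVENTS = [
    {"host": "WS-07", "path": r"C:\Users\Public\20190215", "hidden": True},    # date-named, hidden
    {"host": "WS-07", "path": r"C:\Users\Public\Music", "hidden": False},
    {"host": "WS-03", "path": r"C:\Users\Public\20220922", "hidden": False},   # date-named but visible
]

# Rule 1 (T1560.001 as mapped on the page): xcopy whose source is a UNC admin share
# (\\host\<drive>$\...) and whose destination is a .7z under a users\public path.
UNC_ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\[a-zA-Z]\$\\", re.IGNORECASE)
ARCHIVE_DEST = re.compile(r"users\\public\\.*\.7z\b", re.IGNORECASE)

def is_adminshare_archive_copy(event):
    """True when an xcopy pulls a .7z from a remote admin share into users\\public."""
    cmd = event["command_line"]
    return (event["image"].lower().endswith("xcopy.exe")
            and UNC_ADMIN_SHARE.search(cmd) is not None
            and ARCHIVE_DEST.search(cmd) is not None)

# Rule 2 (T1564.001): a newly created directory that is hidden and whose name is a
# plausible calendar date. YYYYMMDD is an assumption; the page only says year, month, day.
DATE_NAME = re.compile(r"^\d{8}$")

def is_hidden_date_dir(event):
    """True when a hidden directory's leaf name parses as a YYYYMMDD date."""
    name = event["path"].rstrip("\\").rsplit("\\", 1)[-1]
    if not event["hidden"] or not DATE_NAME.match(name):
        return False
    try:
        datetime.strptime(name, "%Y%m%d")
    except ValueError:
        return False
    return True

def find_staging_indicators(process_events, dir_events):
    """Return (technique_id, host, evidence) tuples for every record that matches a rule."""
    hits = []
    for ev in process_events:
        if is_adminshare_archive_copy(ev):
            hits.append(("T1560.001", ev["host"], ev["command_line"]))
    for ev in dir_events:
        if is_hidden_date_dir(ev):
            hits.append(("T1564.001", ev["host"], ev["path"]))
    return hits

if __name__ == "__main__":
    for technique, host, evidence in find_staging_indicators(PROCESS_EVENTS, DIR_EVENTS):
        print(f"{technique} on {host}: {evidence}")
```

Both rules are deliberately narrow: the first requires the admin-share source and the archive destination together, so ordinary xcopy backups do not fire, and the second requires both the hidden attribute and a valid date, so a visible date-named folder is only a weak signal on its own. In a real deployment the records would come from process-creation and file-system auditing rather than the inline lists.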

Campaigns

ID Name Description
C0007 FunnyDream

During FunnyDream, ccf32 was used to collect data.[1]

References