{"description": "Enterprise techniques used by ccf32, ATT&CK software S1043 (v1.0)", "name": "ccf32 (S1043)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[ccf32](https://attack.mitre.org/software/S1043) has used `xcopy \\\\\\c$\\users\\public\\path.7z c:\\users\\public\\bin\\.7z /H /Y` to archive collected files.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can be used to automatically collect files from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[ccf32](https://attack.mitre.org/software/S1043) has used `cmd.exe` for archiving data and deleting files.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can collect files from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can temporarily store files in a hidden directory on the local host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1074.002", "comment": "[ccf32](https://attack.mitre.org/software/S1043) has copied files to a remote machine infected with [Chinoxy](https://attack.mitre.org/software/S1041) or another backdoor.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can upload collected data and files to an FTP server.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can parse collected files to identify specific file extensions.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[ccf32](https://attack.mitre.org/software/S1043) has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can delete files and folders from compromised machines.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can run on a daily basis using a scheduled task.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1124", "comment": "[ccf32](https://attack.mitre.org/software/S1043) can determine the local time on targeted machines.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff",
"#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ccf32", "color": "#66b1ff"}]}