{
  "description": "Enterprise techniques used by FunnyDream, ATT&CK software S1044 (v1.1)",
  "name": "FunnyDream (S1044)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1010", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has the ability to discover application windows via execution of `EnumWindows`.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.002", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has compressed collected files with zlib.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560.003", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has compressed collected files with zlib and encrypted them using an XOR operation with the string key from the command line, or `qwerasdf` if the command line argument doesn\u2019t contain the key. File names are obfuscated using XOR with the same key as the compressed file content.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can monitor files for changes and automatically collect them.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can use a Registry Run Key and the Startup folder to establish persistence.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can use `cmd.exe` for execution on remote hosts.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can upload files from victims' machines.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: Kaspersky APT Trends Q1 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1025", "comment": "The [FunnyDream](https://attack.mitre.org/software/S1044) FilePakMonitor component has the ability to collect files from removable devices.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1001", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can send compressed and obfuscated packets to C2.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can stage collected information, including screen captures and logged keystrokes, locally.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can execute commands, including gathering user information, and send the results to C2.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has the ability to clean traces of malware deployment.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can delete files, including its dropper component.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can download additional files onto a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "The [FunnyDream](https://attack.mitre.org/software/S1044) Keyrecord component can capture keystrokes.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.001", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can use COM objects identified with `CLSID_ShellLink` (`IShellLink` and `IPersistFile`) and `WScript.Shell` (`RegWrite` method) to enable persistence mechanisms.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has used a service named `WSearch` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can use Native API for defense evasion, discovery, and collection.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can communicate with C2 over TCP and UDP.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can Base64 encode its C2 address stored in a template binary with the `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-` or\n`xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=` character sets.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "The [FunnyDream](https://attack.mitre.org/software/S1044) FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has the ability to discover processes, including `Bka.exe` and `BkavUtil.exe`.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "The [FunnyDream](https://attack.mitre.org/software/S1044) FilepakMonitor component can inject into the `Bka.exe` process using the `VirtualAllocEx`, `WriteProcessMemory`, and `CreateRemoteThread` APIs to load the DLL component.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1572", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can connect to HTTP proxies via TCP to create a tunnel to C2.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can identify and use configured proxies in a compromised network for C2 communication.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can check `Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings` to extract the `ProxyServer` string.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1018", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can collect information about hosts on the victim network.(Citation: Kaspersky APT Trends Q1 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "The [FunnyDream](https://attack.mitre.org/software/S1044) ScreenCap component can take screenshots on a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can identify the processes for Bkav antivirus.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can use `rundll32` for execution of its components.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can enumerate all logical drives on a targeted machine.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can parse the `ProxyServer` string in the Registry to discover HTTP proxies.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) has the ability to gather user information from the targeted system using `whoami/upn&whoami/fqdn&whoami/logonid&whoami/all`.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can check system time to help determine when changes were made to specified files.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[FunnyDream](https://attack.mitre.org/software/S1044) can use WMI to open a Windows command shell on a remote machine.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FunnyDream", "color": "#66b1ff"}]
}
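The T1027.013 and T1560.003 comments above describe two encodings an analyst has to undo when triaging FunnyDream artifacts: a Base64 variant with a non-standard alphabet (two alphabets are quoted, differing only in the 64th symbol, `-` or `=`), and staged files that are zlib-compressed and then XORed with a command-line key, falling back to `qwerasdf`, with the file name XORed under the same key. The Python below is an added example written for this layer, not code from FunnyDream, Bitdefender, or MITRE. It assumes things the layer does not state: that the XOR key repeats cyclically over the data, that the custom Base64 is otherwise standard (6-bit groups, `=` padding only when `=` is not a data symbol), and that the sample C2 string and document are constructed test inputs. It also adds the check a practitioner wants when the key is unknown: after XOR, a correct key must expose a valid zlib header (CM = 8, and CMF*256+FLG divisible by 31).

```python
"""Decoders for the two FunnyDream encodings described in the layer comments.

Added example, not FunnyDream's own code or any vendor's tooling.
Assumptions (not stated in the layer): cyclic repeating XOR key; custom
Base64 is otherwise standard; sample inputs below are constructed.
"""
import base64
import string
import zlib

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# The two alphabets quoted in the T1027.013 comment (index 63 differs).
FUNNYDREAM_ALPHABETS = (
    "xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-",
    "xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=",
)

DEFAULT_XOR_KEY = b"qwerasdf"  # fallback key named in the T1560.003 comment


def custom_b64_decode(text: str, alphabet: str) -> bytes:
    """Decode Base64 written with `alphabet` in place of the standard one.

    Each custom symbol maps to the standard symbol at the same index, then
    the standard library does the bit-unpacking. '=' is treated as padding
    only when it is not itself a data symbol of the alphabet (assumption).
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    if "=" not in alphabet:
        text = text.rstrip("=")
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # re-pad to a multiple of four symbols
    return base64.b64decode(std, validate=True)


def custom_b64_encode(data: bytes, alphabet: str) -> str:
    """Inverse of custom_b64_decode; used here only to build test vectors."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one function encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_file(name: str, content: bytes, key: bytes = DEFAULT_XOR_KEY) -> tuple[bytes, bytes]:
    """Build a FunnyDream-style staged file: zlib-compress the content, XOR
    the result with the key, and XOR the file name with the same key."""
    return xor_with_key(name.encode("utf-8"), key), xor_with_key(zlib.compress(content), key)


def key_is_plausible(obf_content: bytes, key: bytes) -> bool:
    """Cheap key check: XOR of a correct key must expose a zlib header
    (RFC 1950: CM field == 8 and CMF*256+FLG is a multiple of 31)."""
    if len(obf_content) < 2:
        return False
    cmf, flg = xor_with_key(obf_content[:2], key)
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def unpack_file(obf_name: bytes, obf_content: bytes, key: bytes = DEFAULT_XOR_KEY) -> tuple[str, bytes]:
    """Reverse pack_file; raises zlib.error when the key is wrong."""
    name = xor_with_key(obf_name, key).decode("utf-8", errors="replace")
    content = zlib.decompress(xor_with_key(obf_content, key))
    return name, content


def demo() -> dict:
    """Round-trip both schemes on constructed inputs (TEST-NET-3 address)."""
    c2 = b"203.0.113.10:443"                          # constructed, not a real IOC
    encoded = custom_b64_encode(c2, FUNNYDREAM_ALPHABETS[0])
    decoded = custom_b64_decode(encoded, FUNNYDREAM_ALPHABETS[0])
    obf_name, obf_blob = pack_file("report.docx", b"Q1 budget " * 50)
    name, content = unpack_file(obf_name, obf_blob)
    return {
        "c2_roundtrip": decoded == c2,
        "file_roundtrip": name == "report.docx" and content == b"Q1 budget " * 50,
        "default_key_plausible": key_is_plausible(obf_blob, DEFAULT_XOR_KEY),
        "wrong_key_plausible": key_is_plausible(obf_blob, b"wrongkey"),
    }


if __name__ == "__main__":
    print(demo())
```

When a sample was launched with a key on the command line, run `key_is_plausible` over candidate keys recovered from process-creation telemetry or the dropper before attempting a full decompress; the header test rejects wrong keys without relying on `zlib.error`.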