FunnyDream has the ability to discover application windows via execution ofEnumWindows.^[1]

FunnyDream has compressed collected files with zLib.^[1]

FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line orqwerasdf if the command line argument doesn’t contain the key. File names are obfuscated using XOR with the same key as the compressed file content.^[1]

FunnyDream can monitor files for changes and automatically collect them.^[1]

FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.^[1]

FunnyDream can usecmd.exe for execution on remote hosts.^[1]

FunnyDream has established persistence by runningsc.exe and by setting theWSearch service to run automatically.^[1]

FunnyDream can upload files from victims' machines.^[1][2]

TheFunnyDream FilePakMonitor component has the ability to collect files from removable devices.^[1]

FunnyDream can send compressed and obfuscated packets to C2.^[1]

FunnyDream can stage collected information including screen captures and logged keystrokes locally.^[1]

FunnyDream can execute commands, including gathering user information, and send the results to C2.^[1]

FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.^[1]

FunnyDream has the ability to clean traces of malware deployment.^[1]

FunnyDream can delete files including its dropper component.^[1]

FunnyDream can download additional files onto a compromised host.^[1]

TheFunnyDream Keyrecord component can capture keystrokes.^[1]

FunnyDream can use com objects identified withCLSID_ShellLink(IShellLink andIPersistFile) andWScript.Shell(RegWrite method) to enable persistence mechanisms.^[1]

FunnyDream can enumerate all logical drives on a targeted machine.^[1]

FunnyDream has used a service namedWSearch for execution.^[1]

FunnyDream can use Native API for defense evasion, discovery, and collection.^[1]

FunnyDream can communicate with C2 over TCP and UDP.^[1]

FunnyDream can Base64 encode its C2 address stored in a template binary with thexyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_- or
xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_= character sets.^[1]

TheFunnyDream FilepakMonitor component can detect removable drive insertion.^[1]

FunnyDream has the ability to discover processes, includingBka.exe andBkavUtil.exe.^[1]

TheFunnyDream FilepakMonitor component can inject into the Bka.exe process using theVirtualAllocEx,WriteProcessMemory andCreateRemoteThread APIs to load the DLL component.^[1]

FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2.^[1]

FunnyDream can identify and use configured proxies in a compromised network for C2 communication.^[1]

FunnyDream can checkSoftware\Microsoft\Windows\CurrentVersion\Internet Settings to extract theProxyServer string.^[1]

FunnyDream can collect information about hosts on the victim network.^[2]

TheFunnyDream ScreenCap component can take screenshots on a compromised host.^[1]

FunnyDream can identify the processes for Bkav antivirus.^[1]

FunnyDream can userundll32 for execution of its components.^[1]

FunnyDream can parse theProxyServer string in the Registry to discover http proxies.^[1]

FunnyDream has the ability to gather user information from the targeted system usingwhoami/upn&whoami/fqdn&whoami/logonid&whoami/all.^[1]

FunnyDream can check system time to help determine when changes were made to specified files.^[1]

FunnyDream can use WMI to open a Windows command shell on a remote machine.^[1]

During theFunnyDream campaign, theFunnyDream backdoor was used to execute multiple components and exfiltrate files.^[1]