1. Home
  2. Software
  3. PcShare

PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[1][2]

ID: S1050
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 13 October 2022
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .015 事件触发执行: Component Object Model Hijacking

PcShare has created the HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32 Registry key for persistence.[1]
Enterprise T1005 从本地系统获取数据

PcShare can collect files and information from a compromised host.[1]
Enterprise T1036 .001 伪装: Invalid Code Signature

PcShare has used an invalid certificate in attempt to appear legitimate.[1]
.005 伪装: Match Legitimate Name or Location

PcShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate Client.[1]
Enterprise T1112 修改注册表

PcShare can delete its persistence mechanisms from the registry.[1]
Enterprise T1140 反混淆/解码文件或信息

PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

PcShare can execute cmd commands on a compromised host.[1]
Enterprise T1113 屏幕捕获

PcShare can take screen shots of a compromised machine.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

PcShare has used HTTP for C2 communication.[1]
Enterprise T1106 本机API

PcShare has used a variety of Windows API functions.[1]
Enterprise T1012 查询注册表

PcShare can search the registry files of a compromised host.[1]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with LZW algorithm.[1]
Enterprise T1070 .004 移除指标: File Deletion

PcShare has deleted its files and components from a compromised host.[1]
Enterprise T1218 .011 系统二进制代理执行: Rundll32

PcShare has used rundll32.exe for execution.[1]
Enterprise T1016 系统网络配置发现

PcShare can obtain the proxy settings of a compromised machine using InternetQueryOptionA and its IP address by running nslookup myip.opendns.comresolver1.opendns.com\r\n.[1]
Enterprise T1125 视频捕获

PcShare can capture camera video as part of its collection process.[1]
Enterprise T1056 .001 输入捕获: Keylogging

PcShare has the ability to capture keystrokes.[1]
Enterprise T1057 进程发现

PcShare can obtain a list of running processes on a compromised host.[1]
Enterprise T1055 进程注入

The PcShare payload has been injected into the logagent.exe and rdpclip.exe processes.[1]
Enterprise T1041 通过C2信道渗出

PcShare can upload files and information from a compromised host to its C2 servers.[1]

Groups That Use This Software

ID Name References
G1023 APT5

[3]

Campaigns

ID Name Description
C0007 FunnyDream

During FunnyDream the threat actors used a customized version of PcShare.[1]

References

  1. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  2. LiveMirror. (2014, September 17). PcShare. Retrieved October 11, 2022.
  1. Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.