PCShare
(Type: Backdoor)

A Chinese open-source backdoor.

[News Analysis] Trends:

Total Trend: 0
Trend Per Year: (no data)
Trend Per Month: (no data)


[News Analysis] News Mention Another Threat Name:

(none listed)

[TTP Analysis] Technique Performance:

Tactic                   Techniques (observed / total)
Reconnaissance           0/43
Resource Development     0/45
Initial Access           0/19
Execution                2/36
Persistence              1/113
Privilege Escalation     2/96
Defense Evasion          8/184
Credential Access        1/63
Discovery                3/44
Lateral Movement         0/22
Collection               4/37
Command and Control      1/39
Exfiltration             1/18
Impact                   0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics with no mapped techniques: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0008 Lateral Movement, TA0040 Impact.

TA0002 Execution
  T1059.003  Command and Scripting Interpreter: Windows Command Shell
  T1106      Native API

TA0003 Persistence
  T1546.015  Event Triggered Execution: Component Object Model Hijacking

TA0004 Privilege Escalation
  T1546.015  Event Triggered Execution: Component Object Model Hijacking
  T1055      Process Injection

TA0005 Defense Evasion
  T1140      Deobfuscate/Decode Files or Information
  T1070.004  Indicator Removal: File Deletion
  T1036.001  Masquerading: Invalid Code Signature
  T1036.005  Masquerading: Match Legitimate Name or Location
  T1112      Modify Registry
  T1027      Obfuscated Files or Information
  T1055      Process Injection
  T1218.011  System Binary Proxy Execution: Rundll32

TA0006 Credential Access
  T1056.001  Input Capture: Keylogging

TA0007 Discovery
  T1057      Process Discovery
  T1012      Query Registry
  T1016      System Network Configuration Discovery

TA0009 Collection
  T1005      Data from Local System
  T1056.001  Input Capture: Keylogging
  T1113      Screen Capture
  T1125      Video Capture

TA0011 Command and Control
  T1071.001  Application Layer Protocol: Web Protocols

TA0010 Exfiltration
  T1041      Exfiltration Over C2 Channel


[Infrastructure Analysis] Based on Related IOC:

IP:Port (Timestamp): none listed
Domain (Timestamp): none listed
URL (Timestamp): none listed


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: PCShare

Names: PCShare

Description: A Chinese open-source backdoor.

Category: Tools

Type: Backdoor

Information: https://github.com/LiveMirror/pcshare

Information: https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf

Mitre-attack: https://attack.mitre.org/software/S1050/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:PcShare

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics with no mapped techniques: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0008 Lateral Movement, TA0040 Impact.

TA0002 Execution

T1059.003  Command and Scripting Interpreter: Windows Command Shell
  PCShare can execute cmd commands on a compromised host.
T1106  Native API
  PCShare has used a variety of Windows API functions.

TA0003 Persistence

T1546.015  Event Triggered Execution: Component Object Model Hijacking
  PCShare has created the HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 registry key for persistence.

TA0004 Privilege Escalation

T1546.015  Event Triggered Execution: Component Object Model Hijacking
  PCShare has created the HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 registry key for persistence.
T1055  Process Injection
  The PCShare payload has been injected into the logagent.exe and rdpclip.exe processes.

TA0005 Defense Evasion

T1140  Deobfuscate/Decode Files or Information
  PCShare has decrypted its strings by applying an XOR operation and a decompression using a custom-implemented LZM algorithm.
T1070.004  Indicator Removal: File Deletion
  PCShare has deleted its files and components from a compromised host.
T1036.001  Masquerading: Invalid Code Signature
  PCShare has used an invalid certificate in an attempt to appear legitimate.
T1036.005  Masquerading: Match Legitimate Name or Location
  PCShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate client.
T1112  Modify Registry
  PCShare can delete its persistence mechanisms from the registry.
T1027  Obfuscated Files or Information
  PCShare has been encrypted with XOR using different 32-long Base16 strings and compressed with the LZW algorithm.
T1055  Process Injection
  The PCShare payload has been injected into the logagent.exe and rdpclip.exe processes.
T1218.011  System Binary Proxy Execution: Rundll32
  PCShare has used rundll32.exe for execution.

TA0006 Credential Access

T1056.001  Input Capture: Keylogging
  PCShare has the ability to capture keystrokes.

TA0007 Discovery

T1057  Process Discovery
  PCShare can obtain a list of running processes on a compromised host.
T1012  Query Registry
  PCShare can search the registry files of a compromised host.
T1016  System Network Configuration Discovery
  PCShare can obtain the proxy settings of a compromised machine using InternetQueryOptionA, and its IP address by running nslookup myip.opendns.com resolver1.opendns.com\r\n.

TA0009 Collection

T1005  Data from Local System
  PCShare can collect files and information from a compromised host.
T1056.001  Input Capture: Keylogging
  PCShare has the ability to capture keystrokes.
T1113  Screen Capture
  PCShare can take screenshots of a compromised machine.
T1125  Video Capture
  PCShare can capture camera video as part of its collection process.

TA0011 Command and Control

T1071.001  Application Layer Protocol: Web Protocols
  PCShare has used HTTP for C2 communication.

TA0010 Exfiltration

T1041  Exfiltration Over C2 Channel
  PCShare can upload files and information from a compromised host to its C2 servers.