1. Home
  2. Software
  3. PcShare

PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[1][2]

ID: S1050
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 13 October 2022
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PcShare has used HTTP for C2 communication.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PcShare can execute cmd commands on a compromised host.[1]
Enterprise T1005 Data from Local System

PcShare can collect files and information from a compromised host.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.[1]
Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

PcShare has created the HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32 Registry key for persistence.[1]
Enterprise T1041 Exfiltration Over C2 Channel

PcShare can upload files and information from a compromised host to its C2 servers.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

PcShare has deleted its files and components from a compromised host.[1]
Enterprise T1056 .001 Input Capture: Keylogging

PcShare has the ability to capture keystrokes.[1]
Enterprise T1036 .001 Masquerading: Invalid Code Signature

PcShare has used an invalid certificate in attempt to appear legitimate.[1]
.005 Masquerading: Match Legitimate Name or Location

PcShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate Client.[1]
Enterprise T1112 Modify Registry

PcShare can delete its persistence mechanisms from the registry.[1]
Enterprise T1106 Native API

PcShare has used a variety of Windows API functions.[1]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with LZW algorithm.[1]
Enterprise T1057 Process Discovery

PcShare can obtain a list of running processes on a compromised host.[1]
Enterprise T1055 Process Injection

The PcShare payload has been injected into the logagent.exe and rdpclip.exe processes.[1]
Enterprise T1012 Query Registry

PcShare can search the registry files of a compromised host.[1]
Enterprise T1113 Screen Capture

PcShare can take screen shots of a compromised machine.[1]
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

PcShare has used rundll32.exe for execution.[1]
Enterprise T1016 System Network Configuration Discovery

PcShare can obtain the proxy settings of a compromised machine using InternetQueryOptionA and its IP address by running nslookup myip.opendns.comresolver1.opendns.com\r\n.[1]
Enterprise T1125 Video Capture

PcShare can capture camera video as part of its collection process.[1]

Groups That Use This Software

ID Name References
G1023 APT5

[3]

Campaigns

ID Name Description
C0007 FunnyDream

During FunnyDream the threat actors used a customized version of PcShare.[1]

References

  1. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  2. LiveMirror. (2014, September 17). PcShare. Retrieved October 11, 2022.
  1. Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.