Skip to content

Latest commit

 

History

History
130 lines (111 loc) · 11.4 KB

file-and-directory-discovery.md

File metadata and controls

130 lines (111 loc) · 11.4 KB
ID E1083
Objective(s) Discovery
Related ATT&CK Techniques File and Directory Discovery (T1083)
Version 2.3
Created 2 August 2022
Last Modified 30 April 2024

File and Directory Discovery

Malware may enumerate files and directories or may search for specific files or in specific locations.

Methods

Name ID Description
Log File E1083.m01 Malware may look for system log files.
Filter by Extension E1083.m02 Malware may filter by extension (common in ransomware).

Use in Malware

Name Date Method Description
CryptoWall 2014 -- The malware searches for user files before encrypting them. [1]
CryptoLocker 2013 -- The malware searches for user files before encrypting them. [2]
TrickBot 2016 -- The malware collects machine information and local files with specified file extensions. [3]
Matanbuchus 2021 -- Malware verifies that the folder from the first stage loader exists on the system. The malware also checks for the path for the Opera web browser. If it exists, the malware exits. [4] [5]
GravityRAT 2018 -- GravityRAT enumerates files on Windows. [6]
Hupigon 2013 -- Hupigon enumerates files recursively. [6]
Hupigon 2013 E1083.m01 Hupigon accesses the Windows event log. [6]
Kovter 2016 -- Kovter gets file version info. [6]
Kovter 2016 E1083.m01 Kovter accesses the Windows event log. [6]
SamSam 2015 -- SamSam enumerates files on Windows. [6]
UP007 2016 -- The malware enumerates files on Windows. [6]
BlackEnergy 2007 -- The malware gets the common file path. [6]
Dark Comet 2008 -- The malware gets file version info. [6]
Gamut 2014 -- Gamut gets the common file path. [6]
GoBotKR 2019 -- GoBotKR checks if a file exists. [6]
Locky Bart 2017 -- The malware gets a file size. [6]
Mebromi 2011 -- Mebromi gets a file size. [6]
Redhip 2011 -- Redhip gets a file size. [6]
Rombertik 2015 -- The malware gets the file version info. [6]
Shamoon 2012 -- Shamoon gets a common file path. [6]
ElectroRAT 2020 -- ElectroRat looks for wallets to steal cryptocurrency. [7]

Detection

Tool: capa Mapping APIs
get common file path File and Directory Discovery (E1083) kernel32.GetTempPath, kernel32.GetTempFileName, kernel32.GetSystemDirectory, kernel32.GetWindowsDirectory, kernel32.GetSystemWow64Directory, GetAllUsersProfileDirectory, GetAppContainerFolderPath, GetCurrentDirectory, GetDefaultUserProfileDirectory, GetProfilesDirectory, GetUserProfileDirectory, SHGetFolderPathAndSubDir, shell32.SHGetFolderPath, shell32.SHGetFolderLocation, shell32.SHGetKnownFolderPath, shell32.SHGetSpecialFolderPath, shell32.SHGetSpecialFolderLocation, System.IO.Directory::GetCurrentDirectory, System.Environment::GetFolderPath
get file version info File and Directory Discovery (E1083) version.GetFileVersionInfo, version.GetFileVersionInfoEx, System.Diagnostics.FileVersionInfo::GetVersionInfo, version.VerQueryValue, version.GetFileVersionInfoSize, version.GetFileVersionInfoSizeEx
get file size File and Directory Discovery (E1083) kernel32.GetFileSize, kernel32.GetFileSizeEx
check if file exists File and Directory Discovery (E1083) kernel32.GetFileAttributes, kernel32.GetLastError, shlwapi.PathFileExists, System.IO.File::Exists
enumerate files on Linux File and Directory Discovery (E1083) getdents, getdents64, opendir, readdir
enumerate files on Windows File and Directory Discovery (E1083) kernel32.FindFirstFile, kernel32.FindFirstFileEx, kernel32.FindFirstFileTransacted, kernel32.FindFirstFileName, kernel32.FindFirstFileNameTransacted, kernel32.FindNextFile, kernel32.FindNextFileName, kernel32.FindClose, ntdll.NtOpenDirectoryObject, ntdll.NtQueryDirectoryObject, RtlAllocateHeap, System.IO.DirectoryInfo::GetFiles, System.IO.DirectoryInfo::EnumerateFiles, System.IO.Directory::GetFiles, System.IO.Directory::EnumerateFiles, System.IO.Directory::EnumerateFileSystemEntries, System.IO.DirectoryInfo::GetDirectories, System.IO.DirectoryInfo::EnumerateDirectories, System.IO.Directory::GetDirectories, System.IO.Directory::EnumerateDirectories
enumerate files recursively File and Directory Discovery (E1083) --
read data from CLFS log container File and Directory Discovery::Log File (E1083.m01) clfsw32.CreateLogFile, clfsw32.CreateLogMarshallingArea, clfsw32.ReadLogRecord, clfsw32.ReadNextLogRecord
access the Windows event log File and Directory Discovery::Log File (E1083.m01) OpenEventLog, ClearEventLog, OpenBackupEventLog, ReportEvent
Tool: CAPE Mapping APIs
antisandbox_cuckoo_files File and Directory Discovery (E1083) --
antisandbox_threattrack_files File and Directory Discovery (E1083) --
antivm_directory_objects File and Directory Discovery (E1083) NtQueryDirectoryObject, NtOpenDirectoryObject
antivm_vmware_events File and Directory Discovery (E1083) NtOpenEvent, NtCreateEvent
antivm_vmware_events File and Directory Discovery::Log File (E1083.m01) NtOpenEvent, NtCreateEvent
antivm_vbox_devices File and Directory Discovery (E1083) --
antivm_vmware_devices File and Directory Discovery (E1083) --
antivm_vbox_files File and Directory Discovery (E1083) --
antivm_vmware_libs File and Directory Discovery (E1083) LdrLoadDll
antiav_detectfile File and Directory Discovery (E1083) --
antivm_vpc_files File and Directory Discovery (E1083) --
antivm_vbox_libs File and Directory Discovery (E1083) LdrLoadDll
driver_filtermanager File and Directory Discovery (E1083) --
antisandbox_joe_anubis_files File and Directory Discovery (E1083) --
antivm_vmware_files File and Directory Discovery (E1083) --
antisandbox_fortinet_files File and Directory Discovery (E1083) --
antisandbox_sunbelt_files File and Directory Discovery (E1083) --
antianalysis_detectfile File and Directory Discovery (E1083) --

E1083 Snippet

Discovery::File and Directory Discovery SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6 Location: 0x409A62 
push    eax     ; argument to function containing file path to search
call    KERNEL32.DLL::GetFileAttributesA        ; Function to retrieve file attributes for file path indicated by eax
cmp     eax, -0x1       ; Test if function returned an error
jz      lab_00409a71    ; If the function failed (the file's attributes were not retrieved and the return value is -1), jump to the specified address to continue execution
test    al, 0x10        ; Test the lower 8 bits of the return value to check if the file is a directory
jnz     lab_00409a75    ; If the returned result is not a directory, jump to the specified address to continue execution

References

[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/

[2] https://www.secureworks.com/research/cryptolocker-ransomware

[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

[4] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/

[5] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader

[6] capa v4.0, analyzed at MITRE on 10/12/2022

[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/