Self Deletion
April 3, 2025
| ID | F0007 |
|---|---|
| Objective(s) | Defense Evasion |
| Related ATT&CK Techniques | Indicator Removal on Host: Uninstall Malicious Application (T1630.001), Indicator Removal on Host: File Deletion (T1070.004) |
| Version | 2.3 |
| Created | 14 August 2020 |
| Last Modified | 28 April 2024 |
Malware may remove itself from an infected system, typically after it has achieved its primary objective. This is done to evade detection, remove evidence of its presence, and make forensic analysis more difficult. The malware may use built-in commands, scripts, or other methods to delete its files, processes, or registry entries.
See ATT&CK: Indicator Removal on Host: Uninstall Malicious Application (T1630.001), Indicator Removal on Host: File Deletion (T1070.004).
Methods
| Name | ID | Description |
|---|---|---|
| COMSPEC Environment Variable | F0007.001 | Uninstalls self via COMSPEC environment variable. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Terminator | 2013 | F0007.001 | The RAT evades sandboxes by terminating and removing itself (DW20.exe) after installation. [1] |
| CozyCar | 2010 | -- | CozyCar has a DLL file that serves as a cleanup mechanism for its dropped binary. [2] |
| SearchAwesome | 2018 | -- | The malware will monitor if a specific file gets deleted and then will delete itself. [3] |
| WannaCry | 2017 | -- | WannaCry looks for a DNS entry and, if the entry exists, terminates and deletes itself. [4] |
| Snake | 2004 | -- | Snake can delete itself. [5] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| self delete | Self Deletion::COMSPEC Environment Variable (F0007.001) | -- |
| self delete using alternate data streams | Defense Evasion::Self Deletion (F0007) | SetFileInformationByHandle, kernel32.SetFileInformationByHandle |

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| trickbot_task_delete | Self Deletion (F0007) | DeleteFileW |
| deletes_executed_files | Self Deletion (F0007) | -- |
| deletes_self | Self Deletion (F0007) | NtDeleteFile, DeleteFileW, DeleteFileA, MoveFileWithProgressW, MoveFileWithProgressTransactedW |
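As an added example (not MBC, capa or CAPE code), the following Python walks a constructed sandbox API trace and maps each call onto the detection rows above, so an analyst can see what each rule keys on. The pipe-separated trace format, the paths in it and the assumption that the tracer resolves a file handle to its path for SetFileInformationByHandle are mine.

```python
from collections import defaultdict

# API names come from the page's CAPE 'deletes_self' and capa 'self delete using
# alternate data streams' rows; the trace format and the sample lines are constructed.
DELETE_APIS = {"NtDeleteFile", "DeleteFileW", "DeleteFileA"}
RENAME_APIS = {"MoveFileWithProgressW", "MoveFileWithProgressTransactedW"}
INFO_APIS = {"SetFileInformationByHandle"}  # assumption: tracer resolved the handle to a path

# Constructed trace, one call per line: pid | image of the caller | API | path arguments...
SAMPLE_TRACE = """\
4120|C:\\Temp\\DW20.exe|CreateProcessW|C:\\Temp\\svc.exe
4120|C:\\Temp\\DW20.exe|DeleteFileW|C:\\Temp\\svc.exe
4120|C:\\Temp\\DW20.exe|MoveFileWithProgressW|C:\\Temp\\DW20.exe|C:\\Temp\\DW20.exe:tmp
4120|C:\\Temp\\DW20.exe|SetFileInformationByHandle|C:\\Temp\\DW20.exe:tmp
7788|C:\\Temp\\updater.exe|NtDeleteFile|C:\\TEMP\\updater.exe
5001|C:\\Windows\\explorer.exe|DeleteFileW|C:\\Users\\victim\\Downloads\\old.txt
"""

def norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them in one case."""
    return path.strip().lower()

def is_ads(path: str) -> bool:
    """A colon after the drive letter (C:\\dir\\f.exe:stream) names an alternate data stream."""
    return ":" in path[2:]

def detect_self_deletion(trace: str) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs named after the page's F0007 detection rows."""
    executed = defaultdict(set)   # pid -> paths it executed (for deletes_executed_files)
    ads_rename = {}               # pid -> ADS path its own image was renamed into
    findings = []
    for line in trace.splitlines():
        pid, image, api, *args = line.split("|")
        pid, image = int(pid), norm(image)
        target = norm(args[0]) if args else ""
        if api == "CreateProcessW":
            executed[pid].add(target)
        elif api in DELETE_APIS:
            if target == image:                      # process unlinks its own image
                findings.append((pid, "deletes_self (F0007)"))
            elif target in executed[pid]:            # process unlinks something it ran
                findings.append((pid, "deletes_executed_files (F0007)"))
        elif api in RENAME_APIS and target == image and len(args) > 1 and is_ads(args[1]):
            ads_rename[pid] = norm(args[1])          # own image moved into an ADS
            findings.append((pid, "self delete using alternate data streams (F0007): rename"))
        elif api in INFO_APIS and target in (image, ads_rename.get(pid)):
            findings.append((pid, "self delete using alternate data streams (F0007): disposition"))
    return findings

if __name__ == "__main__":
    for pid, finding in detect_self_deletion(SAMPLE_TRACE):
        print(pid, finding)
```

Note that the ADS rule only fires on the second stage when the same process already renamed its own image, which keeps ordinary SetFileInformationByHandle calls on unrelated files from matching.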
References
[1] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf
[2] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[3] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[4] https://www.mandiant.com/resources/blog/wannacry-malware-profile
[5] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware