Code Discovery

May 1, 2024

ID: B0046
Objective(s): Discovery
Related ATT&CK Techniques: None
Version: 2.2
Created: 10 November 2021
Last Modified: 29 April 2024

Malware may inspect code or enumerate aspects of a Portable Executable (PE) image, such as its sections and their attributes.

Methods

| Name | ID | Description |
|---|---|---|
| Enumerate PE Sections | B0046.001 | Malware enumerates virtual offsets of code sections. |
| Inspect Section Memory Permissions | B0046.002 | Malware identifies section memory permissions from the image section header. |
| Parse PE Header | B0046.003 | Malware parses the PE header. |
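The three methods above all come down to walking the PE section table. The following is an added analyst-side example, not code from the MBC page or from capa, that parses a PE header, enumerates each section's virtual offset (B0046.001), and decodes the section's memory permission bits from its Characteristics field (B0046.002). The sample image it runs on is constructed inline (a minimal MZ/PE header with three section entries and a placeholder optional header) and is not a real binary; the section names and values are made up for the demonstration.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def describe_permissions(characteristics):
    """Render the MEM_READ / MEM_WRITE / MEM_EXECUTE bits as an 'RWX'-style string."""
    return "".join([
        "R" if characteristics & IMAGE_SCN_MEM_READ else "-",
        "W" if characteristics & IMAGE_SCN_MEM_WRITE else "-",
        "X" if characteristics & IMAGE_SCN_MEM_EXECUTE else "-",
    ])


def parse_sections(image):
    """Locate the section table via e_lfanew and return one dict per section."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff_off = e_lfanew + 4
    (_machine, num_sections, _ts, _symtab, _nsyms,
     opt_hdr_size, _chars) = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    # Section headers immediately follow the optional header, whatever its size.
    sec_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = sec_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image):
            raise ValueError("section table runs past end of image")
        (name, vsize, vaddr, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HEADER_FMT, image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,   # the virtual offset B0046.001 enumerates
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_pointer": raw_ptr,
            "characteristics": chars,
            "permissions": describe_permissions(chars),  # what B0046.002 inspects
        })
    return sections


def find_writable_executable(sections):
    """Names of sections flagged both writable and executable; worth a second look during triage."""
    mask = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections if s["characteristics"] & mask == mask]


def build_sample_image():
    """Constructed minimal PE header (not a real binary) with three section entries."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_hdr = b"\0" * 16  # placeholder optional header; only its size matters here
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 3, 0, 0, 0, len(opt_hdr), 0x0102)

    def sec(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                           raw_size, raw_ptr, 0, 0, 0, 0, chars)

    sections = (
        sec(b".text", 0x200, 0x1000, 0x200, 0x400,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ) +
        sec(b".data", 0x100, 0x2000, 0x200, 0x600,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE) +
        sec(b".packd", 0x800, 0x3000, 0x800, 0x800,   # constructed RWX section
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    )
    return dos + b"PE\0\0" + coff + opt_hdr + sections


if __name__ == "__main__":
    found = parse_sections(build_sample_image())
    for s in found:
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:06x} "
              f"VSize=0x{s['virtual_size']:x} perms={s['permissions']}")
    print("writable+executable:", find_writable_executable(found))
```

Pointing `parse_sections` at the bytes of a real file reproduces the view a sample gets of its own image when it performs this behaviour; the same walk is what a capa rule matches on when it flags section enumeration or permission inspection.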

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | B0046.001 | BlackEnergy enumerates PE sections. [1] |
| CryptoLocker | 2013 | B0046.001 | CryptoLocker enumerates PE sections. [1] |
| Dark Comet | 2008 | B0046.001 | DarkComet enumerates PE sections. [1] |
| Emotet | 2018 | B0046.001 | Emotet enumerates PE sections. [1] |
| Gamut | 2014 | B0046.001 | Gamut enumerates PE sections. [1] |
| Hupigon | 2013 | B0046.001 | Hupigon enumerates PE sections. [1] |
| Locky Bart | 2017 | B0046.001 | Locky Bart enumerates PE sections. [1] |
| Redhip | 2011 | B0046.002 | Redhip inspects section memory permissions. [1] |
| Stuxnet | 2010 | B0046.001 | Stuxnet enumerates PE sections. [1] |
| TrickBot | 2016 | B0046.002 | TrickBot inspects section memory permissions. [1] |
| Ursnif | 2016 | B0046.001 | Ursnif enumerates PE sections. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| enumerate PE sections | Code Discovery::Enumerate PE Sections (B0046.001) | -- |
| inspect section memory permissions | Code Discovery::Inspect Section Memory Permissions (B0046.002) | -- |

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022