File and Directory Discovery
May 1, 2024 ยท View on GitHub
| ID | E1083 |
| Objective(s) | Discovery |
| Related ATT&CK Techniques | File and Directory Discovery (T1083) |
| Version | 2.3 |
| Created | 2 August 2022 |
| Last Modified | 30 April 2024 |
File and Directory Discovery
Malware may enumerate files and directories or may search for specific files or in specific locations.
Methods
| Name | ID | Description |
|---|---|---|
| Log File | E1083.m01 | Malware may look for system log files. |
| Filter by Extension | E1083.m02 | Malware may filter by extension (common in ransomware). |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| CryptoWall | 2014 | -- | The malware searches for user files before encrypting them. [1] |
| CryptoLocker | 2013 | -- | The malware searches for user files before encrypting them. [2] |
| TrickBot | 2016 | -- | The malware collects machine information and local files with specified file extensions. [3] |
| Matanbuchus | 2021 | -- | Malware verifies that the folder from the first stage loader exists on the system. The malware also checks for the path for the Opera web browser. If it exists, the malware exits. [4] [5] |
| GravityRAT | 2018 | -- | GravityRAT enumerates files on Windows. [6] |
| Hupigon | 2013 | -- | Hupigon enumerates files recursively. [6] |
| Hupigon | 2013 | E1083.m01 | Hupigon accesses the Windows event log. [6] |
| Kovter | 2016 | -- | Kovter gets file version info. [6] |
| Kovter | 2016 | E1083.m01 | Kovter accesses the Windows event log. [6] |
| SamSam | 2015 | -- | SamSam enumerates files on Windows. [6] |
| UP007 | 2016 | -- | The malware enumerates files on Windows. [6] |
| BlackEnergy | 2007 | -- | The malware gets the common file path. [6] |
| Dark Comet | 2008 | -- | The malware gets file version info. [6] |
| Gamut | 2014 | -- | Gamut gets the common file path. [6] |
| GoBotKR | 2019 | -- | GoBotKR checks if a file exists. [6] |
| Locky Bart | 2017 | -- | The malware gets a file size. [6] |
| Mebromi | 2011 | -- | Mebromi gets a file size. [6] |
| Redhip | 2011 | -- | Redhip gets a file size. [6] |
| Rombertik | 2015 | -- | The malware gets the file version info. [6] |
| Shamoon | 2012 | -- | Shamoon gets a common file path. [6] |
| ElectroRAT | 2020 | -- | ElectroRat looks for wallets to steal cryptocurrency. [7] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| get common file path | File and Directory Discovery (E1083) | kernel32.GetTempPath, kernel32.GetTempFileName, kernel32.GetSystemDirectory, kernel32.GetWindowsDirectory, kernel32.GetSystemWow64Directory, GetAllUsersProfileDirectory, GetAppContainerFolderPath, GetCurrentDirectory, GetDefaultUserProfileDirectory, GetProfilesDirectory, GetUserProfileDirectory, SHGetFolderPathAndSubDir, shell32.SHGetFolderPath, shell32.SHGetFolderLocation, shell32.SHGetKnownFolderPath, shell32.SHGetSpecialFolderPath, shell32.SHGetSpecialFolderLocation, System.IO.Directory::GetCurrentDirectory, System.Environment::GetFolderPath |
| get file version info | File and Directory Discovery (E1083) | version.GetFileVersionInfo, version.GetFileVersionInfoEx, System.Diagnostics.FileVersionInfo::GetVersionInfo, version.VerQueryValue, version.GetFileVersionInfoSize, version.GetFileVersionInfoSizeEx |
| get file size | File and Directory Discovery (E1083) | kernel32.GetFileSize, kernel32.GetFileSizeEx |
| check if file exists | File and Directory Discovery (E1083) | kernel32.GetFileAttributes, kernel32.GetLastError, shlwapi.PathFileExists, System.IO.File::Exists |
| enumerate files on Linux | File and Directory Discovery (E1083) | getdents, getdents64, opendir, readdir |
| enumerate files on Windows | File and Directory Discovery (E1083) | kernel32.FindFirstFile, kernel32.FindFirstFileEx, kernel32.FindFirstFileTransacted, kernel32.FindFirstFileName, kernel32.FindFirstFileNameTransacted, kernel32.FindNextFile, kernel32.FindNextFileName, kernel32.FindClose, ntdll.NtOpenDirectoryObject, ntdll.NtQueryDirectoryObject, RtlAllocateHeap, System.IO.DirectoryInfo::GetFiles, System.IO.DirectoryInfo::EnumerateFiles, System.IO.Directory::GetFiles, System.IO.Directory::EnumerateFiles, System.IO.Directory::EnumerateFileSystemEntries, System.IO.DirectoryInfo::GetDirectories, System.IO.DirectoryInfo::EnumerateDirectories, System.IO.Directory::GetDirectories, System.IO.Directory::EnumerateDirectories |
| enumerate files recursively | File and Directory Discovery (E1083) | -- |
| read data from CLFS log container | File and Directory Discovery::Log File (E1083.m01) | clfsw32.CreateLogFile, clfsw32.CreateLogMarshallingArea, clfsw32.ReadLogRecord, clfsw32.ReadNextLogRecord |
| access the Windows event log | File and Directory Discovery::Log File (E1083.m01) | OpenEventLog, ClearEventLog, OpenBackupEventLog, ReportEvent |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| antisandbox_cuckoo_files | File and Directory Discovery (E1083) | -- |
| antisandbox_threattrack_files | File and Directory Discovery (E1083) | -- |
| antivm_directory_objects | File and Directory Discovery (E1083) | NtQueryDirectoryObject, NtOpenDirectoryObject |
| antivm_vmware_events | File and Directory Discovery (E1083) | NtOpenEvent, NtCreateEvent |
| antivm_vmware_events | File and Directory Discovery::Log File (E1083.m01) | NtOpenEvent, NtCreateEvent |
| antivm_vbox_devices | File and Directory Discovery (E1083) | -- |
| antivm_vmware_devices | File and Directory Discovery (E1083) | -- |
| antivm_vbox_files | File and Directory Discovery (E1083) | -- |
| antivm_vmware_libs | File and Directory Discovery (E1083) | LdrLoadDll |
| antiav_detectfile | File and Directory Discovery (E1083) | -- |
| antivm_vpc_files | File and Directory Discovery (E1083) | -- |
| antivm_vbox_libs | File and Directory Discovery (E1083) | LdrLoadDll |
| driver_filtermanager | File and Directory Discovery (E1083) | -- |
| antisandbox_joe_anubis_files | File and Directory Discovery (E1083) | -- |
| antivm_vmware_files | File and Directory Discovery (E1083) | -- |
| antisandbox_fortinet_files | File and Directory Discovery (E1083) | -- |
| antisandbox_sunbelt_files | File and Directory Discovery (E1083) | -- |
| antianalysis_detectfile | File and Directory Discovery (E1083) | -- |
E1083 Snippet
Discovery::File and Directory Discovery
SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6 Location: 0x409A62push eax ; argument to function containing file path to search call KERNEL32.DLL::GetFileAttributesA ; Function to retrieve file attributes for file path indicated by eax cmp eax, -0x1 ; Test if function returned an error jz lab_00409a71 ; If the function failed (the file's attributes were not retrieved and the return value is -1), jump to the specified address to continue execution test al, 0x10 ; Test the lower 8 bits of the return value to check if the file is a directory jnz lab_00409a75 ; If the returned result is not a directory, jump to the specified address to continue execution
References
[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[2] https://www.secureworks.com/research/cryptolocker-ransomware
[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
[4] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[5] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[6] capa v4.0, analyzed at MITRE on 10/12/2022
[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/