Copy File

April 3, 2025 · View on GitHub

ID	C0045
Objective(s)	File System
Related ATT&CK Techniques	None
Version	2.2
Created	4 December 2020
Last Modified	6 February 2024

Copy File

Malware copies a file.

Use in Malware

Name	Date	Method	Description
GoBotKR	2019	--	GoBotKR copies files. [1]
Hupigon	2013	--	Hupigon copies files. [1]
Kovter	2016	--	Kovter copies files. [1]
Mebromi	2011	--	Mebromi copies files. [1]
Redhip	2011	--	Redhip copies files. [1]
Shamoon	2012	--	Shamoon copies files. [1]
Snake	2004	--	Snake copies files. [2]

Detection

Tool: capa	Mapping	APIs
copy file	Copy File (C0045)	kernel32.CopyFile, kernel32.CopyFileEx, CopyFile2, CopyFileTransacted, LZCopy, System.IO.FileInfo::CopyTo, System.IO.File::Copy, kernel32.SHFileOperation

Tool: CAPE	Class	Mapping	APIs
injection_needextension	InjectionExtension	Copy File (C0045)	NtCreateUserProcess, CreateProcessInternalW

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022

[2] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware