Create Directory

November 18, 2024 · View on GitHub

ID	C0046
Objective(s)	File System
Related ATT&CK Techniques	None
Version	2.3
Created	4 December 2020
Last Modified	30 April 2024

Create Directory

Malware creates a directory.

Use in Malware

Name	Date	Method	Description
Gamut	2014	--	Gamut creates directories. [1]
GoBotKR	2019	--	GoBotKR creates directories. [1]
GravityRAT	2018	--	GravityRAT creates directories. [1]
Hupigon	2013	--	Hupigon creates directories. [1]
Kovter	2016	--	Kovter creates directories. [1]
Redhip	2011	--	Redhip creates directories. [1]
UP007	2016	--	UP007 creates directories. [1]

Detection

Tool: capa	Mapping	APIs
create directory	Create Directory (C0046)	kernel32.CreateDirectory, kernel32.CreateDirectoryEx, kernel32.CreateDirectoryTransacted, NtCreateDirectoryObject, ZwCreateDirectoryObject, SHCreateDirectory, SHCreateDirectoryEx, _mkdir, _wmkdir, System.IO.Directory::CreateDirectory, System.IO.DirectoryInfo::Create, System.IO.DirectoryInfo::CreateSubdirectory

Tool: CAPE	Class	Mapping	APIs
arkei_files	ArkeiFiles	Create Directory (C0046)	--

C0046 Snippet

File System::Create Directory

SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f Location: 0x1400036d4

xor     param_2, param_2        ; use default security attributes (param_2 is NULL)
mov     param_1, rbp    ; use contents of rbp as directory name
call    qword ptr [->KERNEL32.DLL::CreateDirectoryA]  ; call Windows API to create directory

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022