Create File
April 3, 2025
| ID | C0016 |
| Objective(s) | File System |
| Related ATT&CK Techniques | None |
| Version | 2.1 |
| Created | 14 August 2020 |
| Last Modified | 5 December 2023 |
Create File
Malware creates a file.
Methods
| Name | ID | Description |
|---|---|---|
| Create Office Document | C0016.001 | An Office document is created. |
| Create Ransomware File | C0016.002 | Create a file used by ransomware. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Snake | 2004 | -- | Snake creates files. [1] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| create or open file | Create File (C0016) | CreateFile, CreateFileEx, IoCreateFile, IoCreateFileEx, ZwOpenFile, ZwCreateFile, NtOpenFile, NtCreateFile, LZCreateFile, LZOpenFile, fopen, fopen64, fdopen, freopen, open, openat |

| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| copies_self | CopiesSelf | Create File (C0016) | -- |
| rat_pcclient | PcClientMutexes | Create File (C0016) | -- |
| ransomware_radamant | RansomwareRadamant | Create File (C0016) | -- |
| remcos_files | RemcosFiles | Create File (C0016) | -- |
| karagany_files | KaraganyFiles | Create File (C0016) | -- |
| obliquerat_files | ObliquekRATFiles | Create File (C0016) | -- |
| ransomware_message | RansomwareMessage | Create File (C0016) | NtWriteFile |
| rat_luminosity | LuminosityRAT | Create File (C0016) | NtCreateFile, CryptHashData |
| xpertrat_files | XpertRATFiles | Create File (C0016) | -- |
| nemty_note | NemtyNote | Create File (C0016) | NtWriteFile |
| office_write_exe | OfficeWriteEXE | Create File (C0016) | NtWriteFile |
| warzonerat_files | WarzoneRATFiles | Create File (C0016) | -- |
| spreading_autoruninf | CreatesAutorunInf | Create File (C0016) | -- |
| neshta_files | NeshtaFiles | Create File (C0016) | NtCreateFile |
| arkei_files | ArkeiFiles | Create File (C0016) | -- |
| office_postscript | OfficePostScript | Create File (C0016) | NtWriteFile |
| rat_nanocore | NanocoreRAT | Create File (C0016) | CryptHashData |
| qulab_files | QulabFiles | Create File (C0016) | -- |
| ransomware_files | RansomwareFiles | Create File (C0016), Create File::Create Ransomware File (C0016.002) | -- |
| dcrat_files | DCRatFiles | Create File (C0016) | -- |
| rtf_embedded_office_file | RTFEmbeddedOfficeFile | Create File (C0016) | -- |
| rtf_embedded_office_file | RTFEmbeddedOfficeFile | Create File::Create Office Document (C0016.001) | -- |
| stack_pivot_file_created | StackPivotFileCreated | Create File (C0016) | NtCreateFile |
| masslogger_files | MassLoggerFiles | Create File (C0016) | -- |
| stealth_file | StealthFile | Create File (C0016) | NtSetInformationFile, NtClose, NtCreateFile, NtDuplicateObject, NtOpenFile |
References
[1] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware