Read File

June 30, 2024 · View on GitHub

ID	C0051
Objective(s)	File System
Related ATT&CK Techniques	None
Version	2.3
Created	4 December 2020
Last Modified	30 April 2024

Read File

Malware reads a file.

Use in Malware

Name	Date	Method	Description
Dark Comet	2008	--	Dark Comet reads files on Windows. [1]
DNSChanger	2011	--	DNSChanger reads files on Windows. [1]
Gamut	2014	--	Gamut reads files on Windows. [1]
GravityRAT	2018	--	GravityRAT reads files on Windows. [1]
Hupigon	2013	--	Hupigon reads files on Windows. [1]
Kovter	2016	--	Kovter reads files on Windows. [1]
Locky Bart	2017	--	Locky Bart reads files on Windows. [1]
Mebromi	2011	--	Mebromi reads files on Windows. [1]
Poison Ivy	2005	--	Poison Ivy reads files on Windows. [1]
Redhip	2011	--	Redhip reads files on Windows. [1]
Rombertik	2015	--	Rombertik reads files on Windows. [1]
SamSam	2015	--	SamSam reads files on Windows. [1]
Shamoon	2012	--	Shamoon reads files on Windows. [1]
UP007	2016	--	UP007 reads files on Windows. [1]

Detection

Tool: capa	Mapping	APIs
read file on Windows	Read File (C0051)	kernel32.ReadFile, ReadFileEx, NtReadFile, ZwReadFile, LZRead, _read, fread, System.IO.File::ReadAllBytes, System.IO.File::ReadAllBytesAsync, System.IO.File::ReadAllLines, System.IO.File::ReadAllLinesAsync, System.IO.File::ReadAllText, System.IO.File::ReadAllTextAsync, System.IO.File::ReadLines
read file via mapping	Read File (C0051)	kernel32.MapViewOfFile, kernel32.UnmapViewOfFile, kernel32.CreateFileMapping
read file on Linux	Read File (C0051)	fgetc, fgets, getc, getchar, read, getline, getdelim, fgetwc, getwc, fscanf, vfscanf, fread
read .ini file	Read File (C0051)	GetPrivateProfileInt, GetPrivateProfileString, GetPrivateProfileStruct, GetPrivateProfileSection, GetPrivateProfileSectionNames, GetFullPathName

Tool: CAPE	Class	Mapping	APIs
reads_self	ReadsSelf	Read File (C0051)	NtReadFile, NtSetInformationFile, NtClose, NtCreateFile, NtOpenFile
accesses_sysvol	AccessesSysvol	Read File (C0051)	--
antidebug_devices	AntiDBGDevices	Read File (C0051)	--
antiav_detectfile	AntiAVDetectFile	Read File (C0051)	--
infostealer_browser	BrowserStealer	Read File (C0051)	NtReadFile, CopyFileA, CopyFileExW, CopyFileW
antianalysis_detectfile	AntiAnalysisDetectFile	Read File (C0051)	--

C0051 Snippet

File System::Read File

SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732 Location: 0x401762

mov     r9, rdi         ; variable that will hold number of bytes actually read from file
mov     r8d, ebx        ; number of bytes to read
mov     param_2, rsi    ; pointer to buffer that will hold content read from file
mov     param_1, r12    ; handle to the device/file to read from
mov     qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
call    qword ptr [->KERNEL32.DLL::ReadFile] ; API call to read file specified in param_1

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022