writes-file.md

ID	C0052
Objective(s)	File System
Related ATT&CK Techniques	None
Version	2.3
Created	4 December 2020
Last Modified	30 April 2024

Writes File

Malware writes to a file.

Use in Malware

Name	Date	Method	Description
CryptoLocker	2013	--	CryptoLocker writes Fileon Windows. [1]
Dark Comet	2008	--	Dark Comet writes Fileon Windows. [1]
DNSChanger	2011	--	DNSChanger writes Fileon Windows. [1]
Gamut	2014	--	Gamut writes files on Windows. [1]
GravityRAT	2018	--	GravityRAT writes files on Windows. [1]
Hupigon	2013	--	Hupigon writes files on Windows. [1]
Locky Bart	2017	--	Locky Bart writes files on Windows. [1]
Poison Ivy	2005	--	Poison Ivy writes files on Windows. [1]
Redhip	2011	--	Redhip writes files on Windows. [1]
Rombertik	2015	--	Rombertik writes files on Windows. [1]
Shamoon	2012	--	Shamoon writes files on Windows. [1]
UP007	2016	--	UP007 writes files on Windows. [1]

Detection

Tool: capa	Mapping	APIs
write file on Linux	Writes File (C0052)	fputc, fputs, putc, write, fputwc, putwc, fputws, fwrite, putwchar, dprintf, vdprnitf, fprintf, vfprintf
write file on Windows	Writes File (C0052)	kernel32.WriteFile, kernel32.WriteFileEx, NtWriteFile, ZwWriteFile, _fwrite, fwrite, System.IO.File::WriteAllBytes, System.IO.File::WriteAllBytesAsync, System.IO.File::WriteAllLines, System.IO.File::WriteAllLinesAsync, System.IO.File::WriteAllText, System.IO.File::WriteAllTextAsync, System.IO.File::AppendAllLines, System.IO.File::AppendAllLinesAsync, System.IO.File::AppendAllText, System.IO.File::AppendAllTextAsync, System.IO.File::AppendText, System.IO.FileInfo::AppendText
create process memory minidump	Writes File (C0052)	dbghelp.MiniDumpWriteDump

Tool: CAPE	Class	Mapping	APIs
upatre_files	UpatreFiles	Writes File (C0052)	--
wiper_zeroedbytes	WiperZeroedBytes	Writes File (C0052)	NtWriteFile
modify_hostsfile	Modifies_HostFile	Writes File (C0052)	--
writes_sysvol	WritesSysvol	Writes File (C0052)	--
ursnif_behavior	UrsnifBehavior	Writes File (C0052)	--
poullight_files	PoullightFiles	Writes File (C0052)	--
echelon_files	EchelonFiles	Writes File (C0052)	--
apocalypse_stealer_file_behavior	ApocalypseStealerFileBehavior	Writes File (C0052)	--
masslogger_version	MassLoggerVersion	Writes File (C0052)	NtWriteFile
masslogger_artifacts	MassLoggerArtifacts	Writes File (C0052)	FindFirstFileExW, CryptDecrypt

C0052 Snippet

File System::Writes File

SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732 Location: 0x4016A7

mov     r9, rdi         ; variable that will hold number of bytes actually written
mov     r8d, ebx        ; number of bytes to write
mov     param_2, rsi    ; pointer to buffer containing data that will be written to the file
mov     param_1, r12    ; handle to the device/file to write to
mov     qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
call    qword ptr [->KERNEL32.DLL::WriteFile] ; API call to write to file specified in param_1

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022