ID | E1083 |
---|---|
Objective(s) | Discovery |
Related ATT&CK Techniques | File and Directory Discovery (T1083) |
Version | 2.1 |
Created | 2 August 2022 |
Last Modified | 13 September 2023 |
Malware may enumerate files and directories, or may search for specific files or specific locations (for example, user documents to encrypt, or a folder whose presence or absence decides whether the sample continues running).
Name | ID | Description |
---|---|---|
Log File | E1083.m01 | Malware may look for system log files. |
Filter by Extension | E1083.m02 | Malware may filter by extension (common in ransomware). |
Name | Date | Method | Description |
---|---|---|---|
CryptoWall | 2014 | -- | The malware searches for user files before encrypting them. [1] |
CryptoLocker | 2013 | -- | The malware searches for user files before encrypting them. [2] |
TrickBot | 2016 | -- | The malware collects machine information and local files with specified file extensions. [3] |
Matanbuchus | 2021 | -- | The malware verifies that the folder from the first-stage loader exists on the system. It also checks for the path of the Opera web browser; if that path exists, the malware exits. [4] [5] |
GravityRAT | 2018 | -- | GravityRAT enumerates files on Windows. [6] |
Hupigon | 2013 | -- | Hupigon enumerates files recursively. [6] |
Hupigon | 2013 | E1083.m01 | Hupigon accesses the Windows event log. [6] |
Kovter | 2016 | -- | Kovter gets file version info. [6] |
Kovter | 2016 | E1083.m01 | Kovter accesses the Windows event log. [6] |
SamSam | 2015 | -- | SamSam enumerates files on Windows. [6] |
UP007 | 2016 | -- | The malware enumerates files on Windows. [6] |
BlackEnergy | 2007 | -- | The malware gets the common file path. [6] |
Dark Comet | 2008 | -- | The malware gets file version info. [6] |
Gamut | 2014 | -- | Gamut gets the common file path. [6] |
GoBotKR | 2019 | -- | GoBotKR checks if a file exists. [6] |
Locky Bart | 2017 | -- | The malware gets a file size. [6] |
Mebromi | 2011 | -- | Mebromi gets a file size. [6] |
Redhip | 2011 | -- | Redhip gets a file size. [6] |
Rombertik | 2015 | -- | The malware gets the file version info. [6] |
Shamoon | 2012 | -- | Shamoon gets a common file path. [6] |
ElectroRAT | 2020 | -- | ElectroRAT looks for cryptocurrency wallets to steal. [7] |
Tool: capa | Mapping | APIs |
---|---|---|
get common file path | File and Directory Discovery (E1083) | kernel32.GetTempPath, kernel32.GetTempFileName, kernel32.GetSystemDirectory, kernel32.GetWindowsDirectory, kernel32.GetSystemWow64Directory, GetAllUsersProfileDirectory, GetAppContainerFolderPath, GetCurrentDirectory, GetDefaultUserProfileDirectory, GetProfilesDirectory, GetUserProfileDirectory, SHGetFolderPathAndSubDir, shell32.SHGetFolderPath, shell32.SHGetFolderLocation, shell32.SHGetKnownFolderPath, shell32.SHGetSpecialFolderPath, shell32.SHGetSpecialFolderLocation, System.IO.Directory::GetCurrentDirectory, System.Environment::GetFolderPath |
get file version info | File and Directory Discovery (E1083) | version.GetFileVersionInfo, version.GetFileVersionInfoEx, System.Diagnostics.FileVersionInfo::GetVersionInfo, version.VerQueryValue, version.GetFileVersionInfoSize, version.GetFileVersionInfoSizeEx |
get file size | File and Directory Discovery (E1083) | kernel32.GetFileSize, kernel32.GetFileSizeEx |
check if file exists | File and Directory Discovery (E1083) | kernel32.GetFileAttributes, kernel32.GetLastError, shlwapi.PathFileExists, System.IO.File::Exists |
enumerate files on Linux | File and Directory Discovery (E1083) | getdents, getdents64, opendir, readdir |
enumerate files on Windows | File and Directory Discovery (E1083) | kernel32.FindFirstFile, kernel32.FindFirstFileEx, kernel32.FindFirstFileTransacted, kernel32.FindFirstFileName, kernel32.FindFirstFileNameTransacted, kernel32.FindNextFile, kernel32.FindNextFileName, kernel32.FindClose, ntdll.NtOpenDirectoryObject, ntdll.NtQueryDirectoryObject, RtlAllocateHeap, System.IO.DirectoryInfo::GetFiles, System.IO.DirectoryInfo::EnumerateFiles, System.IO.Directory::GetFiles, System.IO.Directory::EnumerateFiles, System.IO.Directory::EnumerateFileSystemEntries, System.IO.DirectoryInfo::GetDirectories, System.IO.DirectoryInfo::EnumerateDirectories, System.IO.Directory::GetDirectories, System.IO.Directory::EnumerateDirectories |
enumerate files recursively | File and Directory Discovery (E1083) | |
read data from CLFS log container | File and Directory Discovery::Log File (E1083.m01) | clfsw32.CreateLogFile, clfsw32.CreateLogMarshallingArea, clfsw32.ReadLogRecord, clfsw32.ReadNextLogRecord |
access the Windows event log | File and Directory Discovery::Log File (E1083.m01) | OpenEventLog, ClearEventLog, OpenBackupEventLog, ReportEvent |
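Added example, not code from MBC, capa or any of the samples above: the enumeration pattern behind the "enumerate files on Linux", "enumerate files recursively" and Filter by Extension (E1083.m02) rows, written as a recursive opendir/readdir walk that reports only files with chosen extensions, which is the loop a document-targeting ransomware runs before encrypting. The sample directory layout, the extension list and the depth bound MAX_DEPTH are assumptions for illustration; on Windows the same walk uses the FindFirstFileW/FindNextFileW/FindClose family listed in the capa table.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not MBC or capa code: recursive, extension-filtered file
 * enumeration on Linux via opendir/readdir (E1083, E1083.m02). The Windows
 * form of the same walk is FindFirstFileW/FindNextFileW/FindClose. */

#define MAX_DEPTH 8   /* assumed bound so a deep or cyclic tree cannot recurse forever */
typedef void (*hit_fn)(const char *path, off_t size, void *ctx);

/* 1 if name ends with one of the NULL-terminated extension list. */
static int has_ext(const char *name, const char *const *exts) {
    size_t n = strlen(name);
    for (const char *const *e = exts; *e; e++) {
        size_t m = strlen(*e);
        if (n > m && strcmp(name + n - m, *e) == 0)
            return 1;
    }
    return 0;
}

/* Depth-first walk of dir; cb (may be NULL) is called for each regular file
 * matching exts. Returns the match count, or -1 if the top directory cannot
 * be opened. lstat() means symlinks are neither followed nor counted, and
 * unreadable subdirectories are skipped. */
long enumerate_by_ext(const char *dir, const char *const *exts, int depth,
                      hit_fn cb, void *ctx) {
    DIR *d = opendir(dir);
    if (!d) return depth == 0 ? -1 : 0;
    long hits = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;                       /* would truncate: skip, never misname */
        struct stat st;
        if (lstat(path, &st) != 0) continue;
        if (S_ISDIR(st.st_mode)) {
            if (depth < MAX_DEPTH)
                hits += enumerate_by_ext(path, exts, depth + 1, cb, ctx);
        } else if (S_ISREG(st.st_mode) && has_ext(ent->d_name, exts)) {
            if (cb) cb(path, st.st_size, ctx);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

/* Constructed fixture so the example runs offline: a mkdtemp() root holding
 * docs/report.docx docs/notes.txt docs/old/budget.xlsx bin/tool.exe and a
 * symlink link -> docs (must be neither followed nor double-counted). */
char *build_sample_tree(void) {
    char tmpl[] = "/tmp/e1083-XXXXXX";
    if (!mkdtemp(tmpl)) return NULL;
    char *root = strdup(tmpl);
    const char *dirs[] = { "docs", "docs/old", "bin" };
    const char *files[] = { "docs/report.docx", "docs/notes.txt",
                            "docs/old/budget.xlsx", "bin/tool.exe" };
    char p[PATH_MAX];
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(p, sizeof p, "%s/%s", root, dirs[i]);
        if (mkdir(p, 0700) != 0) { free(root); return NULL; }
    }
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        snprintf(p, sizeof p, "%s/%s", root, files[i]);
        FILE *f = fopen(p, "w");
        if (!f) { free(root); return NULL; }
        fputs("sample\n", f);
        fclose(f);
    }
    snprintf(p, sizeof p, "%s/link", root);
    if (symlink("docs", p) != 0) { free(root); return NULL; }
    return root;                            /* caller frees */
}

static void print_hit(const char *path, off_t size, void *ctx) {
    (void)ctx; printf("%s (%lld bytes)\n", path, (long long)size);
}

int main(void) {
    char *root = build_sample_tree();
    if (!root) return 1;
    /* an extension list of the kind a document-targeting ransomware uses */
    static const char *const exts[] = { ".docx", ".xlsx", ".txt", NULL };
    long n = enumerate_by_ext(root, exts, 0, print_hit, NULL);
    printf("%ld matching files under %s\n", n, root);
    free(root);
    return 0;
}
```

For detection the signal is the combination, not any single call: opendir/readdir or FindFirstFile/FindNextFile appear in nearly every benign program, and capa's "enumerate files" rules fire on the loop structure, while E1083.m02 is the extra string compare on each name against a fixed extension list.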
[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[2] https://www.secureworks.com/research/cryptolocker-ransomware
[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
[4] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[5] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[6] capa v4.0, analyzed at MITRE on 10/12/2022
[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/