read-file.md
| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|---|---|---|---|---|---|
| C0051 | File System | None | 2.3 | 4 December 2020 | 30 April 2024 |

# Read File

Malware reads a file.

## Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Dark Comet | 2008 | -- | Dark Comet reads files on Windows. [1] |
| DNSChanger | 2011 | -- | DNSChanger reads files on Windows. [1] |
| Gamut | 2014 | -- | Gamut reads files on Windows. [1] |
| GravityRAT | 2018 | -- | GravityRAT reads files on Windows. [1] |
| Hupigon | 2013 | -- | Hupigon reads files on Windows. [1] |
| Kovter | 2016 | -- | Kovter reads files on Windows. [1] |
| Locky Bart | 2017 | -- | Locky Bart reads files on Windows. [1] |
| Mebromi | 2011 | -- | Mebromi reads files on Windows. [1] |
| Poison Ivy | 2005 | -- | Poison Ivy reads files on Windows. [1] |
| Redhip | 2011 | -- | Redhip reads files on Windows. [1] |
| Rombertik | 2015 | -- | Rombertik reads files on Windows. [1] |
| SamSam | 2015 | -- | SamSam reads files on Windows. [1] |
| Shamoon | 2012 | -- | Shamoon reads files on Windows. [1] |
| UP007 | 2016 | -- | UP007 reads files on Windows. [1] |

## Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| read file on Windows | Read File (C0051) | kernel32.ReadFile, ReadFileEx, NtReadFile, ZwReadFile, LZRead, _read, fread, System.IO.File::ReadAllBytes, System.IO.File::ReadAllBytesAsync, System.IO.File::ReadAllLines, System.IO.File::ReadAllLinesAsync, System.IO.File::ReadAllText, System.IO.File::ReadAllTextAsync, System.IO.File::ReadLines |
| read file via mapping | Read File (C0051) | kernel32.MapViewOfFile, kernel32.UnmapViewOfFile, kernel32.CreateFileMapping |
| read file on Linux | Read File (C0051) | fgetc, fgets, getc, getchar, read, getline, getdelim, fgetwc, getwc, fscanf, vfscanf, fread |
| read .ini file | Read File (C0051) | GetPrivateProfileInt, GetPrivateProfileString, GetPrivateProfileStruct, GetPrivateProfileSection, GetPrivateProfileSectionNames, GetFullPathName |

| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| reads_self | ReadsSelf | Read File (C0051) | NtReadFile, NtSetInformationFile, NtClose, NtCreateFile, NtOpenFile |
| accesses_sysvol | AccessesSysvol | Read File (C0051) | -- |
| antidebug_devices | AntiDBGDevices | Read File (C0051) | -- |
| antiav_detectfile | AntiAVDetectFile | Read File (C0051) | -- |
| infostealer_browser | BrowserStealer | Read File (C0051) | NtReadFile, CopyFileA, CopyFileExW, CopyFileW |
| antianalysis_detectfile | AntiAnalysisDetectFile | Read File (C0051) | -- |

## C0051 Snippet

File System::Read File
SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
Location: 0x401762

```asm
mov     r9, rdi         ; variable that will hold number of bytes actually read from file
mov     r8d, ebx        ; number of bytes to read
mov     param_2, rsi    ; pointer to buffer that will hold content read from file
mov     param_1, r12    ; handle to the device/file to read from
mov     qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
call    qword ptr [->KERNEL32.DLL::ReadFile] ; API call to read file specified in param_1
```
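The register-to-parameter mapping that the comments above spell out by hand can be recovered mechanically. The helper below is an added example, not code from MBC, capa or the analyzed sample; it assumes the Microsoft x64 calling convention (RCX, RDX, R8, R9, then the stack), Ghidra's `param_1`/`param_2` labels for RCX/RDX, and that the single `[rsp + ...]` store before the call is the fifth argument.

```python
"""Bind x64 call-site register loads to the ReadFile prototype (added helper, not MBC/capa code)."""
import re

# Microsoft x64 convention: integer args 1-4 in RCX, RDX, R8, R9; the 5th goes on the
# stack above the 32-byte shadow space. Ghidra labels RCX/RDX as param_1/param_2.
ARG_SLOTS = {"rcx": 0, "ecx": 0, "param_1": 0, "rdx": 1, "edx": 1, "param_2": 1,
             "r8": 2, "r8d": 2, "r9": 3, "r9d": 3}
# kernel32!ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped)
READFILE_PARAMS = ("hFile", "lpBuffer", "nNumberOfBytesToRead",
                   "lpNumberOfBytesRead", "lpOverlapped")
MOV_RE = re.compile(r"^\s*mov\s+(.+?),\s*(\S+)")

# The listing from the snippet above, copied here so the example runs offline.
SNIPPET = """\
mov     r9, rdi         ; variable that will hold number of bytes actually read from file
mov     r8d, ebx        ; number of bytes to read
mov     param_2, rsi    ; pointer to buffer that will hold content read from file
mov     param_1, r12    ; handle to the device/file to read from
mov     qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
call    qword ptr [->KERNEL32.DLL::ReadFile] ; API call to read file specified in param_1
"""

def recover_readfile_args(listing: str) -> dict:
    """Return {ReadFile parameter: source operand} for the movs that precede the call."""
    bound = {}
    for line in listing.splitlines():
        m = MOV_RE.match(line.split(";", 1)[0])   # strip disassembler comments first
        if not m:
            continue
        dst, src = m.group(1).strip(), m.group(2).strip()
        if dst in ARG_SLOTS:
            bound[READFILE_PARAMS[ARG_SLOTS[dst]]] = src
        elif dst.startswith("qword ptr [rsp"):
            # Assumption: the only stack store before the call is the 5th argument.
            bound[READFILE_PARAMS[4]] = "NULL" if src in ("0", "0x0") else src
    return bound

def is_complete_call(bound: dict) -> bool:
    """False when a parameter is unbound: widen the listing window or revisit the ABI assumption."""
    return all(p in bound for p in READFILE_PARAMS)

def describe_call(bound: dict) -> str:
    """Render the recovered binding as a C-style call for an analysis report."""
    return "ReadFile(" + ", ".join(f"{p}={bound.get(p, '?')}" for p in READFILE_PARAMS) + ")"
```

Running `describe_call(recover_readfile_args(SNIPPET))` yields `ReadFile(hFile=r12, lpBuffer=rsi, nNumberOfBytesToRead=ebx, lpNumberOfBytesRead=rdi, lpOverlapped=NULL)`, i.e. a synchronous read of `ebx` bytes into the buffer in `rsi`.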

## References

[1] capa v4.0, analyzed at MITRE on 10/12/2022