| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|----|----|----|----|----|----|
| C0049 | File System | None | 2.2 | 4 December 2020 | 30 April 2024 |
Malware gets file attributes.
| Name | Date | Method | Description |
|----|----|----|----|
| Dark Comet | 2008 | -- | Dark Comet gets file attributes. [1] |
| DNSChanger | 2011 | -- | DNSChanger gets file attributes. [1] |
| Gamut | 2014 | -- | Gamut gets file attributes. [1] |
| Hupigon | 2013 | -- | Hupigon gets file attributes. [1] |
| Redhip | 2011 | -- | Redhip gets file attributes. [1] |
| UP007 | 2016 | -- | UP007 gets file attributes. [1] |
| Tool: capa | Mapping | APIs |
|----|----|----|
| get file attributes | Get File Attributes (C0049) | kernel32.GetFileAttributes, ZwQueryDirectoryFile, ZwQueryInformationFile, NtQueryDirectoryFile, NtQueryInformationFile, System.IO.File::GetAttributes, System.IO.File::GetCreationTime, System.IO.File::GetCreationTimeUtc, System.IO.File::GetLastAccessTime, System.IO.File::GetLastAccessTimeUtc, System.IO.File::GetLastWriteTime, System.IO.File::GetLastWriteTimeUtc |
File System::Get File Attributes
SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
Location: 0x4094B0

```asm
push ebx                                ; save the callee-saved ebx register
mov ebx, param_1                        ; pointer to the name of the file to query
mov param_1, ebx
call FUN_00404DFC                       ; helper run on the file name before the API call
push param_1                            ; lpFileName argument for GetFileAttributesA
call KERNEL32.DLL::GetFileAttributesA   ; Windows API that returns the file's attribute flags
cmp param_1, -0x1                       ; INVALID_FILE_ATTRIBUTES (0xFFFFFFFF) means the call failed
jz LAB_004094C9                         ; on failure, branch to the error path
test param_1, 0x10                      ; test the FILE_ATTRIBUTE_DIRECTORY (0x10) bit of the result
jnz LAB_004094CD                        ; bit set: the path is a directory, continue from this address
```
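The listing above is the compiled form of a three-step check: call GetFileAttributesA, compare the result with INVALID_FILE_ATTRIBUTES, then test the FILE_ATTRIBUTE_DIRECTORY bit. The following is an added example of that check in C; it is not the sample's code and not part of capa. On Windows it calls the real Win32 API. Off Windows, a small stat()-based stand-in with the same name and return contract is assumed so the same classify function builds and runs; the probe file name and the constants assigned in the shim are likewise this example's assumptions. It also shows the caveat the listing glosses over: INVALID_FILE_ATTRIBUTES means "the call failed", not "the file does not exist", and GetLastError() is needed to tell a missing path from an inaccessible one.

```c
/*
 * Added example (not the sample's or capa's code): the source-level check that the
 * GetFileAttributesA listing compiles to. On Windows it calls the real Win32 API;
 * elsewhere a stat()-based shim with the same name and return contract stands in
 * (an assumption made only so the example builds and runs off Windows).
 */
#include <stdio.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <errno.h>
#include <sys/stat.h>
typedef uint32_t DWORD;                          /* keep the 32-bit width of the Win32 type */
#define INVALID_FILE_ATTRIBUTES  ((DWORD)-1)     /* 0xFFFFFFFF, the -0x1 compared in the listing */
#define FILE_ATTRIBUTE_READONLY  0x00000001u
#define FILE_ATTRIBUTE_DIRECTORY 0x00000010u     /* the bit tested by "test eax, 0x10" */
#define FILE_ATTRIBUTE_NORMAL    0x00000080u
#define ERROR_FILE_NOT_FOUND     2u
#define ERROR_ACCESS_DENIED      5u

static DWORD shim_last_error;
static DWORD GetLastError(void) { return shim_last_error; }

/* POSIX stand-in (assumption): maps stat() results onto Win32 attribute flags and error codes. */
static DWORD GetFileAttributesA(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) {
        shim_last_error = (errno == EACCES) ? ERROR_ACCESS_DENIED : ERROR_FILE_NOT_FOUND;
        return INVALID_FILE_ATTRIBUTES;
    }
    DWORD attrs = 0;
    if (S_ISDIR(st.st_mode))     attrs |= FILE_ATTRIBUTE_DIRECTORY;
    if (!(st.st_mode & S_IWUSR)) attrs |= FILE_ATTRIBUTE_READONLY;
    return attrs ? attrs : FILE_ATTRIBUTE_NORMAL;  /* NORMAL is only reported when no other bit is set */
}
#endif

enum path_kind { PATH_MISSING, PATH_DIRECTORY, PATH_FILE };

/* Mirrors the listing: call the API, compare the result with -1, then test the 0x10 bit. */
enum path_kind classify_path(const char *path) {
    DWORD attrs = GetFileAttributesA(path);       /* call KERNEL32.DLL::GetFileAttributesA */
    if (attrs == INVALID_FILE_ATTRIBUTES)          /* cmp eax, -0x1 / jz -> error path */
        return PATH_MISSING;                       /* GetLastError() tells "not found" from "access denied" */
    if (attrs & FILE_ATTRIBUTE_DIRECTORY)          /* test eax, 0x10 / jnz -> directory path */
        return PATH_DIRECTORY;
    return PATH_FILE;
}

/* Creates an empty regular file so the example has something besides a directory to query. */
int create_probe_file(const char *path) {
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    return fclose(f);
}

int main(void) {
    const char *probe = "c0049_probe.txt";        /* constructed file name for this example */
    if (create_probe_file(probe) != 0) { perror("create_probe_file"); return 1; }
    const char *paths[] = { ".", probe, "c0049_no_such_path" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        enum path_kind k = classify_path(paths[i]);
        const char *label = (k == PATH_DIRECTORY) ? "directory"
                          : (k == PATH_FILE)      ? "file"
                          : "missing or inaccessible";
        printf("%-20s -> %s", paths[i], label);
        if (k == PATH_MISSING) printf(" (GetLastError=%lu)", (unsigned long)GetLastError());
        printf("\n");
    }
    remove(probe);
    return 0;
}
```

When reading a decompiled sample, the pair `cmp eax, -1` followed by `test eax, 0x10` after an import of GetFileAttributes is the pattern to recognize; the C above is what a compiler emits for it, and the error branch is where the sample decides what to do when the queried path is absent or cannot be read.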
[1] capa v4.0, analyzed at MITRE on 10/12/2022