copy file

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: copy file
    namespace: host-interaction/file-system/copy
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - File System::Copy File [C0045]
    examples:
      - Practical Malware Analysis Lab 01-01.exe_:0x401440
  features:
    - or:
      - api: kernel32.CopyFile
      - api: kernel32.CopyFileEx
      - api: CopyFile2
      - api: CopyFileTransacted
      - api: LZCopy
      - api: System.IO.FileInfo::CopyTo
      - api: System.IO.File::Copy
      - basic block:
        - and:
          - number: 2 = FO_COPY
          - or:
            - api: kernel32.SHFileOperation
      - call:
        - and:
          - number: 2 = FO_COPY
          - or:
            - api: kernel32.SHFileOperation
last edited: 2023-11-24 10:35:03