| ID | F0005 |
|----|-------|
| Objective(s) | Defense Evasion, Persistence |
| Related ATT&CK Techniques | Hide Artifacts: Hidden Files and Directories (T1564.001) |
| Version | 2.1 |
| Created | 1 August 2019 |
| Last Modified | 12 June 2023 |

Hidden Files and Directories

Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.

This behavior is related to Unprotect technique U1230.

See ATT&CK: Hide Artifacts: Hidden Files and Directories (T1564.001).

Methods

| Name | ID | Description |
|------|----|-------------|
| Attribute | F0005.003 | Malware may change or choose an attribute to hide a file or directory. |
| Extension | F0005.001 | Malware may change or use a particular file extension to hide a file. |
| Location | F0005.002 | Malware may change or choose the location of itself, another file, or a directory to prevent detection. |
| Timestamp | F0005.004 | Malware may change the timestamp on a file to prevent detection. |

Use in Malware

| Name | Date | Method | Description |
|------|------|--------|-------------|
| GoBotKR | 2019 | -- | GoBotKR stores itself in a file with Hidden and System attributes. [1] |
| Shamoon | 2012 | F0005.004 | Malware modifies target files' time to August 2012 as an anti-forensic trick. [2] |
| CHOPSTICK | 2015 | -- | CHOPSTICK creates a hidden file for temporary storage. [3] |
| Vobfus | 2016 | F0005.002 | Vobfus is located on external drives or network shares and attaches itself to ZIP and RAR files, other removable drives, and network shares. Vobfus hides folders on the external drive and drops an executable with the same name and a disguised folder icon. [4] |
| Matanbuchus | 2021 | F0005.002 | Malware looks for a specific folder on the victim. If the folder doesn't exist, the malware creates the folder on the victim by calling CreateDirectoryA and downloads the remote file into the new folder. [5] [6] |
| Matanbuchus | 2021 | F0005.001 | The malware also appends the filename and extension .ocx to the ProgramData folder path. [5] [6] |
| WannaCry | 2017 | F0005.003 | WannaCry uses the +h attribute to hide its files. [7] |
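The following triage routine is an added example, not part of the MBC catalog or of any analysis cited above. It walks a constructed directory listing and flags one indicator per method: Hidden and System attributes set together (F0005.003, the GoBotKR and WannaCry pattern), a PE header behind a non-executable extension (F0005.001), an executable named after a hidden sibling folder (F0005.002, the Vobfus trick), and a last-write time earlier than the creation time (F0005.004). The FILE_ATTRIBUTE_* constants are the real Win32 values; the Entry type, the PE extension set and the sample listing are assumptions made for the example.

```python
from dataclasses import dataclass
# Real Windows attribute flags (Win32 FILE_ATTRIBUTE_*); everything else here is constructed.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_DIRECTORY = 0x10
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}

@dataclass
class Entry:
    name: str            # basename as listed, including extension
    attrs: int           # FILE_ATTRIBUTE_* bitmask
    head: bytes = b""    # first bytes of the file (empty for directories)
    created: int = 0     # creation time, epoch seconds
    modified: int = 0    # last-write time, epoch seconds

def triage(entries):
    """Map entry name -> list of F0005 method IDs whose indicator matched."""
    hidden_dirs = {e.name for e in entries
                   if e.attrs & FILE_ATTRIBUTE_DIRECTORY and e.attrs & FILE_ATTRIBUTE_HIDDEN}
    hits = {}
    for e in entries:
        if e.attrs & FILE_ATTRIBUTE_DIRECTORY:
            continue
        stem, dot, ext = e.name.rpartition(".")
        stem, ext = (stem, "." + ext.lower()) if dot else (e.name, "")
        found = []
        # F0005.003: Hidden and System set together, the WannaCry (+h) and GoBotKR pattern.
        if e.attrs & FILE_ATTRIBUTE_HIDDEN and e.attrs & FILE_ATTRIBUTE_SYSTEM:
            found.append("F0005.003")
        # F0005.001: content and extension disagree (PE header behind .jpg, or none behind .exe).
        if e.head and e.head.startswith(b"MZ") != (ext in PE_EXTENSIONS):
            found.append("F0005.001")
        # F0005.002: executable named after a hidden sibling folder, the Vobfus folder-icon trick.
        if ext in PE_EXTENSIONS and stem in hidden_dirs:
            found.append("F0005.002")
        # F0005.004: last-write earlier than creation; file copies cause this too, so triage only.
        if e.created and e.modified and e.modified < e.created:
            found.append("F0005.004")
        if found:
            hits[e.name] = found
    return hits
# Constructed listing of a removable drive root; 0x20 is FILE_ATTRIBUTE_ARCHIVE (a normal file).
SAMPLE = [
    Entry("Photos", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN),
    Entry("Photos.exe", 0x20, b"MZ\x90\x00", 1700000000, 1700000100),
    Entry("notes.txt", 0x20, b"hello", 1700000000, 1700000050),
    Entry("svc.ocx", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, b"MZ\x90\x00", 1700000000, 1343779200),
    Entry("holiday.jpg", 0x20, b"MZ\x90\x00", 1700000000, 1700000020),
]
```

Each hit is a lead for analyst review, not a verdict: legitimate software also ships Hidden+System files, and copying a file sets its creation time later than its last-write time.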

References

[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

[3] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

[4] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/

[5] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/

[6] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader

[7] https://www.mandiant.com/resources/blog/wannacry-malware-profile