| ID | F0007 |
| Objective(s) | Defense Evasion |
| Related ATT&CK Techniques | Indicator Removal on Host: Uninstall Malicious Application (T1630.001), Indicator Removal on Host: File Deletion (T1070.004) |
| Version | 2.1 |
| Created | 14 August 2020 |
| Last Modified | 13 September 2023 |
Malware may uninstall itself to avoid detection.
See ATT&CK: Indicator Removal on Host: Uninstall Malicious Application (T1630.001), Indicator Removal on Host: File Deletion (T1070.004).
| Name | ID | Description |
|---|---|---|
| COMSPEC Environment Variable | F0007.001 | Uninstalls self via COMSPEC environment variable. |
| Name | Date | Method | Description |
|---|---|---|---|
| Terminator | 2013 | F0007.001 | The RAT evades sandboxes by terminating and removing itself (DW20.exe) after installation. [1] |
| CozyCar | 2010 | -- | CozyCar has a dll file that serves as a cleanup mechanism for its dropped binary. [2] |
| SearchAwesome | 2018 | -- | The malware will monitor if a specific file gets deleted and then will delete itself. [3] |
| WannaCry | 2017 | -- | WannaCry looks for a DNS entry and if the entry exists, it terminates and deletes itself. [4] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| self delete | Self Deletion::COMSPEC Environment Variable (F0007.001) |
[1] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf
[2] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[3] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[4] https://www.mandiant.com/resources/blog/wannacry-malware-profile