Classe: Trojan
Um programa malicioso projetado para espionar eletronicamente as atividades do usuário (interceptar entradas de teclado, fazer capturas de tela, capturar uma lista de aplicativos ativos, etc.). As informações coletadas são enviadas ao cibercriminoso por vários meios, incluindo e-mail, FTP e HTTP (enviando dados em uma solicitação).Plataforma: Win32
O Win32 é uma API em sistemas operacionais baseados no Windows NT (Windows XP, Windows 7, etc.) que oferece suporte à execução de aplicativos de 32 bits. Uma das plataformas de programação mais difundidas do mundo.Família: Trojan.Win32.SelfDel
No family descriptionExamples
E4FEBC74A18353B45B57B80E0339847153EB825D77A2B39D42B6A1A5089A8738
80A7CF6FDDEE0DDECD9454DA74F4EE46
ECF0379778034E054DFE768004DFB8C7
0B873FB640A021C123BC353B1E2C4E56
Tactics and Techniques: Mitre*
TA0003
Persistence
The adversary is trying to maintain their foothold.
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
T1546.002
Event Triggered Execution: Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in
The following screensaver settings are stored in the Registry (
*
*
*
*
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.The following screensaver settings are stored in the Registry (
HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:*
SCRNSAVE.exe - set to malicious PE path*
ScreenSaveActive - set to '1' to enable the screensaver*
ScreenSaverIsSecure - set to '0' to not require a password to unlock*
ScreenSaveTimeout - sets user inactivity timeout before screensaver is executedAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
TA0004
Privilege Escalation
The adversary is trying to gain higher-level permissions.
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
* SYSTEM/root level
* local administrator
* user account with admin-like access
* user accounts with access to specific system or perform specific function
These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
* SYSTEM/root level
* local administrator
* user account with admin-like access
* user accounts with access to specific system or perform specific function
These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
T1546.002
Event Triggered Execution: Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in
The following screensaver settings are stored in the Registry (
*
*
*
*
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.The following screensaver settings are stored in the Registry (
HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:*
SCRNSAVE.exe - set to malicious PE path*
ScreenSaveActive - set to '1' to enable the screensaver*
ScreenSaverIsSecure - set to '0' to not require a password to unlock*
ScreenSaveTimeout - sets user inactivity timeout before screensaver is executedAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1070.004
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include
del on Windows and rm or unlink on Linux and macOS. * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.