Class: Trojan-FakeAV
A class of malicious programs that simulate the activity of antivirus software or parts of the operating system security modules. These programs are designed to extort money from users in return for the purported detection and removal of threats, which are in fact non-existent. General speaking, this malware shows many repeating pop-ups in an effort to make the user worry about the security of their system and pay for fake AV software. Additionally, Trojan-FakeAV programs prevent the computer from working properly, but do not fully inhibit the operating system in order to make the user believe that the threat is credible.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Family: Trojan-FakeAV.Win32.FlashApp.ydf
No family descriptionExamples
89EB448C016BB92C543AEDC0FFEEF057Tactics and Techniques: Mitre*
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
* © 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.