Class: Trojan
A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.
Family: Scar
No family description
Examples
BA234BEC16A4B24CDF300E53070ADEB68875FCF13262E6A2A9A1F7BAC52A0924
70385965CFED577643C146110DD6BC19
76E6756EE64D3726995F7A041EA10A67
DA2E1C7358A545275B4150912356DD06
Tactics and Techniques: Mitre*
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
* SCRNSAVE.exe – set to malicious PE path
* ScreenSaveActive – set to ‘1’ to enable the screensaver
* ScreenSaverIsSecure – set to ‘0’ to not require a password to unlock
* ScreenSaveTimeout – sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
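A defender can audit the four registry values listed above for the current user. The following PowerShell is an added example, not part of the original entry or of MITRE's text; the function name Test-ScreensaverPersistence, the finding strings and the sample values are assumptions made for illustration.

```powershell
function Test-ScreensaverPersistence {
    param(
        # Object or hashtable with the four values; defaults to the live per-user key.
        $Settings = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop')
    )
    $raw = [string]$Settings.'SCRNSAVE.EXE'
    if ([string]::IsNullOrWhiteSpace($raw)) { return }   # no screensaver configured

    $path     = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    $trusted  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $findings = @()

    # A screensaver is a PE file that is expected to carry the .scr extension.
    if ([IO.Path]::GetExtension($path) -ne '.scr') {
        $findings += 'SCRNSAVE.EXE does not point to a .scr file'
    }
    # Screensavers shipped with Windows live in System32 / SysWOW64.
    if ([IO.Path]::GetDirectoryName($path) -notin $trusted) {
        $findings += 'screensaver binary is outside System32/SysWOW64'
    }
    # Enabled and not password-protected on resume.
    if ([string]$Settings.ScreenSaveActive -eq '1' -and
        [string]$Settings.ScreenSaverIsSecure -eq '0') {
        $findings += 'screensaver enabled with no password on resume'
    }

    [pscustomobject]@{
        Path     = $path
        Timeout  = [string]$Settings.ScreenSaveTimeout
        Sha256   = if (Test-Path -LiteralPath $path -PathType Leaf) {
                       (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                   } else { $null }
        Findings = $findings
    }
}

# Constructed sample values (not taken from a real host) for an offline run.
$sample = @{ 'SCRNSAVE.EXE' = 'C:\Users\Public\updater.exe'; ScreenSaveActive = '1'
             ScreenSaverIsSecure = '0'; ScreenSaveTimeout = '60' }
Test-ScreensaverPersistence -Settings $sample
Test-ScreensaverPersistence    # current user's live settings
```

Findings are review leads rather than verdicts: a legitimately installed third-party screensaver outside the system directories is reported the same way and should be checked by its hash and origin.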
* © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.