Attachments: SCR Files

SCR Files are screensaver files used by Windows for energy saving purposes. I will create a simply binary and changing the extension from EXE to SCR.

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

SCR files are screensaver files used by Windows for energy saving purposes. Screensavers are programs that execute after a configurable time of user inactivity and consists of Portable Executable (PE) files with a .scr file extension. The windows screensaver application scrnsave.scr is located in C:\Windows\System32, and C:\Windows\sysWOW64\ on 64-bit Windows systems. The screensaver settings are stored in the Registry (HKCU: Control Panel\Desktop\ ) and can also be manipulated for persistence.

We can use Msfvenom, Phantom Evasion, Veil Framework or any tool that can generate a binary payload. As this file we will manipulate so that we can send it to our victim and have it executed.

I will use a simple payload created from the msfvenom tool, I will save it as an EXE file and from the Attacker machine I can change the extension to .scr and we can compare both payloads even though the extension has change the functionality has not been affected.

I will transfer these files onto our Windows Box and we can see the small but very valuable difference. We can see that in the description information for the EXE file is described as an Application and the SCR file is described as a Screensaver. This is good as we can confuse our target into thinking this is a normal Screensaver File.

We can see our payload running in the processes list

What about the SCR file?

Same results, but why is this??. Well scr extensions are also executables on a Windows machine we can go a bit more farther and try to make this a more credible file to open.

Spoofed Extension and Icon has been switched.

In this Example I spoofed the Extension and switched the Icon image to a more credible or safer looking icon where the user might think this is a simple image but in the following demo we can see that this is an Executable that will connect us back to our attacking machine.

Demo: