SCR Files

SCR files are screensaver files used by Windows for energy-saving purposes. I will create simple binaries and change the extension from EXE to SCR.

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

SCR files are screensaver files used by Windows for energy-saving purposes. Screensavers are programs that execute after a configurable period of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and in C:\Windows\SysWOW64\ on 64-bit Windows systems. The screensaver settings are stored in the Registry (HKCU:\Control Panel\Desktop\) and can also be manipulated for persistence.

We can use Msfvenom, Phantom Evasion, the Veil Framework or any C2 framework that can generate a binary. We will then manipulate this file so that it can be sent to the user's PC and executed there.

I will use msfvenom to create a simple reverse TCP payload, save it as an EXE file, and from the Linux box change the extension on a copy while keeping the original file. Even though the extension has been changed, both files are still the same executable they were meant to be.

I will move these onto a Windows machine, where we can see a small but very valuable difference: in the file description, the EXE file is described as an Application and the SCR file is described as a Screensaver. I will show a few examples of how we can achieve a reverse shell with these types of files.

As we can see, executing the EXE file gives us a callback on the listener set up on our Linux box.

So what about our SCR file?

We can verify that both files give us a callback to our listener. Why is this? SCR files are also executables on a Windows machine. We can go a bit further and try to make the program look more credible so that it gets executed.

Here I spoofed the extension and changed the icon. With this the file looks more credible: the file's description does not change, and the more convincing icon makes the user believe an image file is being opened. Executing it gives us a callback on our listener; your creativity will help your success. These types of procedures may help with delivery and execution on the user's machine: the file can be placed on a remote server and downloaded, or compressed into a RAR file and sent via email to avoid detection or scans.
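The defensive counterpart to the trick above is to classify a file by what its bytes are rather than by the extension or icon it carries. The following is an added example, not code from the original post: it checks for the MZ stub and the `PE\0\0` signature that every Windows executable (EXE or SCR) has, and flags PE content behind a non-executable extension or a .scr outside the System32/SysWOW64 directories named in the text. The sample bytes, file names and the `SCR_HOME` directory list are constructed for the demo.

```python
import os
import struct
import tempfile

# Extensions Windows loads directly as a PE image.
PE_EXTENSIONS = {".exe", ".scr", ".dll", ".sys", ".cpl", ".ocx", ".drv"}
# Directories where the stock screensaver binaries live (assumed from the text above).
SCR_HOME = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_pe_image(data: bytes) -> bool:
    """True when data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 4 > len(data):  # pointer past the buffer: not a usable image
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(path: str, head: bytes) -> str:
    """Compare what the content is with what the file name claims it is."""
    ext = os.path.splitext(path)[1].lower()
    if not is_pe_image(head):
        return "not-pe"
    if ext not in PE_EXTENSIONS:
        return "pe-disguised"  # executable wearing a document/image extension
    if ext == ".scr" and not path.lower().replace("/", "\\").startswith(SCR_HOME):
        return "scr-outside-system"  # screensaver PE where a user could have dropped it
    return "pe"

def scan_file(path: str) -> str:
    # 4 KiB covers the DOS stub of ordinary binaries; raise it if you see false negatives.
    with open(path, "rb") as fh:
        return classify(path, fh.read(4096))

# Constructed sample: an MZ stub with e_lfanew=0x40 pointing at 'PE\0\0'.
# Only enough header to exercise the check; it is not a runnable program.
FAKE_PE = bytearray(0x80)
FAKE_PE[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x40)
FAKE_PE[0x40:0x44] = b"PE\x00\x00"
FAKE_PE = bytes(FAKE_PE)
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 60  # constructed JPEG start-of-image marker

if __name__ == "__main__":
    samples = [("holiday.jpg", JPEG_HEAD), ("holiday.scr", FAKE_PE),
               ("holiday.jpg.exe", FAKE_PE), ("invoice.pdf", FAKE_PE)]
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples:
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(body)
            print(f"{name:16} -> {scan_file(p)}")
```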
