Screen Capture
April 3, 2025 · View on GitHub
| ID | E1113 |
| Objective(s) | Collection, Credential Access |
| Related ATT&CK Techniques | Screen Capture (T1113) |
| Version | 2.3 |
| Created | 1 August 2019 |
| Last Modified | 27 April 2024 |
Malware takes screen captures of the desktop. Attackers use this technique to gather sensitive information that is visible on screen, such as login credentials, personal data, or confidential documents. The malware can capture the screen in several ways, including operating system APIs (on Windows, the user32/gdi32 functions listed under Methods) or third-party libraries. The captured screenshots are then typically encoded and sent back to the attacker's command and control server. The technique is common in spyware, information stealers, remote access trojans, and tooling used by advanced persistent threats (APTs).
See ATT&CK: Screen Capture (T1113).
Methods
| Name | ID | Description |
|---|---|---|
| WinAPI | E1113.m01 | Screen is captured using WinAPI functions (e.g., user32.GetDesktopWindow). |
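To make the E1113.m01 API chain concrete, the following is an added example written for this page (it is not code from MBC, capa, CAPE, or any of the malware families listed below). It performs the same GetDesktopWindow, GetDC, GetSystemMetrics, CreateCompatibleDC, CreateCompatibleBitmap and BitBlt sequence from PowerShell through P/Invoke, so every user32/gdi32 function the capa rule keys on appears as an explicit import. The ScreenGrab class name and the output path are assumptions, and the capture covers the primary monitor only (SM_CXSCREEN/SM_CYSCREEN).

```powershell
# Added example for E1113.m01 (WinAPI screen capture); not code from the MBC page
# or from any listed malware. Class name 'ScreenGrab' and the output path are assumed.
Add-Type -AssemblyName System.Drawing

$signatures = @'
using System;
using System.Runtime.InteropServices;
public static class ScreenGrab {
    [DllImport("user32.dll")] public static extern IntPtr GetDesktopWindow();
    [DllImport("user32.dll")] public static extern IntPtr GetDC(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern int ReleaseDC(IntPtr hWnd, IntPtr hDC);
    [DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
    [DllImport("gdi32.dll")]  public static extern IntPtr CreateCompatibleDC(IntPtr hdc);
    [DllImport("gdi32.dll")]  public static extern IntPtr CreateCompatibleBitmap(IntPtr hdc, int w, int h);
    [DllImport("gdi32.dll")]  public static extern IntPtr SelectObject(IntPtr hdc, IntPtr hObj);
    [DllImport("gdi32.dll", SetLastError = true)]
    public static extern bool BitBlt(IntPtr hdcDest, int x, int y, int w, int h,
                                     IntPtr hdcSrc, int x1, int y1, uint rop);
    [DllImport("gdi32.dll")]  public static extern bool DeleteDC(IntPtr hdc);
    [DllImport("gdi32.dll")]  public static extern bool DeleteObject(IntPtr hObj);
}
'@
# Add-Type refuses to redefine a type in the same session, so only compile it once.
if (-not ([System.Management.Automation.PSTypeName]'ScreenGrab').Type) {
    Add-Type -TypeDefinition $signatures
}

function Invoke-DesktopCapture {
    param([string]$OutFile = (Join-Path $env:TEMP 'desktop.png'))   # assumed output path

    $SM_CXSCREEN = 0
    $SM_CYSCREEN = 1
    $SRCCOPY     = 0x00CC0020   # same raster op as 'push 0xcc0020' in the E1113.m01 snippet on this page

    # user32.GetSystemMetrics: fetch screen dimensions (primary monitor only)
    $width  = [ScreenGrab]::GetSystemMetrics($SM_CXSCREEN)
    $height = [ScreenGrab]::GetSystemMetrics($SM_CYSCREEN)

    $hWnd = [ScreenGrab]::GetDesktopWindow()           # user32.GetDesktopWindow: entire desktop
    $hSrc = [ScreenGrab]::GetDC($hWnd)                 # source device context
    $hDst = [ScreenGrab]::CreateCompatibleDC($hSrc)    # memory DC that receives the pixels
    $hBmp = [ScreenGrab]::CreateCompatibleBitmap($hSrc, $width, $height)
    $old  = [ScreenGrab]::SelectObject($hDst, $hBmp)

    # gdi32.BitBlt: copy the whole source rectangle into the memory bitmap
    $ok = [ScreenGrab]::BitBlt($hDst, 0, 0, $width, $height, $hSrc, 0, 0, $SRCCOPY)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "BitBlt failed with Win32 error $err"
    }

    # Pull the pixels out of the HBITMAP and encode them. Malware usually does this
    # step itself with gdi32.GetDIBits before compressing and exfiltrating the image;
    # here the managed GDI+ wrapper does the equivalent work.
    $image = [System.Drawing.Image]::FromHbitmap($hBmp)
    $image.Save($OutFile, [System.Drawing.Imaging.ImageFormat]::Png)
    $image.Dispose()

    # Release GDI objects in reverse order of acquisition.
    [void][ScreenGrab]::SelectObject($hDst, $old)
    [void][ScreenGrab]::DeleteObject($hBmp)
    [void][ScreenGrab]::DeleteDC($hDst)
    [void][ScreenGrab]::ReleaseDC($hWnd, $hSrc)

    return $OutFile
}

Invoke-DesktopCapture
```

On a lab host this reproduces the exact import set and call order behind the capa "capture screenshot" rule, which makes it a convenient way to exercise API-hooking or EDR telemetry before relying on that telemetry to catch the families in the table below. Note that a benign build of the same sequence (screen-sharing or screenshot utilities) looks identical at the API level; the distinguishing signal is the surrounding behaviour, such as the captured file being read back and sent to a command and control server.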
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| GoBotKR | 2019 | -- | GoBotKR is capable of capturing screenshots. [1] |
| BlackEnergy | 2007 | -- | BlackEnergy's screenshot plugin allows for collection of screenshots. [2] |
| DarkComet | 2008 | E1113.m01 | DarkComet can take screenshots of the victim's computer. [3] [5] |
| CHOPSTICK | 2015 | -- | CHOPSTICK takes snapshots of desktop and window contents. [4] |
| Hupigon | 2013 | E1113.m01 | Malware captures screenshots. [5] |
| Kovter | 2016 | E1113.m01 | Malware captures screenshots. [5] |
| Rombertik | 2015 | E1113.m01 | Malware captures screenshots. [5] |
| Snake | 2004 | -- | Malware captures screenshots. [6] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| capture screenshot | Screen Capture::WinAPI (E1113.m01) | user32.GetWindowDC, user32.GetDC, gdi32.CreateDC, gdi32.BitBlt, gdi32.GetDIBits, gdi32.CreateCompatibleDC, gdi32.CreateCompatibleBitmap, user32.GetSystemMetrics (fetch screen dimensions), user32.GetDesktopWindow (get entire desktop), BitBlt, System.Drawing.Graphics::CopyFromScreen |
| capture screenshot via keybd event | Screen Capture (E1113) | -- |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| poullight_files | Screen Capture (E1113) | -- |
| captures_screenshot | Screen Capture (E1113) | LdrGetProcedureAddress, NtCreateFile |
E1113.m01 Snippet
Collection::Screen Capture::WinAPI
SHA256: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Location: 0x4036de

```asm
push 0xcc0020                          ; raster operation code (SRCCOPY): copy the source rectangle directly onto the destination rectangle
push 0x0                               ; y-coordinate of upper left corner of source rectangle
push 0x0                               ; x-coordinate of upper left corner of source rectangle
push dword ptr [esi]                   ; handle to source device context
push eax                               ; height of source/destination rectangles
mov eax, dword ptr [esi + 0xc]
sub eax, param_2
sub param_2, ebx
push eax                               ; width of source/destination rectangles
push param_1                           ; y-coordinate of upper left corner of destination rectangle
push param_2                           ; x-coordinate of upper left corner of destination rectangle
push dword ptr [ebp + local_28]        ; handle to destination device context
call dword ptr [->GDI32.DLL::BitBlt]   ; Windows API function to transfer a rectangle of pixels from one device to another
```
References
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[3] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[4] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[5] capa v4.0, analyzed at MITRE on 10/12/2022
[6] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware