| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.001 | Web Protocols | Zeus Panda uses HTTP for C2 communications. | 
| enterprise | T1547 | Boot or Logon Autostart Execution | - | 
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Zeus Panda adds persistence by creating Registry Run keys. | 
| enterprise | T1115 | Clipboard Data | Zeus Panda can hook the GetClipboardData function to watch for clipboard pastes to collect. | 
| enterprise | T1059 | Command and Scripting Interpreter | Zeus Panda can launch remote scripts on the victim’s machine. | 
| enterprise | T1059.001 | PowerShell | Zeus Panda uses PowerShell to download and execute the payload. | 
| enterprise | T1059.003 | Windows Command Shell | Zeus Panda can launch an interface where it can execute several commands on the victim’s PC. | 
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Zeus Panda decrypts strings in the code during the execution process. | 
| enterprise | T1083 | File and Directory Discovery | Zeus Panda searches for specific directories on the victim’s machine. | 
| enterprise | T1070 | Indicator Removal | - | 
| enterprise | T1070.004 | File Deletion | Zeus Panda has a command to delete a file. It can also uninstall scripts and delete files to cover its tracks. | 
| enterprise | T1105 | Ingress Tool Transfer | Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine. | 
| enterprise | T1056 | Input Capture | - | 
| enterprise | T1056.001 | Keylogging | Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN. | 
| enterprise | T1056.004 | Credential API Hooking | Zeus Panda hooks processes by leveraging its own IAT hooked functions. | 
| enterprise | T1112 | Modify Registry | Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\PhishingFilter\ to disable phishing filters. | 
| enterprise | T1027 | Obfuscated Files or Information | Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings with AES and RC4. | 
| enterprise | T1027.010 | Command Obfuscation | Zeus Panda obfuscates the macro commands in its initial payload. | 
| enterprise | T1057 | Process Discovery | Zeus Panda checks for running processes on the victim’s machine. | 
| enterprise | T1055 | Process Injection | - | 
| enterprise | T1055.002 | Portable Executable Injection | Zeus Panda checks processes on the system and, if a process meets the necessary requirements, injects into that process. | 
| enterprise | T1012 | Query Registry | Zeus Panda checks for the existence of a Registry key and whether it contains certain values. | 
| enterprise | T1113 | Screen Capture | Zeus Panda can take screenshots of the victim’s machine. | 
| enterprise | T1518 | Software Discovery | - | 
| enterprise | T1518.001 | Security Software Discovery | Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment. | 
| enterprise | T1082 | System Information Discovery | Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system. | 
| enterprise | T1614 | System Location Discovery | - | 
| enterprise | T1614.001 | System Language Discovery | Zeus Panda queries the system’s keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN. | 
| enterprise | T1124 | System Time Discovery | Zeus Panda collects the current system time (UTC) and sends it back to the C2 server. |