{"description": "Enterprise techniques used by Zeus Panda, ATT&CK software S0330 (v1.4)", "name": "Zeus Panda (S0330)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) uses HTTP for C2 communications.(Citation: Talos Zeus Panda Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) adds persistence by creating Registry Run keys.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) can launch remote scripts on the victim\u2019s machine.(Citation: GDATA Zeus Panda June 2017)\t", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) uses PowerShell to download and execute the payload.(Citation: Talos Zeus Panda Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) can launch an interface where it can execute several commands on the victim\u2019s PC.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) decrypts strings in the code during the execution process.(Citation: Talos Zeus Panda Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) searches for specific directories on the victim\u2019s machine.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) has a command to delete a file. It also can uninstall scripts and delete files to cover its track.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) can download additional malware plug-in modules and execute them on the victim\u2019s machine.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) can perform keylogging on the victim\u2019s machine by hooking the functions TranslateMessage and WM_KEYDOWN.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056.004", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) hooks processes by leveraging its own IAT hooked functions.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) modifies several Registry keys under HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\ to disable phishing filters.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", 
"showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) obfuscates the macro commands in its initial payload.(Citation: Talos Zeus Panda Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) encrypts strings with XOR. [Zeus Panda](https://attack.mitre.org/software/S0330) also encrypts all configuration and settings in AES and RC4.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) checks for running processes on the victim\u2019s machine.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) checks processes on the system and if they meet the necessary requirements, it injects into that process.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) checks for the existence of a Registry key and if it contains certain values.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) can take screenshots of the victim\u2019s machine.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim\u2019s environment.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN.(Citation: Talos Zeus Panda Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1124", "comment": "[Zeus Panda](https://attack.mitre.org/software/S0330) collects the current system time (UTC) and sends it back to the C2 server.(Citation: GDATA Zeus Panda June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Zeus Panda", "color": "#66b1ff"}]}