For350‐ContinuationOfThug - ConnorEast/Tech-Journal GitHub Wiki
This forensic analysis compares two system audits: a baseline audit (SystemAudit-prior.csv) taken before malware execution and a post-infection audit (SystemAudit.csv) taken after running "thug_simulator.exe". The investigation reveals sophisticated malware behavior combining persistence mechanisms with aggressive anti-forensics techniques designed to conceal the attack.
Known THUG.Lyfe Malware:
- svchost.exe (MD5: 5207fe630502c3ff2515dd49683c9b2e) - Masquerading as legitimate Windows service
- SecurityAdvisory.docm - Malicious document
- FrontPage.jpg - Suspicious image file
- User Activity Concealment: 35 recent file shortcuts cleared
- Persistence Established: 2 registry keys modified, 1 scheduled task created
- Privilege Escalation: 2 administrative accounts created with hardcoded passwords
- Service Manipulation: 6 legitimate Windows services activated for camouflage
Created Files: [C:\Users\All Users\*]
- account.dat
- apps.dat
- autorun.dat
- config.dat
- connections.dat
- dns.dat
- jobs.dat
- network.dat
- services.dat
- userlist.dat
Scheduled Task Created:
- WindowsUpdateCheck scheduled task
Services Activated:
- “Capability Access Manager Service”
- “Client License Service”
- “Microsoft Password Container”
- “Program Compatibility Assistant Server”
- “Windows Backup”
- “Windows Modules Installer”
ASSESSMENT: The attack demonstrates advanced threat actor capabilities with a clear focus on persistence, privilege escalation, and evidence destruction. The comprehensive anti-forensics measures indicate awareness of digital forensic techniques and deliberate attempts to evade detection and analysis.
The evidence provided for this investigation consists of the following files and hashes:
| File | MD5 Hash |
|---|---|
| data1.bin | 92910b8ec24ace49e3a6eecf3670ff57 |
| data2.bin | 5207fe630502c3ff2515dd49683c9b2e |
| data3.bin | 7fd126c4884e6d837e2ba80208163cfe |
| data4.bin | 6a2366799b5474a70e782666fb074e9f |
| thug_simulator.exe | 5682fbfe820380bb5ffcba682eacbc0a |
| thuglyfe.zip | b2662574a0ea125347cdab991829a913 |
Items Found: 7 Priority: High Location: System Services and Tasks
Description
Six Windows services changed from 'Stopped' to 'Running' between audits. These are legitimate system services that typically start during Windows updates or maintenance activities. In the context of these turning on following the installation of malware, there are a few potential reasons: malware can hide inside legitimate processes so that it does not get flagged by security software. This was found by comparing the services labelled Running and those labelled Stopped in the two audits. A malicious task had also been created. The task and the services changed are as follows:
Task Created:
- WindowsUpdateCheck scheduled task
Services Changed:
- “Capability Access Manager Service”
- “Client License Service”
- “Microsoft Password Container”
- “Program Compatibility Assistant Server”
- “Windows Backup”
- “Windows Modules Installer”
While the services themselves may be unrelated to this specific malware strain, which is part of the THUG.lyfe campaign, the change is still notable and requires explanation. Below are outputs of each individual service prior to the execution of the malware.
Following the execution of the malware, the previous services were changed from “Stopped” to “Running”. Below are images of the post-execution SystemAudit.csv document.
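The comparison described above (services that flipped from Stopped to Running, plus any task that exists only in the post-infection audit) can be scripted rather than read off by eye. The following is an added example, not the wiki's own script; it assumes an audit CSV with `Type`, `Name` and `Status` columns and uses constructed sample rows, not the real SystemAudit files.

```python
import csv
import io

# Constructed sample audits (not the real SystemAudit-prior.csv / SystemAudit.csv).
# The Type/Name/Status column layout is an assumption about the audit format.
PRIOR_AUDIT = """Type,Name,Status
Service,Windows Backup,Stopped
Service,Windows Modules Installer,Stopped
Service,Print Spooler,Running
Task,Adobe Updater,Ready
"""

POST_AUDIT = """Type,Name,Status
Service,Windows Backup,Running
Service,Windows Modules Installer,Running
Service,Print Spooler,Running
Task,Adobe Updater,Ready
Task,WindowsUpdateCheck,Ready
"""


def load_audit(text):
    """Index an audit CSV as {(Type, Name): Status}."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Type"], r["Name"]): r["Status"] for r in rows}


def diff_audits(prior_text, post_text):
    """Return (changed, added, removed) between a baseline and a later audit."""
    prior = load_audit(prior_text)
    post = load_audit(post_text)
    changed = {k: (prior[k], post[k]) for k in prior.keys() & post.keys()
               if prior[k] != post[k]}
    added = {k: post[k] for k in post.keys() - prior.keys()}
    removed = {k: prior[k] for k in prior.keys() - post.keys()}
    return changed, added, removed


def started_services(changed):
    """Names of services that went from Stopped to Running, sorted."""
    return sorted(name for (kind, name), (before, after) in changed.items()
                  if kind == "Service" and before == "Stopped" and after == "Running")


if __name__ == "__main__":
    changed, added, removed = diff_audits(PRIOR_AUDIT, POST_AUDIT)
    for name in started_services(changed):
        print(f"service started: {name}")
    for (kind, name), status in added.items():
        print(f"new {kind.lower()}: {name} ({status})")
```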
Conclusion
All of the services which have been enabled are legitimate Microsoft programs, so this alone may not be malicious. However, it is worth noting, as these services can be used by malware in order to hide. The task created runs a malicious “svchost.exe” program from a malicious folder which had been created, “C:\ProgramData\SecurityUpdate\”. The fact that both the folder and the svchost instance are disguised as legitimate Windows components shows malicious intent.
Items Found: 2 Priority: HIGH Location: User Groups and Local Users
Description: Between the two audits, two users were created, and both have two group memberships. Below are the users created by this THUG.lyfe campaign. The user and group memberships were located using the FindContent.ps1 script, while the passwords could be located using ProcExp.exe.
| Created User: | Password: | Group Membership: |
|---|---|---|
| Administrators | Secur1ty@2025 | Users, Administrators |
| SYSTEM_SERVICE | SVC@Admin99 | Users, Administrators |
Image: the administrative user accounts shown in Velociraptor, collected using the “Windows.Sys.AllUsers” artifact. This shows the malicious Administrators account and the malicious SYSTEM_SERVICE account.
Description:
Two registry keys were edited for the purpose of establishing persistence. Both registry keys that were edited now point to a malicious svchost.exe created by the THUG.lyfe malware.
| Registry Key | Registry Location | Data |
|---|---|---|
| WindowsDefender | Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | C:\ProgramData\SecurityUpdate\svchost.exe |
| SYSTEM_SERVICE | Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\ProgramData\SecurityUpdate\svchost.exe |
A “svchost.exe” file was created under “C:\ProgramData\SecurityUpdate” with a creation time of 2025-10-26T04:02:52.2257329Z, following the running of the THUG.lyfe malware. The MD5 hash of this file, “5207fe630502c3ff2515dd49683c9b2e”, matches the MD5 hash of the Image_Downloader.exe present in the “Searching For Thug Behavior Change” page.
Items Found: 3 Priority: HIGH Location: Registry [HKCU]
Description:
Three malicious files were located: svchost.exe, SecurityAdvisory.docm, and frontpage.jpg. All of these files have MD5 hashes matching the files listed in the original security report, which confirms the threat actor is “THUG.lyfe”.
| File: | File Location | MD5 |
|---|---|---|
| svchost.exe | C:\Users\All Users\SecurityUpdate | 5207fe630502c3ff2515dd49683c9b2e |
| SecurityAdvisory.docm | C:\Users\IEUser\Documents | 92910b8ec24ace49e3a6eecf3670ff57 |
| frontpage.jpg | C:\Users\public\pictures\ | 6a2366799b5474a70e782666fb074e9f |
Items Found: 10 Priority: Low Location: C:\Users\All Users
The THUG.lyfe malware performs host and network information enumeration. By understanding how the system works at a fundamental level, the malware can often adapt to new paths. All of the files are non-dangerous once the actual malware has been run. Immediate removal of these files is recommended for system functionality and security reasons.
| File: | Creation Time | Purpose |
|---|---|---|
| accounts.dat | 10/25/2025 9:06:04 | |