Skip to content

S0248 yty

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. 1

Item Value
ID S0248
Associated Names
Type MALWARE
Version 1.2
Created 17 October 2018
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1005 Data from Local System yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.1
enterprise T1083 File and Directory Discovery yty gathers information on victim’s drives and has a plugin for document listing.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging yty uses a keylogger plugin to gather keystrokes.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding yty contains junk code in its binary, likely to confuse malware analysts.1
enterprise T1027.002 Software Packing yty packs a plugin with UPX.1
enterprise T1057 Process Discovery yty gets an output of running processes using the tasklist command.1
enterprise T1018 Remote System Discovery yty uses the net view command for discovery.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR “ + path_file + “/ST 09:30“.1
enterprise T1113 Screen Capture yty collects screenshots of the victim machine.1
enterprise T1082 System Information Discovery yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.1
enterprise T1016 System Network Configuration Discovery yty runs ipconfig /all and collects the domain name.1
enterprise T1033 System Owner/User Discovery yty collects the victim’s username.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. 1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication yty communicates to the C2 server by retrieving a Google Doc.1

References

  1. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.