S0254 PLAINTEE
PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. 1
| Item | Value |
|---|---|
| ID | S0254 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | An older variant of PLAINTEE performs UAC bypass.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | PLAINTEE gains persistence by adding a value under the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | PLAINTEE uses cmd.exe to execute commands on the victim’s machine.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | PLAINTEE encodes C2 beacons using XOR.1 |
| enterprise | T1105 | Ingress Tool Transfer | PLAINTEE has downloaded and executed additional plugins.1 |
| enterprise | T1112 | Modify Registry | PLAINTEE uses reg add to write a Registry RunOnce value for persistence.1 |
| enterprise | T1057 | Process Discovery | PLAINTEE performs the tasklist command to list running processes.1 |
| enterprise | T1082 | System Information Discovery | PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.1 |
| enterprise | T1016 | System Network Configuration Discovery | PLAINTEE uses the ipconfig /all command to gather the victim’s IP address.1 |
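The host-side behaviours in the table above (a RunOnce write via reg add, and tasklist and ipconfig /all run through cmd.exe) map onto a small set of telemetry checks. The block below is an added example written for this page, not code from MITRE ATT&CK, the cited report or the PLAINTEE sample: it runs those checks over constructed, Sysmon-style process-creation events (the field names host, ts, parent, image and cmdline are assumptions, not a vendor schema) and alerts only when the RunOnce write and at least one discovery command occur on the same host within a time window, so a lone ipconfig /all typed by an administrator does not fire.

```python
"""Triage of process-creation telemetry for the PLAINTEE behaviours above.

Added example for this page, not code from MITRE, the cited report or the
malware. Events and field names below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events (not real captures). ws01 shows the chain the
# table describes; ws02 is an administrator running ipconfig alone.
EVENTS = [
    {"host": "ws01", "ts": 1, "parent": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" '
                r'/v upd /t REG_SZ /d C:\Users\a\AppData\Local\Temp\update.exe /f'},
    {"host": "ws01", "ts": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"host": "ws01", "ts": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "ws02", "ts": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws02", "ts": 6, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

# ATT&CK sub-technique -> pattern over the command line.
RULES = {
    "T1547.001": re.compile(r"reg(\.exe)?\s+add\b.*\\CurrentVersion\\RunOnce", re.I),
    "T1057": re.compile(r"(^|\\)tasklist(\.exe)?\b", re.I),
    "T1016": re.compile(r"(^|\\)ipconfig(\.exe)?\s+/all\b", re.I),
}
PERSISTENCE = "T1547.001"
DISCOVERY = {"T1057", "T1016"}
CMD_ONELINER = re.compile(r"cmd(\.exe)?\s+/c\b", re.I)


def match_event(ev):
    """Return the set of sub-technique IDs whose pattern matches this event."""
    hits = {tid for tid, pat in RULES.items() if pat.search(ev["cmdline"])}
    # T1059.003: the child was spawned by cmd.exe, or cmd.exe is running a
    # one-liner via /c. Checking the command line catches both shapes.
    if ev["parent"].lower().endswith("\\cmd.exe") or CMD_ONELINER.search(ev["cmdline"]):
        hits.add("T1059.003")
    return hits


def runonce_payload(cmdline):
    """Return the /d argument of a `reg add ... RunOnce` command line, i.e.
    the path Windows will launch at next logon, or None if not a RunOnce write."""
    if not RULES[PERSISTENCE].search(cmdline):
        return None
    m = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(events, window=300):
    """Return {host: sorted technique IDs} for hosts where the RunOnce write
    and at least one discovery command occur within `window` seconds.
    Requiring the chain rather than any single command keeps isolated
    tasklist/ipconfig runs by administrators out of the alert set."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append((ev["ts"], match_event(ev)))
    alerts = {}
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):
            seen = set()
            for ts, hits in seq[i:]:
                if ts - t0 > window:
                    break
                seen |= hits
            if PERSISTENCE in seen and seen & DISCOVERY:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, techs in triage(EVENTS).items():
        print(host, techs)
    for ev in EVENTS:
        path = runonce_payload(ev["cmdline"])
        if path:
            print(ev["host"], "RunOnce payload:", path)
```

RunOnce values are deleted by Windows once they execute, so a sample that relies on them must re-write the value each time it runs; repeated reg add writes to RunOnce from the same parent process are therefore a signal in their own right, and runonce_payload gives the responder the file to collect before the next logon consumes the entry.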
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0075 | Rancor | 1 |