yty

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. [1]

ID: S0248
Type: MALWARE
Platforms: Windows
Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1009 | Binary Padding | yty contains junk code in its binary, likely to confuse malware analysts.[1]
Enterprise | T1005 | Data from Local System | yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.[1]
Enterprise | T1083 | File and Directory Discovery | yty gathers information on the victim's drives and has a plugin for document listing.[1]
Enterprise | T1056 | Input Capture | yty uses a keylogger plugin to gather keystrokes.[1]
Enterprise | T1036 | Masquerading | yty contains several references to football (including "football," "score," "ball," and "loose") in a likely attempt to disguise its traffic.[1]
Enterprise | T1057 | Process Discovery | yty gets an output of running processes using the tasklist command.[1]
Enterprise | T1018 | Remote System Discovery | yty uses the net view command for discovery.[1]
Enterprise | T1053 | Scheduled Task | yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR " + path_file + "/ST 09:30".[1]
Enterprise | T1113 | Screen Capture | yty collects screenshots of the victim machine.[1]
Enterprise | T1045 | Software Packing | yty packs a plugin with UPX.[1]
Enterprise | T1082 | System Information Discovery | yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.[1]
Enterprise | T1016 | System Network Configuration Discovery | yty runs ipconfig /all and collects the domain name.[1]
Enterprise | T1033 | System Owner/User Discovery | yty collects the victim's username.[1]
Enterprise | T1497 | Virtualization/Sandbox Evasion | yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware.[1]
Enterprise | T1102 | Web Service | yty communicates to the C2 server by retrieving a Google Doc.[1]
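As an added illustration of how a defender might hunt for the behaviours in this table (example code written for this page, not code from the page or from the yty authors), the Python below flags the SchTasks /Create /SC DAILY /TN BigData persistence command and a burst of the listed discovery commands (tasklist, net view, systeminfo, ipconfig /all) from one process. It runs over constructed process-creation log lines whose "ts host pid cmd" format is an assumption made here.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry), "ts host=.. pid=.. cmd=..".
SAMPLE_EVENTS = [
    "2024-05-01T09:31:02 host=WS01 pid=4120 cmd=tasklist",
    "2024-05-01T09:31:03 host=WS01 pid=4120 cmd=net view",
    "2024-05-01T09:31:04 host=WS01 pid=4120 cmd=systeminfo",
    "2024-05-01T09:31:05 host=WS01 pid=4120 cmd=ipconfig /all",
    '2024-05-01T09:31:06 host=WS01 pid=4120 cmd=SchTasks /Create /SC DAILY /TN BigData '
    '/TR "C:\\Users\\Public\\upd.exe" /ST 09:30',
    "2024-05-01T10:00:00 host=WS02 pid=2210 cmd=ipconfig /all",
]

EVENT_RE = re.compile(r"(\S+) host=(\S+) pid=(\d+) cmd=(.*)")
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)
TN_RE = re.compile(r'/TN\s+"?([^"\s]+)', re.I)   # task name argument
SC_RE = re.compile(r"/SC\s+(\w+)", re.I)          # schedule type argument
DISCOVERY_CMDS = ("tasklist", "net view", "systeminfo", "ipconfig /all")

def parse_event(line):
    """Split one constructed log line into (host, pid, command line) or None."""
    m = EVENT_RE.match(line)
    return (m.group(2), int(m.group(3)), m.group(4)) if m else None

def check_schtasks(cmd):
    """Return a reason string if cmd creates a scheduled task worth flagging."""
    if not SCHTASKS_RE.search(cmd):
        return None
    name = m.group(1) if (m := TN_RE.search(cmd)) else ""
    sched = m.group(1).upper() if (m := SC_RE.search(cmd)) else ""
    if name.lower() == "bigdata" and sched == "DAILY":
        return "yty-like task: /TN BigData /SC DAILY (T1053)"
    if sched == "DAILY":
        return "daily scheduled task created from a command line (T1053)"
    return None

def discovery_command(cmd):
    """Map a command line onto one of yty's discovery commands, else None."""
    norm = " ".join(cmd.lower().split())
    return next((d for d in DISCOVERY_CMDS if norm == d or norm.startswith(d + " ")), None)

def scan(lines, min_discovery=3):
    """Alerts: flagged schtasks calls, plus any (host, pid) that ran at least
    min_discovery distinct yty-style discovery commands (T1057/T1018/T1082/T1016)."""
    alerts, seen = [], defaultdict(set)
    for line in lines:
        if (ev := parse_event(line)) is None:
            continue
        host, pid, cmd = ev
        if reason := check_schtasks(cmd):
            alerts.append(f"{host} pid={pid}: {reason}")
        if d := discovery_command(cmd):
            seen[(host, pid)].add(d)
    for (host, pid), cmds in seen.items():
        if len(cmds) >= min_discovery:
            alerts.append(f"{host} pid={pid}: discovery chain {sorted(cmds)}")
    return alerts
```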

References