yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. [1]

ID: S0248
Platforms: Windows

Version: 1.1

Techniques Used

EnterpriseT1009Binary Paddingyty contains junk code in its binary, likely to confuse malware analysts.[1]
EnterpriseT1005Data from Local Systemyty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.[1]
EnterpriseT1083File and Directory Discoveryyty gathers information on victim’s drives and has a plugin for document listing.[1]
EnterpriseT1056Input Captureyty uses a keylogger plugin to gather keystrokes.[1]
EnterpriseT1036Masqueradingyty contains several references to football (including "football," "score," "ball," and "loose") in a likely attempt to disguise its traffic.[1]
EnterpriseT1057Process Discoveryyty gets an output of running processes using the tasklist command.[1]
EnterpriseT1018Remote System Discoveryyty uses the net view command for discovery.[1]
EnterpriseT1053Scheduled Taskyty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR “ + path_file + “/ST 09:30“.[1]
EnterpriseT1113Screen Captureyty collects screenshots of the victim machine.[1]
EnterpriseT1045Software Packingyty packs a plugin with UPX.[1]
EnterpriseT1082System Information Discoveryyty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.[1]
EnterpriseT1016System Network Configuration Discoveryyty runs ipconfig /all and collects the domain name.[1]
EnterpriseT1033System Owner/User Discoveryyty collects the victim’s username.[1]
EnterpriseT1497Virtualization/Sandbox Evasionyty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware.[1]
EnterpriseT1102Web Serviceyty communicates to the C2 server by retrieving a Google Doc.[1]