| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Enterprise | T1005 | | Data from Local System | yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.[1] |
| Enterprise | T1113 | | Screen Capture | |
| Enterprise | T1083 | | File and Directory Discovery | yty gathers information on the victim's drives and has a plugin for document listing.[1] |
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding | yty contains junk code in its binary, likely to confuse malware analysts.[1] |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1082 | | System Information Discovery | yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command |
| Enterprise | T1033 | | System Owner/User Discovery | |
| Enterprise | T1016 | | System Network Configuration Discovery | |
| Enterprise | T1102 | .002 | Web Service: Bidirectional Communication | yty communicates with the C2 server by retrieving a Google Doc.[1] |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks | yty has some basic anti-sandbox checks that try to detect Virtual PC, Sandboxie, and VMware.[1] |
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1057 | | Process Discovery | yty gets an output of running processes using the |
| Enterprise | T1018 | | Remote System Discovery | |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | yty establishes persistence by creating a scheduled task with the command |