{"description": "Enterprise techniques used by yty, ATT&CK software S0248 (v1.3)", "name": "yty (S0248)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1005", "comment": "[yty](https://attack.mitre.org/software/S0248) collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[yty](https://attack.mitre.org/software/S0248) gathers information on victim\u2019s drives and has a plugin for document listing.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[yty](https://attack.mitre.org/software/S0248) uses a keylogger plugin to gather keystrokes.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1680", "comment": "[yty](https://attack.mitre.org/software/S0248) gathers the serial number of the main disk volume.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[yty](https://attack.mitre.org/software/S0248) packs a plugin with UPX.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[yty](https://attack.mitre.org/software/S0248) contains junk code in its binary, likely to confuse malware analysts.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[yty](https://attack.mitre.org/software/S0248) gets an output of running processes using the tasklist command.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[yty](https://attack.mitre.org/software/S0248) uses the net view command for discovery.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[yty](https://attack.mitre.org/software/S0248) establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR \u201c + path_file + \u201c/ST 09:30\u201c.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[yty](https://attack.mitre.org/software/S0248) collects screenshots of the victim machine.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[yty](https://attack.mitre.org/software/S0248) gathers the computer name, CPU information, Microsoft Windows version, and runs the command systeminfo.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[yty](https://attack.mitre.org/software/S0248) runs ipconfig /all and collects the domain name.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[yty](https://attack.mitre.org/software/S0248) collects the victim\u2019s username.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[yty](https://attack.mitre.org/software/S0248) has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. (Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[yty](https://attack.mitre.org/software/S0248) communicates to the C2 server by retrieving a Google Doc.(Citation: ASERT Donot March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by yty", "color": "#66b1ff"}]}