This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

yty

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. ^[1]

ID: S0248

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 17 October 2018

Last Modified: 28 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		Data from Local System	yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.^[1]
Enterprise	T1083		File and Directory Discovery	yty gathers information on victim’s drives and has a plugin for document listing.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	yty uses a keylogger plugin to gather keystrokes.^[1]
Enterprise	T1027	.001	Obfuscated Files or Information: Binary Padding	yty contains junk code in its binary, likely to confuse malware analysts.^[1]
		.002	Obfuscated Files or Information: Software Packing	yty packs a plugin with UPX.^[1]
Enterprise	T1057		Process Discovery	yty gets an output of running processes using the `tasklist` command.^[1]
Enterprise	T1018		Remote System Discovery	yty uses the `net view` command for discovery.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	yty establishes persistence by creating a scheduled task with the command `SchTasks /Create /SC DAILY /TN BigData /TR " + path_file + "/ST 09:30"`.^[1]
Enterprise	T1113		Screen Capture	yty collects screenshots of the victim machine.^[1]
Enterprise	T1082		System Information Discovery	yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command `systeminfo`.^[1]
Enterprise	T1016		System Network Configuration Discovery	yty runs `ipconfig /all` and collects the domain name.^[1]
Enterprise	T1033		System Owner/User Discovery	yty collects the victim’s username.^[1]
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. ^[1]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	yty communicates to the C2 server by retrieving a Google Doc.^[1]

References

Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.