PLAINTEE

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. ^[1]

ID: S0254

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 17 October 2018

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1112		修改注册表	PLAINTEE uses `reg add` to add a Registry Run key for persistence.^[1]
Enterprise	T1573	.001	加密通道: Symmetric Cryptography	PLAINTEE encodes C2 beacons using XOR.^[1]
Enterprise	T1547	.001	启动或登录自动启动执行: Registry Run Keys / Startup Folder	PLAINTEE gains persistence by adding the Registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce`.^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	PLAINTEE uses cmd.exe to execute commands on the victim’s machine.^[1]
Enterprise	T1548	.002	滥用权限提升控制机制: Bypass User Account Control	An older variant of PLAINTEE performs UAC bypass.^[1]
Enterprise	T1082		系统信息发现	PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.^[1]
Enterprise	T1016		系统网络配置发现	PLAINTEE uses the `ipconfig /all` command to gather the victim’s IP address.^[1]
Enterprise	T1105		输入工具传输	PLAINTEE has downloaded and executed additional plugins.^[1]
Enterprise	T1057		进程发现	PLAINTEE performs the `tasklist` command to list running processes.^[1]

Groups That Use This Software

ID	Name	References
G0075	Rancor	^[1]

References

Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.