YAHOYAH

YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[1]

ID: S0388
Type: MALWARE
Platforms: Windows
Contributors: Bart Parys
Version: 1.1
Created: 17 June 2019
Last Modified: 21 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

YAHOYAH uses HTTP for C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

YAHOYAH decrypts downloaded files before execution.[1]

Enterprise T1105 Ingress Tool Transfer

YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[1]

Enterprise T1027 Obfuscated Files or Information

YAHOYAH encrypts its configuration file using a simple algorithm.[1]
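The two entries above (T1140 and T1027) only say that YAHOYAH protects its configuration with a "simple algorithm" and decrypts downloaded files before running them; the page does not document the algorithm itself. The following is an added analyst helper, not YAHOYAH's code or a real sample: it assumes single-byte XOR as a stand-in for such a cipher, brute-forces the key by scoring candidate plaintexts for config-like content, and parses the recovered `key=value` configuration. The encrypted blob, the key `0x5A` and the hostname `c2.example.invalid` are constructed for the example.

```python
"""Added analyst helper: recover a configuration blob protected by a
single-byte XOR key, then parse it into key/value pairs.

Assumption: the ATT&CK page only says YAHOYAH encrypts its configuration
with a "simple algorithm" and decrypts downloaded files before executing
them; it does not document that algorithm. Single-byte XOR stands in for
such a cipher here, and the encrypted blob below is constructed for the
example. Nothing in this file is YAHOYAH's own code or a real artifact.
"""
from __future__ import annotations

import string

# Bytes an analyst expects to dominate a plaintext config: letters, digits,
# URL/assignment punctuation and line breaks.
GOOD_BYTES = frozenset(
    (string.ascii_letters + string.digits + " .,:;/=-_?&\r\n").encode()
)
PRINTABLE = frozenset(string.printable.encode())

# Substrings that make a candidate look like a C2 configuration.
MARKERS = (b"http", b"=", b":")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encryption and decryption are the same op)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Higher is more config-like: share of 'good' bytes, a heavy penalty
    per non-printable byte, and a bonus per marker substring found."""
    if not candidate:
        return 0.0
    good = sum(1 for b in candidate if b in GOOD_BYTES)
    bad = sum(1 for b in candidate if b not in PRINTABLE)
    ratio = (good - 3 * bad) / len(candidate)
    bonus = 0.25 * sum(1 for m in MARKERS if m in candidate)
    return ratio + bonus


def recover_single_byte_xor(blob: bytes, min_score: float = 0.9) -> tuple[int, bytes] | None:
    """Try all 256 keys and return (key, plaintext) for the best-scoring one.

    Returns None when no candidate looks like a plausible config, which is the
    signal that the data is not single-byte XOR (multi-byte key, a real
    cipher, or compressed/packed content) and needs a different approach.
    """
    best: tuple[float, int, bytes] | None = None
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score_plaintext(plain)
        if best is None or s > best[0]:
            best = (s, key, plain)
    score, key, plain = best  # blob may be empty; score_plaintext handles that
    if score < min_score:
        return None
    return key, plain


def parse_config(plain: bytes) -> dict[str, str]:
    """Split 'key=value' lines (CRLF or LF) into a dict; lines without '=' are skipped."""
    config: dict[str, str] = {}
    for line in plain.decode("latin-1").splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            config[k.strip()] = v.strip()
    return config


# Constructed sample: a fake config encrypted with key 0x5A. Not a real artifact.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = (
    b"c2=http://c2.example.invalid/gate.php\r\n"
    b"interval=300\r\n"
    b"campaign=demo\r\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    result = recover_single_byte_xor(SAMPLE_BLOB)
    if result is None:
        print("no plausible single-byte XOR key; try another cipher model")
    else:
        key, plain = result
        print(f"key=0x{key:02x}")
        print(parse_config(plain))
```

The scoring deliberately rewards URL and assignment characters rather than plain printability: XOR with small keys maps letters to letters, so a printability-only score would rank several wrong keys almost as high as the right one. If `recover_single_byte_xor` returns `None` for a real sample, the cipher is not what this helper assumes, and the decryption routine should be pulled from the binary instead.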

Enterprise T1518.001 Software Discovery: Security Software Discovery

YAHOYAH checks for antimalware solution processes on the system.[1]

Enterprise T1082 System Information Discovery

YAHOYAH checks for the system’s Windows OS version and hostname.[1]

Groups That Use This Software

ID Name References
G0081 Tropic Trooper [1]

References