YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[1]

ID: S0388
Platforms: Windows
Version: 1.2
Created: 17 June 2019
Last Modified: 19 April 2024

Techniques Used

Domain     | ID        | Name                                                        | Use
-----------|-----------|-------------------------------------------------------------|------------------------------------------------------------------------------
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols                   | YAHOYAH uses HTTP for C2.[1]
Enterprise | T1140     | Deobfuscate/Decode Files or Information                     | YAHOYAH decrypts downloaded files before execution.[1]
Enterprise | T1105     | Ingress Tool Transfer                                       | YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File     | YAHOYAH encrypts its configuration file using a simple algorithm.[1]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery             | YAHOYAH checks for antimalware solution processes on the system.[1]
Enterprise | T1082     | System Information Discovery                                | YAHOYAH checks for the system’s Windows OS version and hostname.[1]

Groups That Use This Software

ID    | Name           | References
------|----------------|-----------
G0081 | Tropic Trooper |