S0388 YAHOYAH
YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.1
| Item | Value |
|---|---|
| ID | S0388 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 June 2019 |
| Last Modified | 23 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | YAHOYAH uses HTTP for C2.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | YAHOYAH decrypts downloaded files before execution.1 |
| enterprise | T1105 | Ingress Tool Transfer | YAHOYAH uses HTTP GET requests to download other files that are executed in memory.1 |
| enterprise | T1027 | Obfuscated Files or Information | YAHOYAH encrypts its configuration file using a simple algorithm.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | YAHOYAH checks for antimalware solution processes on the system.1 |
| enterprise | T1082 | System Information Discovery | YAHOYAH checks for the system’s Windows OS version and hostname.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0081 | Tropic Trooper | 1 |