W32/Yakes.FHJN!tr

Analysis


W32/Yakes.FHJN!tr is a generic detection for a family of trojans that use a custom polymorphic algorithm. Because the detection is generic, samples detected as W32/Yakes.FHJN!tr may differ in their exact behavior.
Below are examples of the behavior observed in this family:

  • Drops the following copies of the malware:
    • %Temp%\[Random].exe
    • %Temp%\Adobe\Reader_sl.exe
    • %ProgramFiles%\Common Files\CreativeAudio\[Random].exe
    • %AppData%\c731200

  • Creates the following registry entries to automatically execute its dropped file every time the infected user logs on:
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • value: CreativeAudio
    • data: %ProgramFiles%\Common Files\CreativeAudio\[Random].exe

    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • value: MicrosoftStCnt
    • data: %Temp%\[Random].exe

    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • value: Adobe System Incorporated
    • data: %Temp%\Adobe\Reader_sl.exe

  • Modifies the following registry entries to disable Protected Mode in Internet Explorer. Value 2500 in each zone key controls Protected Mode (0 = enabled, 3 = disabled); zones 1 to 4 are Local intranet, Trusted sites, Internet and Restricted sites respectively:
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    • value: 2500
    • data: 3

    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    • value: 2500
    • data: 3

    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • value: 2500
    • data: 3

    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    • value: 2500
    • data: 3

  • Creates the following Image File Execution Options (IFEO) entries so that Windows launches [Random].exe as the "debugger" of the named program, i.e. the malware runs in place of Malwarebytes (mbam.exe, mbamgui.exe) and System Restore (rstrui.exe) whenever they are started:
    • key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
    • value: Debugger
    • data: [Random].exe

    • key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe
    • value: Debugger
    • data: [Random].exe

    • key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    • value: Debugger
    • data: [Random].exe

  • Creates the following registry entries. The Win7zip\Uuid value serves as an infection marker, and the DisableExceptionChainValidation entry under the malware's own IFEO key turns off SEHOP (SEH overwrite protection) for its process:
    • key: HKCU\Software\Win7zip
    • value: Uuid
    • data: [Random 16-byte hexadecimal string]

    • key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Random].exe
    • value: DisableExceptionChainValidation
    • data: ""

  • The original copy of the malware is deleted after execution.
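The registry indicators above can be checked offline against a registry export collected from a suspect host. The following script is an added example written for this page, not Fortinet's tooling: it parses a `.reg` export and flags the Run-key persistence, the zone 2500 Protected Mode setting, the IFEO Debugger hijacks of mbam.exe/mbamgui.exe/rstrui.exe, the DisableExceptionChainValidation entry and the Win7zip\Uuid marker. The embedded export is constructed sample data (the file names kx83hd.exe and qw91lp.exe stand in for [Random].exe) and is not real telemetry.

```python
"""Triage a Windows .reg export for the W32/Yakes.FHJN!tr registry indicators.

Added example for this page; not Fortinet code. The sample export below is
constructed to exercise each indicator and is not telemetry from a real host.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export. A real `reg export` is UTF-16 with the same layout;
# decode it first (open(path, encoding="utf-16")) and pass the text to triage().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"CreativeAudio"="C:\\Program Files\\Common Files\\CreativeAudio\\kx83hd.exe"
"MicrosoftStCnt"="C:\\Users\\alice\\AppData\\Local\\Temp\\qw91lp.exe"
"Adobe System Incorporated"="C:\\Users\\alice\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"2500"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="kx83hd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kx83hd.exe]
"DisableExceptionChainValidation"=""

[HKEY_CURRENT_USER\Software\Win7zip]
"Uuid"="3f9a0c1e7b2d4a6c9e1f0b3d5a7c9e2f"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Key paths compared case-insensitively, as the registry itself does.
RUN_KEY = r'hkey_current_user\software\microsoft\windows\currentversion\run'
ZONES_KEY = r'hkey_current_user\software\microsoft\windows\currentversion\internet settings\zones'
IFEO_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options'
WIN7ZIP_KEY = r'hkey_current_user\software\win7zip'
KNOWN_RUN_NAMES = {'creativeaudio', 'microsoftstcnt', 'adobe system incorporated'}
HIJACKED_EXES = {'mbam.exe', 'mbamgui.exe', 'rstrui.exe'}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {lower-cased key path: {lower-cased value name: data}} from a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip the quotes and undo the doubled backslashes.
                data = data[1:-1].replace('\\\\', '\\')
            keys[current][name.lower()] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Map the parsed export to (indicator, detail) findings for this family."""
    findings: List[Tuple[str, str]] = []
    # Run-key persistence: the value names seen in this family, or any autorun from %Temp%.
    for name, data in keys.get(RUN_KEY, {}).items():
        if name in KNOWN_RUN_NAMES or '\\temp\\' in data.lower():
            findings.append(('run_persistence', f'{name} -> {data}'))
    # Protected Mode off (2500 = 3) in any of the four IE security zones.
    for zone in ('1', '2', '3', '4'):
        if keys.get(f'{ZONES_KEY}\\{zone}', {}).get('2500', '').lower() == 'dword:00000003':
            findings.append(('ie_protected_mode_off', f'Zone {zone}'))
    # IFEO: Debugger hijack of security/recovery tools, and SEHOP disabled for a binary.
    for path, values in keys.items():
        if not path.startswith(IFEO_KEY + '\\'):
            continue
        exe = path.rsplit('\\', 1)[1]
        if exe in HIJACKED_EXES and 'debugger' in values:
            findings.append(('ifeo_debugger_hijack', f'{exe} -> {values["debugger"]}'))
        if 'disableexceptionchainvalidation' in values:
            findings.append(('sehop_disabled', exe))
    # Infection marker.
    if 'uuid' in keys.get(WIN7ZIP_KEY, {}):
        findings.append(('win7zip_uuid_marker', keys[WIN7ZIP_KEY]['uuid']))
    return findings


def triage(reg_text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse an export and return its findings."""
    return find_indicators(parse_reg(reg_text))


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_REG):
        print(f'{kind:24s} {detail}')
```

Run it against a real export with `reg export HKCU hkcu.reg` and `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` on the suspect host, decode each file as UTF-16, and concatenate the texts before calling `triage()`. The %Temp% autorun check deliberately goes beyond the three named values so that a renamed [Random].exe dropped in the same location is still flagged; the unrelated OneDrive entry in the sample shows that ordinary autoruns are left alone.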

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25000 Sig Added
2019-05-03 68.24700 Sig Updated