W32/Yakes.FHJN!tr
Analysis
W32/Yakes.FHJN!tr is a generic detection for a type of trojan that uses a custom polymorphic algorithm. Since this is a generic detection, malware detected as W32/Yakes.FHJN!tr may have varying behavior.
Below are examples of some of these behaviors:
- Drops the following copies of the malware:
  - %Temp%\[Random].exe
  - %Temp%\Adobe\Reader_sl.exe
  - %ProgramFiles%\Common Files\CreativeAudio\[Random].exe
  - %AppData%\c731200
- Creates the following registry entries to automatically execute its dropped files every time the infected user logs on:
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - value: CreativeAudio
    - data: %ProgramFiles%\Common Files\CreativeAudio\[Random].exe
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - value: MicrosoftStCnt
    - data: %Temp%\[Random].exe
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - value: Adobe System Incorporated
    - data: %Temp%\Adobe\Reader_sl.exe
- Modifies the following registry entries to disable "Protected Mode" in Internet Explorer (value 2500 set to 3 in each security zone):
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    - value: 2500
    - data: 3
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    - value: 2500
    - data: 3
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    - value: 2500
    - data: 3
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    - value: 2500
    - data: 3
- Modifies the following registry entries to disable some security products (an Image File Execution Options "Debugger" value causes Windows to start the named program through the specified executable instead, so launching the security tool or System Restore runs the malware):
  - key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
    - value: Debugger
    - data: [Random].exe
  - key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe
    - value: Debugger
    - data: [Random].exe
  - key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    - value: Debugger
    - data: [Random].exe
- Creates the following registry entries:
  - key: HKCU\Software\Win7zip
    - value: Uuid
    - data: [Random 16-byte hexadecimal string]
  - key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Random}.exe
    - value: DisableExceptionChainValidation
    - data: ""
- The original copy of the malware is deleted after execution.
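The registry indicators listed above can be checked offline against a regedit export (.reg) taken from a suspect host. The following script is an added example, not Fortinet's code: it parses the export and flags the Run-key names, IFEO Debugger hijacks, zone 2500=3 settings and the Win7zip\Uuid marker from this analysis. SAMPLE_REG and the file names in it are constructed test input.

```python
import re
# Indicators from the analysis above; SAMPLE_REG is a constructed .reg export, not page data.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"CreativeAudio", "MicrosoftStCnt", "Adobe System Incorporated"}
IFEO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_TARGETS = {"mbam.exe", "mbamgui.exe", "rstrui.exe"}
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Win7zip"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ and dword only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            name, data = m.group(1), m.group(2)
            # dword values are hex; string values are quoted with backslashes doubled
            data = int(data[6:], 16) if data.startswith("dword:") else data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_yakes_indicators(reg_text):
    """Return sorted tags, one per indicator from the analysis present in the export."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k == RUN_KEY.lower():
            findings += [f"run-persistence:{n}" for n in values if n in RUN_VALUES]
        elif k.startswith(IFEO_KEY.lower() + "\\"):
            if leaf.lower() in IFEO_TARGETS and "Debugger" in values:
                findings.append(f"ifeo-hijack:{leaf.lower()}")  # security tool redirected
        elif k.startswith(ZONES_KEY.lower() + "\\") and values.get("2500") == 3:
            findings.append(f"ie-protected-mode-off:zone{leaf}")
        elif k == MARKER_KEY.lower() and "Uuid" in values:
            findings.append("infection-marker:Win7zip\\Uuid")
    return sorted(findings)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"CreativeAudio"="C:\\Program Files\\Common Files\\CreativeAudio\\k3j2h1.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="x8f0a2.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
[HKEY_CURRENT_USER\Software\Win7zip]
"Uuid"="0123456789abcdef0123456789abcdef"
"""
```

Running `find_yakes_indicators(SAMPLE_REG)` returns four tags for the constructed export while the benign OneDrive Run entry is not flagged; feed it the output of `reg export` for HKCU and HKLM to triage a real host.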
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Products listed in the detection-availability table (the per-product availability values did not survive extraction): FortiGate, Extended, FortiClient, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR.