W32/Yakes.GAKM!tr
Analysis
W32/Yakes.GAKM!tr is a generic detection for a trojan that may download other malware onto the compromised computer. Because the detection is generic, files detected as W32/Yakes.GAKM!tr may vary in behavior.
The following are the possible symptoms demonstrated by the trojan:
- It executes svchost.exe, possibly to inject malicious code into it.
- It creates a mutex named 0BFD7EE41E31306F1BBDE145342EA180000005E8 in explorer.exe.
- It creates the following registry key, which is empty when created:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- It then modifies the same key:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Values under this key are executed every time the infected user logs on, so a dropped file registered here would run automatically. During our testing the value was set to empty; the malware could populate it later, once it downloads another malware or a component of itself.
- It performs DNS queries for the following names:
- msn.com
- go.microsoft.com
- dnsservicel2.ru
The first two are Microsoft domains that legitimate Windows components also resolve, so on their own they are weak indicators; dnsservicel2.ru is the distinctive one.
- The original copy of the malware is deleted.
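The symptoms above are host and network indicators a SOC can match against endpoint telemetry. The following is an added example written for this page, not Fortinet's code or tooling: it scores Sysmon-style events per process against the mutex, the Policies\Explorer\Run key and the DNS names listed above. The indicator values are taken from the list; the weights, the alert threshold, the folding of HKU\<SID>\ paths to HKCU\, the Mutex field (Sysmon does not log mutexes; that record is assumed to come from a sandbox or EDR report) and the sample events are assumptions made for the example.

```python
"""Score Sysmon-style events against the W32/Yakes.GAKM!tr indicators above.

Indicator values come from the analysis; weights, threshold, HKU->HKCU
folding, the Mutex field and the sample events are this example's own
assumptions and are not part of the original page.
"""
import re
from collections import defaultdict

# Indicators copied from the analysis.
YAKES_MUTEX = "0BFD7EE41E31306F1BBDE145342EA180000005E8"
YAKES_RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Assumed weights: the .ru lookup, the Explorer\Run key and the mutex are
# distinctive; msn.com and go.microsoft.com also occur in benign traffic.
YAKES_DNS_WEIGHTS = {"dnsservicel2.ru": 5, "msn.com": 1, "go.microsoft.com": 1}
ALERT_THRESHOLD = 5  # assumed: one distinctive indicator is enough to alert

# Sysmon records per-user hives as HKU\<SID>\...; fold that to HKCU\ so the
# path from the analysis compares directly. The HKU\<SID>_Classes hive does
# not match the character class and is left untouched.
_HKU_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


def normalize_hive(target):
    """Rewrite an HKU\\S-1-5-21-...\\ prefix to HKCU\\."""
    return _HKU_RE.sub(r"HKCU\\", target)


def match_event(event):
    """Return the (indicator, weight) pairs that a single event hits."""
    hits = []
    eid = event.get("EventID")
    if eid == 22:  # Sysmon DNS query
        name = event.get("QueryName", "").lower().rstrip(".")
        weight = YAKES_DNS_WEIGHTS.get(name)
        if weight:
            hits.append(("dns:" + name, weight))
    elif eid in (12, 13):  # Sysmon registry key created (12) / value set (13)
        target = normalize_hive(event.get("TargetObject", "")).lower()
        key = YAKES_RUN_KEY.lower()
        # Match the key itself or any value beneath it. The analysis saw the
        # value left empty, so the value data is deliberately not inspected.
        if target == key or target.startswith(key + "\\"):
            hits.append(("registry:Policies\\Explorer\\Run", 5))
    if "Mutex" in event:  # assumed field from a sandbox/EDR report, not Sysmon
        if event["Mutex"].upper() == YAKES_MUTEX:
            hits.append(("mutex:" + YAKES_MUTEX, 5))
    return hits


def score_processes(events):
    """Aggregate hits per originating process image."""
    scores = defaultdict(lambda: {"score": 0, "indicators": []})
    for event in events:
        for indicator, weight in match_event(event):
            entry = scores[event.get("Image", "<unknown>")]
            entry["score"] += weight
            entry["indicators"].append(indicator)
    return dict(scores)


def suspicious_images(events, threshold=ALERT_THRESHOLD):
    """Process images whose accumulated score reaches the threshold, sorted."""
    return sorted(image for image, entry in score_processes(events).items()
                  if entry["score"] >= threshold)


# Constructed sample events using Sysmon field names (SID and paths made up).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPER = r"C:\Users\bob\AppData\Local\Temp\x.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RUN_KEY_HKU = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": EXPLORER, "QueryName": "go.microsoft.com"},
    {"EventID": 22, "Image": EXPLORER, "QueryName": "msn.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.org"},
    {"EventID": 22, "Image": DROPPER, "QueryName": "dnsservicel2.ru"},
    {"EventID": 12, "Image": DROPPER, "EventType": "CreateKey", "TargetObject": RUN_KEY_HKU},
    {"EventID": 13, "Image": DROPPER, "EventType": "SetValue",
     "TargetObject": RUN_KEY_HKU + r"\update", "Details": ""},  # empty, as in the analysis
    # Mutex observed in explorer.exe, as the analysis describes (assumed report format).
    {"Image": EXPLORER, "Mutex": YAKES_MUTEX},
]

if __name__ == "__main__":
    for image, entry in sorted(score_processes(SAMPLE_EVENTS).items()):
        print(f"{entry['score']:>3}  {image}  {entry['indicators']}")
    print("alert:", suspicious_images(SAMPLE_EVENTS))
```

Because the trojan injects into svchost.exe and explorer.exe, its indicators are spread across several process images; in a real deployment sum the per-image scores per host as well, so that a dropper that only resolves dnsservicel2.ru while explorer.exe holds the mutex is still caught as one incident. The two Microsoft domains should never trigger an alert on their own.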
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR