Open Hunting - Threat Library

Openhunting Threat Library

Yahoyah

Yahoyah, W32/Seeav

(Type: Backdoor)

Yahoyah is a Trojan used by Tropic Trooper as a second-stage backdoor.

[News Analysis] Trends:

Total Trend: 1

Trend Per Year

2016

Trend Per Month

Nov 2016

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

0/36

persistence

0/113

privilege escalation

0/96

defense evasion

2/184

credential access

0/63

discovery

2/44

lateral movement

0/22

collection

0/37

command and control

2/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
						T1140 Deobfuscate/decode Files Or Information T1027 Obfuscated Files Or Information		T1518.001 Software Discovery : Security Software Discovery T1082 System Information Discovery			T1071.001 Application Layer Protocol : Web Protocols T1105 Ingress Tool Transfer

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy

2016-11-22 by Vicky Ray from Palo Alto Networks Unit 42

Basic Information (Credit @etda.or.th)

Tool: Yahoyah

Names: Yahoyah, W32/Seeav

Description: Yahoyah is a Trojan used by Tropic Trooper as a second-stage backdoor.

Category: Malware

Type: Backdoor

Information: http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

Mitre-attack: https://attack.mitre.org/software/S0388/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:yahoyah

Last-card-change: 2022-12-29

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
						T1140 DEOBFUSCATE/DECODE FILES OR INFORMATION yahoyah decrypts downloaded files before execution. T1027 OBFUSCATED FILES OR INFORMATION yahoyah encrypts its configuration file using a simple algorithm.		T1518.001 SOFTWARE DISCOVERY : SECURITY SOFTWARE DISCOVERY yahoyah checks for antimalware solution processes on the system. T1082 SYSTEM INFORMATION DISCOVERY yahoyah checks for the system’s windows os version and hostname.			T1071.001 APPLICATION LAYER PROTOCOL : WEB PROTOCOLS yahoyah uses http for c2. T1105 INGRESS TOOL TRANSFER yahoyah uses http get requests to download other files that are executed in memory.