Yakes (often detected as Trojan.Yakes or Win32/Yakes) is a generic classification used by some security vendors to identify a family of obfuscated Trojan downloaders. Its primary function is to serve as an initial foothold on a compromised system, operating stealthily to download and execute more complex and destructive secondary payloads, such as banking trojans, information stealers, or ransomware, based on instructions from its Command and Control (C2) server.
Infection Vector and Technical Capabilities
Yakes is primarily distributed via malicious email campaigns (malspam) containing obfuscated JavaScript or macro-enabled Office documents, or via drive-by downloads from compromised websites hosting exploit kits.
Its technical design is optimized for evasion and delivery:
Evasion and Packing: Yakes executables are typically heavily packed or obfuscated using custom crypters to evade static signature-based antivirus detection. The payload often decrypts itself only in memory upon execution.
C2 Communication: Once active, the Trojan establishes a covert connection to a remote C2 server, sending basic system telemetry (OS version, architecture) to register the new infection.
Payload Execution: The C2 server responds with an encrypted secondary payload. Yakes downloads this file, decrypts it, and frequently utilizes process hollowing to inject the secondary malware into a legitimate Windows process (like `explorer.exe`), hiding it from traditional monitoring tools.
Threat Assessment
A Yakes detection is a critical indicator of compromise. It signifies that the initial perimeter defenses have failed and the machine is either actively downloading or has already downloaded a severe secondary payload. The true threat level depends entirely on what Yakes was instructed to deploy.
Incident Response and Remediation
Immediate Network Isolation: The endpoint must be disconnected from the network immediately to interrupt the download of secondary payloads and prevent potential lateral movement across the LAN.
EDR Triage for Child Processes: Security analysts must utilize EDR telemetry to trace the execution tree of the Yakes process. Identifying any child processes spawned or subsequent network connections is critical to determining the full scope of the breach.
Total Re-imaging: Because Yakes acts as a dropper for advanced malware, attempting to clean the machine manually is highly risky. A complete bare-metal wipe and re-image from a trusted baseline is strongly recommended.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1105T1059T1027
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.