TrojanDownloader:Win32/Yemrok.A is a trojan that silently downloads and installs other programs without the user's consent. This could include the installation of additional malware or malware components on the affected computer.
Installation
When it runs, TrojanDownloader:Win32/Yemrok.A copies itself to <system folder>\eeiaea.exe.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Payload
Contacts remote hosts
TrojanDownloader:Win32/Yemrok.A may contact the following remote hosts:
0.0.0.0 using port 6677
199.36.76.95 using port 2305
Note: 0.0.0.0 is the unspecified address and cannot be a real peer, so the first entry is likely a placeholder or unresolved value captured during automated analysis. Treat port 6677 on its own as a weak indicator and 199.36.76.95 on port 2305 as the actionable one.
Commonly, malware may contact a remote host for the following purposes:
To confirm Internet connectivity
To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected computer
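The indicators above (the dropped file under the System folder, the sample SHA-1, and the remote host/port pairs) can be turned into a small offline hunt. The following is an added example, not Microsoft's code or output: it runs those indicators over constructed, Sysmon-style records. The record field names (event, host, image, sha1, dst_ip, dst_port) are an assumption of this example, not a real telemetry schema, and the sample records are made up. It deliberately ignores a destination of 0.0.0.0 and rates a bare port-6677 connection as a weak hit, since that port is only listed against the unspecified address.

```python
"""Offline IOC matcher for the Yemrok.A indicators on this page.

Added example, not Microsoft's code. Record field names and the sample
log below are constructed for illustration.
"""
import hashlib
import ipaddress
from typing import Dict, List

# Indicators taken from the page.
DROPPED_FILE = "eeiaea.exe"  # copied into <system folder>
SAMPLE_SHA1 = "3824358df69d8faefff066cdc4fe8f6bc920daee"
C2_ENDPOINTS = {("199.36.76.95", 2305)}  # routable host:port pairs
WEAK_PORTS = {6677}  # listed only against 0.0.0.0, so the port alone is weak

# Default System folders named on the page. The malware resolves the real
# one from the OS, so both defaults are checked.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")


def is_dropped_path(path: str) -> bool:
    """True if path is <system folder>\\eeiaea.exe (case-insensitive)."""
    p = path.lower()
    return any(p == d + "\\" + DROPPED_FILE for d in SYSTEM_DIRS)


def sha1_of(data: bytes) -> str:
    """Hex SHA-1 of file contents, for comparison with SAMPLE_SHA1."""
    return hashlib.sha1(data).hexdigest()


def classify(rec: Dict) -> str:
    """Rate one record as 'strong', 'weak' or 'none'."""
    event = rec.get("event")
    if event == "file_create" and is_dropped_path(rec.get("image", "")):
        return "strong"
    if event == "process_create":
        if rec.get("sha1", "").lower() == SAMPLE_SHA1:
            return "strong"
        if is_dropped_path(rec.get("image", "")):
            return "strong"
    if event == "network_connect":
        ip, port = rec.get("dst_ip"), rec.get("dst_port")
        # 0.0.0.0 (or a malformed address) is never a real peer: skip it.
        try:
            if ipaddress.ip_address(ip).is_unspecified:
                return "none"
        except ValueError:
            return "none"
        if (ip, port) in C2_ENDPOINTS:
            return "strong"
        if port in WEAK_PORTS:
            return "weak"
    return "none"


def scan(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Group records by indicator strength, dropping non-matches."""
    hits: Dict[str, List[Dict]] = {"strong": [], "weak": []}
    for rec in records:
        level = classify(rec)
        if level in hits:
            hits[level].append(rec)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    {"event": "file_create", "host": "ws01",
     "image": r"C:\Windows\System32\eeiaea.exe"},
    {"event": "network_connect", "host": "ws01",
     "dst_ip": "199.36.76.95", "dst_port": 2305},
    {"event": "network_connect", "host": "ws01",
     "dst_ip": "0.0.0.0", "dst_port": 6677},       # placeholder, ignored
    {"event": "network_connect", "host": "ws02",
     "dst_ip": "10.0.0.5", "dst_port": 6677},      # port only: weak
    {"event": "process_create", "host": "ws03",
     "image": r"C:\Users\a\update.exe", "sha1": SAMPLE_SHA1},
    {"event": "network_connect", "host": "ws04",
     "dst_ip": "93.184.216.34", "dst_port": 443},  # benign
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for level in ("strong", "weak"):
        for rec in result[level]:
            print(level, rec["host"], rec["event"])
```

On a live host the same checks map to looking for eeiaea.exe in the System folder, hashing any suspect file with sha1_of, and reviewing outbound connections to 199.36.76.95:2305; a hit on port 6677 alone should prompt a look at the peer before anything is declared.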
This malware description was produced and published using our automated analysis system's examination of file SHA1 3824358df69d8faefff066cdc4fe8f6bc920daee.