Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family Ymacco
Trojan:Win32/Ymacco is a critical-severity Windows Trojan with a broad range of malicious capabilities. It leverages multiple execution methods (mshta, regsvr32, rundll32, PowerShell), establishes persistence via scheduled tasks, and employs various hooking techniques to evade detection or manipulate system functions. The threat also includes capabilities for data encoding, remote file operations, and BITS jobs, indicating a sophisticated, multi-stage attack.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Win32_Ymacco_YAA_2147905812_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Ymacco.YAA!MTB"
        threat_id = "2147905812"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Ymacco"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "12"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {8b 04 24 c6 00 ea 2d e3 39 46 00 05 6a 3a 46 00} //weight: 2, accuracy: High
        $x_10_2 = {80 30 73 8b 04 24 89 c6 66 ad 89 f2 58 ff 70 fb 8f 02 b9 ?? ?? ?? ?? 81 e9 ?? ?? ?? ?? 8d 34 08 b9} //weight: 10, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

9ca8f42e3d4182d95d3a8f33df161e6d52e5678174d87cd6d6315e1b374532c7

Immediately isolate the affected system to prevent further compromise. Perform a full system scan with up-to-date antivirus software to remove all detected malicious files and associated artifacts. Thoroughly investigate and remove any persistence mechanisms, such as scheduled tasks or modified registry entries. Given the sophisticated nature and broad capabilities of this threat, consider a full system reimage to ensure complete eradication, and review network logs for any signs of lateral movement or data exfiltration.