Yellow RAT Lab
CyberDefenders Threat Intel Lab

Scenario
During a regular IT security check at GlobalTech Industries, abnormal network traffic was detected from multiple workstations. Upon initial investigation, it was discovered that certain employees’ search queries were being redirected to unfamiliar websites. This discovery raised concerns and prompted a more thorough investigation. Your task is to investigate this incident and gather as much information as possible.
Question 1
Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?
Answer 1
The community section on VirusTotal gives a clear indication that the sample belongs to the Yellow Cockatoo RAT malware family.
Question 2
As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?
Answer 2
A quick look at the original file name on the VirusTotal details page gives the answer: 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll.
Question 3
Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?
Answer 3
The file header shows the compilation timestamp: 2020-09-24 18:26.
Question 4
Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?
Answer 4
The same page makes it easy to find the important dates and times associated with the sample, including the date of first submission: 2020-10-15 02:47.
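Answers 3 and 4 come from VirusTotal, but the compilation timestamp is just the TimeDateStamp field of the PE COFF header, which can be read offline and sanity-checked against the first-submission date (a "compile time" later than first submission is a sign the field was forged). The following is an added example, not part of the lab or this writeup; the PE stub and the `FIRST_SEEN` value are constructed for demonstration.

```python
import struct
from datetime import datetime, timezone

# First-submission date from Answer 4, used here only as a reference point.
FIRST_SEEN = datetime(2020, 10, 15, 2, 47, tzinfo=timezone.utc)


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    # e_lfanew (offset of the PE signature) lives at DOS header offset 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, _nsections, ts = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def assess_timestamp(compiled: datetime, first_seen: datetime) -> str:
    """Classify a compile time relative to when the sample was first observed."""
    if compiled.timestamp() == 0:
        return "zeroed"          # common for reproducible builds or deliberate wiping
    if compiled > first_seen:
        return "forged"          # cannot be compiled after it was already seen in the wild
    return "plausible"


def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE header stub (DOS header + PE signature + COFF header)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0x22)
    return bytes(hdr) + b"PE\0\0" + coff


# Constructed sample using the timestamp from Answer 3 (2020-09-24 18:26 UTC).
SAMPLE = build_sample_pe(1600971960)

if __name__ == "__main__":
    compiled = pe_compile_timestamp(SAMPLE)
    print(compiled.strftime("%Y-%m-%d %H:%M"), assess_timestamp(compiled, FIRST_SEEN))
```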
Question 5
To completely eradicate the threat from GlobalTech Industries’ systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?
Answer 5
This answer requires looking beyond VirusTotal. A little online research turned up a few write-ups describing what the malware drops in the AppData folder; they mainly discuss this file: solarmarker.dat.
Question 6
It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?
Answer 6
The Red Canary write-up among those also shows that the malware communicates with a C2 server named gogohid.