Yellow Rat — Threat Intel Lab Writeup

Hacktivities
4 min read · Mar 1, 2025


Overview

This writeup documents my approach to the lab Yellow Rat available on the CyberDefenders website, a blue team-focused cyber threat intelligence lab that requires you to examine a potential compromise.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the lab before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the lab more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

Scenario

During a regular IT security check at GlobalTech Industries, abnormal network traffic was detected from multiple workstations. Upon initial investigation, it was discovered that certain employees’ search queries were being redirected to unfamiliar websites. This discovery raised concerns and prompted a more thorough investigation. Your task is to investigate this incident and gather as much information as possible.

Lab Analysis

Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?

In VirusTotal, we can see that the provided file hash is related to a Win32 DLL file.

VirusTotal Score.

In the Relations tab, we can see a visualization of the associations this file hash has, including the name of the malware family.

VirusTotal Visualizations Tab.

In an article published by Red Canary in 2020, Yellow Cockatoo is described as a cluster of activity involving the execution of a .NET remote access trojan (RAT) that runs in memory and drops other payloads. Yellow Cockatoo has also garnered attention from other researchers, who track it under other names such as Jupyter, Solarmarker, and Polazert.

As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?

In VirusTotal under the Details tab, we can see a list of the common file names that this file has been seen to use in the wild.

Common File Names.

Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?

In VirusTotal under the Details tab, we can see the compilation timestamp, which shows the potential timeline of its development and deployment.

Compilation Time.

Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?

In VirusTotal under the Details tab, we can see the history of the file hash and when the first submission was made.

File Hash History.
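The four VirusTotal questions above (file type, common names, compilation timestamp, first submission) all come from the same `/files/{hash}` object in the VirusTotal v3 API, so they can be pulled in one request instead of read off the Details tab. The script below is an added example, not part of the original writeup or CyberDefenders' material. The endpoint and the `x-apikey` header are VirusTotal's real v3 interface; `SAMPLE_REPORT` is a constructed stand-in shaped like a v3 response, and its hash, filenames, timestamps and threat label are placeholders rather than the lab's answers.

```python
"""Reduce a VirusTotal v3 file report to the facts the lab asks about:
file type, common names, compile timestamp, first submission, threat label.

Added example (not the writeup's own code). The live fetch targets the real
VirusTotal v3 endpoint; SAMPLE_REPORT is constructed and its values are
placeholders, not the lab's answers.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Constructed sample in the shape of a v3 /files/{hash} response.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "<SHA256_PLACEHOLDER>",
        "attributes": {
            "type_description": "Win32 DLL",
            "names": ["example-dropper.dll", "update.dll", "example-dropper.dll"],
            "creation_date": 1600000000,          # PE compile timestamp (epoch)
            "first_submission_date": 1610000000,  # first seen by VirusTotal (epoch)
            "last_analysis_stats": {"malicious": 40, "undetected": 30},
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.example/sample"
            },
        },
    }
}


def _utc(epoch):
    """Epoch seconds -> ISO-8601 UTC string, or None when the field is absent."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def summarize_file_report(report):
    """Pick out the fields behind the lab questions from a v3 file object."""
    attrs = report["data"]["attributes"]
    # Keep VirusTotal's ordering but drop duplicate names.
    names = list(dict.fromkeys(attrs.get("names", [])))
    stats = attrs.get("last_analysis_stats", {})
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    compiled = attrs.get("creation_date")
    first_seen = attrs.get("first_submission_date")
    # Gap between build and first public sighting, in days (None if either is missing).
    gap_days = None
    if compiled is not None and first_seen is not None:
        gap_days = round((first_seen - compiled) / 86400)
    return {
        "sha256": report["data"]["id"],
        "file_type": attrs.get("type_description"),
        "names": names,
        "compile_time_utc": _utc(compiled),
        "first_submission_utc": _utc(first_seen),
        "days_compile_to_first_seen": gap_days,
        "malicious_votes": stats.get("malicious", 0),
        "threat_label": label,
    }


def fetch_file_report(sha256, api_key=None):
    """Live lookup against VirusTotal v3; needs an API key, so not used offline."""
    key = api_key or os.environ.get("VT_API_KEY")
    if not key:
        raise RuntimeError("set VT_API_KEY or pass api_key")
    req = urllib.request.Request(VT_FILES_ENDPOINT + sha256, headers={"x-apikey": key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_file_report(<hash>) for a real lookup.
    print(json.dumps(summarize_file_report(SAMPLE_REPORT), indent=2))
```

The compile timestamp comes from the PE header and is attacker-controlled, so treat `days_compile_to_first_seen` as a hint about the timeline rather than a fact; the first-submission date is the more trustworthy anchor for how long the sample may have circulated before anyone noticed it.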

To completely eradicate the threat from GlobalTech Industries' systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?

In VirusTotal, we do not see any references to a .dat file under the AppData folder. In the previously mentioned article published by Red Canary, one of the observed C2-related actions by Yellow Cockatoo is writing a randomly generated string to %USERPROFILE%\AppData\Roaming\solarmarker.dat, which serves as a unique identifier for the host.

It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?

Continuing to read through the article published by Red Canary, we can see that another C2-related action is the malware connecting to the C2 server (address: https://gogohid[.]com/gate?q=ENCODED_HOST_INFO) sharing a variety of host information and retrieving its first command.
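The two indicators from the Red Canary article, the solarmarker.dat host identifier in each user's AppData\Roaming folder and the gogohid[.]com C2 domain with its /gate?q= URL pattern, are exactly what the scenario's "scan other workstations" and "block its communication" goals need. The script below is an added example, not code from the writeup, CyberDefenders or Red Canary: it sweeps a set of user profile directories for the .dat file and scans proxy logs for requests to the C2 domain. The profile roots, the proxy log format and `PROXY_LOG_SAMPLE` are all constructed; only the file path and the defanged domain come from the page.

```python
"""Defender checks built from the writeup's two indicators: the
solarmarker.dat host-identifier file and the gogohid[.]com C2 domain.

Added example (not the writeup's or Red Canary's code). The proxy log
format and PROXY_LOG_SAMPLE are constructed; the .dat path and the
defanged domain are the only page-sourced values.
"""
import re
from pathlib import Path

C2_DOMAIN_DEFANGED = "gogohid[.]com"  # kept defanged at rest, refanged only for matching
MARKER_RELATIVE = Path("AppData") / "Roaming" / "solarmarker.dat"


def refang(ioc):
    """Turn a defanged indicator into the form that actually appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def windows_profile_roots(users_dir=r"C:\Users"):
    """Enumerate user profile directories on a Windows host (empty list elsewhere)."""
    base = Path(users_dir)
    return [p for p in base.iterdir() if p.is_dir()] if base.is_dir() else []


def find_marker_files(profile_roots):
    """Return the full path of solarmarker.dat for every profile that has one."""
    hits = []
    for root in profile_roots:
        candidate = Path(root) / MARKER_RELATIVE
        if candidate.is_file():
            hits.append(str(candidate))
    return hits


# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LOG_SAMPLE = """\
2025-02-20T09:12:01Z 10.1.4.22 GET https://www.example.com/search?q=printers 200
2025-02-20T09:12:07Z 10.1.4.22 GET https://gogohid.com/gate?q=ZXhhbXBsZQ== 200
2025-02-20T09:13:45Z 10.1.4.35 GET https://updates.example.net/check 304
2025-02-20T09:14:02Z 10.1.4.51 POST https://gogohid.com/gate?q=aG9zdGluZm8= 200
2025-02-20T09:15:10Z 10.1.4.22 GET https://notgogohid.com/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def find_c2_hits(log_text, c2_domain_defanged=C2_DOMAIN_DEFANGED):
    """Return (src_ip, url, is_gate_beacon) for requests whose host is the C2
    domain or one of its subdomains. Anchoring on the host part avoids false
    positives such as notgogohid.com."""
    host = re.escape(refang(c2_domain_defanged))
    host_pat = re.compile(r"^https?://(?:[^/]*\.)?" + host + r"(?::\d+)?(?:/|$)")
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-scan
        if host_pat.match(m["url"]):
            hits.append((m["src"], m["url"], "/gate?q=" in m["url"]))
    return hits


def affected_hosts(hits):
    """Distinct client IPs that talked to the C2, for follow-up triage."""
    return sorted({src for src, _url, _gate in hits})


if __name__ == "__main__":
    for path in find_marker_files(windows_profile_roots()):
        print("marker file present:", path)
    c2 = find_c2_hits(PROXY_LOG_SAMPLE)
    print("C2 requests:", c2)
    print("hosts to triage:", affected_hosts(c2))
```

Keep the domain defanged in the script and in tickets, and refang only at match time; matching on the host portion of the URL rather than a bare substring is what stops look-alike domains from producing noise.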

Conclusion

This was a short but fun threat intel lab around the Yellow Cockatoo .NET remote access trojan (RAT). I enjoyed reading more about this malware and using the graph visualizations feature in VirusTotal to answer some of the questions. Thank you for reading till the end and I hope you enjoyed this writeup!

Written by Hacktivities

Interested in all things Cyber Security and Technology.