Yellow RAT
Category: Threat Intel
Tools: VirusTotal, Red Canary
Scenario
During a regular IT security check at GlobalTech Industries, abnormal network traffic was detected from multiple workstations. Upon initial investigation, it was discovered that certain employees' search queries were being redirected to unfamiliar websites. This discovery raised concerns and prompted a more thorough investigation. Your task is to investigate this incident and gather as much information as possible.
Questions
Q1: Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?
Searching for the malware's hash on VirusTotal reveals the family name in the Community tab.

Q2: As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?
We can find the filename in the Details tab.

Q3: Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?
The malware's history, including its compilation timestamp, is also in the Details tab.

Q4: Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?
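Questions 1 to 4 are all answered from the same VirusTotal file report, and the same fields are what you would pull when checking hashes collected from the other workstations. The script below is an added example, not part of the original writeup: it extracts the family label, common filename, compilation timestamp and first-submission time from a VirusTotal v3 file report. The embedded report is constructed to mimic the shape of `GET /api/v3/files/{hash}`; every value in it is a placeholder, not the real Yellow RAT sample's data. `fetch_report` shows the live call with the `x-apikey` header and is not exercised offline.

```python
"""Triage the VirusTotal file-report fields asked for in Q1-Q4.

Added example (not from the original writeup). SAMPLE_REPORT is CONSTRUCTED
to match the layout of the VirusTotal v3 /files/{hash} response; the values
are placeholders, not the real sample's data.
"""
import json
import urllib.request
from datetime import datetime, timezone

SAMPLE_REPORT = json.dumps({
    "data": {
        "id": "<sha256-placeholder>",
        "type": "file",
        "attributes": {
            "names": ["sample-name-placeholder.exe", "other-name.exe"],
            "meaningful_name": "sample-name-placeholder.exe",
            "creation_date": 1600000000,          # PE compile timestamp (epoch)
            "first_submission_date": 1600100000,  # first seen by VirusTotal (epoch)
            "last_analysis_stats": {
                "malicious": 40, "suspicious": 0, "undetected": 20, "harmless": 0,
            },
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.placeholder/family",
            },
        },
    }
})


def _utc(epoch: int) -> str:
    """Render a VirusTotal epoch timestamp as an unambiguous UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage_report(report_json: str) -> dict:
    """Pull the Q1-Q4 answers out of a /files/{hash} response body."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    total = sum(stats.values())
    return {
        # Q1: VirusTotal's aggregated family label (Community tab shows vendor names too)
        "family_label": attrs.get("popular_threat_classification", {}).get("suggested_threat_label"),
        # Q2: filenames seen for this hash; meaningful_name is VT's pick of the most common
        "common_filename": attrs.get("meaningful_name") or (attrs.get("names") or [None])[0],
        "all_filenames": attrs.get("names", []),
        # Q3: compile time comes from the PE header and can be forged by the author
        "compile_time": _utc(attrs["creation_date"]) if "creation_date" in attrs else None,
        # Q4: first submission is VT's own clock, so it is a reliable lower bound on age
        "first_submission": _utc(attrs["first_submission_date"]) if "first_submission_date" in attrs else None,
        "detection_ratio": f"{stats.get('malicious', 0)}/{total}" if total else None,
    }


def fetch_report(sha256: str, api_key: str) -> str:
    """Live lookup (not run offline). Needs a VirusTotal API key."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_REPORT).items():
        print(f"{key:17} {value}")
```

Note the difference between the two timestamps: the compilation timestamp is whatever the PE header says and an author can set it freely, while the first-submission time is recorded by VirusTotal and gives a trustworthy lower bound on how long the sample has existed.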

Q5: To completely eradicate the threat from GlobalTech Industries' systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?
Starting with the Behavior tab, in the File system actions section, I can't find any .dat file in the AppData folder.

So let's search somewhere else. Going back to the Community tab, where we previously found the malware family, we can explore it in the threat graph.


Open the "How to Detect Yellow Cockatoo Remote Access Trojan" node and explore the source link.

Nothing new there, so let's take a look at the references.

In the persistence phase, multiple files are created, and the .dat file we are looking for is one of them.

Q6: It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?
From the same Red Canary report used in the previous question, we can find the C2 server.
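Once the dropped filenames (Q2, Q5) and the C2 server (Q6) are known, the natural next step is to sweep the other workstations for them. The script below is an added example, not from the original writeup or the Red Canary report: it walks an AppData tree for the indicator filenames, hashes any hit, and scans DNS query log lines for the C2 domain or its subdomains. The indicator values and the log lines are constructed placeholders; substitute the real names and domain from the report. The AppData tree is built in a temporary directory so the example runs offline.

```python
"""Sweep AppData and DNS logs for the Q2/Q5/Q6 indicators.

Added example (not from the original writeup). The IOCS values, the log
lines and the AppData tree below are CONSTRUCTED placeholders.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Placeholders only: replace with the filenames and C2 host from the report.
IOCS = {
    "filenames": {"dropped-placeholder.exe", "payload-placeholder.dat"},
    "domains": {"c2-placeholder.example"},
}

# Constructed DNS log lines: "<date> <time> <workstation> query: <qname>"
SAMPLE_DNS_LOG = [
    "2024-01-10 09:12:01 WS-017 query: update.microsoft.com",
    "2024-01-10 09:12:09 WS-017 query: beacon.c2-placeholder.example",
    "2024-01-10 09:13:44 WS-042 query: c2-placeholder.example",
    "2024-01-10 09:14:02 WS-042 query: notc2-placeholder.example",  # must NOT match
    "malformed line without the expected layout",
]

DNS_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) query: (?P<qname>\S+)$")


def sweep_appdata(appdata_root: Path, filenames) -> list[dict]:
    """Find files matching the indicator names (case-insensitive) and hash them."""
    wanted = {n.lower() for n in filenames}
    hits = []
    for path in sorted(appdata_root.rglob("*")):
        if path.is_file() and path.name.lower() in wanted:
            hits.append({
                "path": str(path.relative_to(appdata_root)),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            })
    return hits


def sweep_dns_log(lines, domains) -> list[dict]:
    """Return queries for an indicator domain or any of its subdomains."""
    bad = {d.lower().rstrip(".") for d in domains}
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        qname = m["qname"].lower().rstrip(".")
        # exact match or a label boundary, so "notc2-placeholder.example" is not a hit
        if any(qname == d or qname.endswith("." + d) for d in bad):
            hits.append({"host": m["host"], "qname": qname, "ts": m["ts"]})
    return hits


def build_sample_appdata() -> Path:
    """Create a constructed AppData tree: one indicator file, one benign file."""
    root = Path(tempfile.mkdtemp(prefix="appdata-sample-"))
    roaming = root / "Roaming" / "placeholder-dir"
    roaming.mkdir(parents=True)
    (roaming / "Payload-Placeholder.DAT").write_bytes(b"constructed payload bytes")
    (root / "Local" / "Temp").mkdir(parents=True)
    (root / "Local" / "Temp" / "benign.log").write_text("nothing to see")
    return root


if __name__ == "__main__":
    # For a real sweep, pass Path.home() / "AppData" per user profile instead.
    for hit in sweep_appdata(build_sample_appdata(), IOCS["filenames"]):
        print("file hit:", hit)
    for hit in sweep_dns_log(SAMPLE_DNS_LOG, IOCS["domains"]):
        print("dns hit: ", hit)
```

Hashing each file hit matters because the same filename on another machine may be a different build; comparing the digest against the hash you looked up on VirusTotal tells you whether it is the same sample or a variant worth submitting. The label-boundary check in `sweep_dns_log` keeps look-alike domains from inflating the hit list.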
