Yellow RAT

Lab Link

Category: Threat Intel

Tools: VirusTotal Red Canary

Scenario

During a regular IT security check at GlobalTech Industries, abnormal network traffic was detected from multiple workstations. Upon initial investigation, it was discovered that certain employees' search queries were being redirected to unfamiliar websites. This discovery raised concerns and prompted a more thorough investigation. Your task is to investigate this incident and gather as much information as possible.

Questions

Q1: Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?

Searching the malware's hash on VirusTotal

Q2: As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?

we can find the filename in the details tab.

Q3: Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?

The history of the malware can be found in the details tab also.

Q4: Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?

Q5: To completely eradicate the threat from Industries' systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?

Starting by search at the behavior tab in the File system actions section but I can't find any .dat file in the AppData folder

So let's search somewhere else.. Going back to the community tab where we previously found the malware family and go to explore it in threat graph

Open the "How to Detect Yellow Cockatoo Remote Access Trojan" node and let's explore the source link

Nothing new, let's take a look at the references

In the persistence phase, There are multiple files created and the .dat file we are looking for is one of them

Q6: It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?

From the same Red Canary report used in the previous question, we can found the C2 server.

PreviousOski NextLespion

Last updated 8 months ago

hashtagLab Linkarrow-up-right

hashtagScenario

hashtagQuestions

hashtagQ1: Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?

hashtagQ2: As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?

hashtagQ3: Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?

hashtagQ4: Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?

hashtagQ5: To completely eradicate the threat from Industries' systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?

hashtagQ6: It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?