Scenario
During a regular IT security check at GlobalTech Industries, abnormal network traffic was detected from multiple workstations. Upon initial investigation, it was discovered that certain employees’ search queries were being redirected to unfamiliar websites. This discovery raised concerns and prompted a more thorough investigation. Your task is to investigate this incident and gather as much information as possible.
malware hash: 30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85
Category: Threat Intel
Tools: VirusTotal, Red Canary
Q1: Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?
This challenge gives us the file hash of the malware, so we can start by searching for it on VirusTotal. The popular threat label shown for the file does not match the answer format at all, but at least it tells us that this is Jupyter Infostealer.
Since the file has many community comments, we can go to the “Community” tab to find the name in the expected format.
Yellow Cockatoo RAT
Q2: As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?
Take a look at the file name again; it already matches the answer format for this question.
We can also go to the “Names” section of the “Details” tab to see the other names this file has been seen under, but there is still only one that matches the answer format.
111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll
Q3: Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?
PE files carry their compilation timestamp in the PE header, so if we scroll down a bit to “Portable Executable Info,” we find the compilation timestamp of this file right there.
2020-09-24 18:26
Q4: Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?
If we go to the “History” section, we can see that someone submitted this file to VirusTotal almost a month after it was compiled!
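As an added example (not part of the original write-up), the following Python reads the COFF TimeDateStamp that VirusTotal reports under Portable Executable Info (Q3) and cross-checks it against the first-submission date (Q4), since the compile stamp is attacker-controlled and only worth trusting when an independent date agrees with it. The sample PE bytes and both epoch values are constructed here to match the dates above, not taken from the challenge file.

```python
import struct
from datetime import datetime, timezone

def read_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch).

    Layout: 'MZ' DOS header with e_lfanew at offset 0x3C, then the 4-byte
    'PE\\0\\0' signature, then the 20-byte COFF file header whose
    TimeDateStamp field is at offset 4 within that header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp

def format_timestamp(ts: int) -> str:
    """Render the stamp the way VirusTotal shows it (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def assess_timestamp(compile_ts: int, first_seen_ts: int) -> str:
    """The COFF stamp is written by the build tool and is trivially editable,
    so cross-check it against an independent date such as first submission."""
    if compile_ts == 0:
        return "zeroed (reproducible build or deliberately stripped)"
    if compile_ts > first_seen_ts:
        return "after first submission: likely forged"
    days = (first_seen_ts - compile_ts) / 86400
    return f"{days:.1f} days before first submission"

def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE-shaped blob (not the challenge sample): a bare
    DOS header, e_lfanew pointing at 0x40, PE signature, one COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    COMPILED = 1600971960    # constructed: 2020-09-24 18:26:00 UTC
    FIRST_SEEN = 1602730020  # constructed: 2020-10-15 02:47:00 UTC
    ts = read_compile_timestamp(build_sample_pe(COMPILED))
    print(format_timestamp(ts), "|", assess_timestamp(ts, FIRST_SEEN))
```

Run it against a real file with `read_compile_timestamp(open(path, "rb").read())`; a zeroed or future-dated stamp is a signal to lean on first-seen data instead.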
2020-10-15 02:47
Q5: To completely eradicate the threat from Industries’ systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?
The answer comes from Red Canary’s write-up on Yellow Cockatoo: https://redcanary.com/blog/threat-intelligence/yellow-cockatoo/
solarmarker.dat
Q6: It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?
Red Canary also lists the C2 URL so that readers can add it to their blocklists, so we can use it as the answer to this question too!
https://gogohid[.]com