Introduction

During a regular IT security check at GlobalTech Industries, abnormal network traffic was detected from multiple workstations. Upon initial investigation, it was discovered that certain employees' search queries were being redirected to unfamiliar websites. This discovery raised concerns and prompted a more thorough investigation. Your task is to investigate this incident and gather as much information as possible.

Objective

Analyze malware artifacts using threat intelligence platforms like VirusTotal to identify IOCs, C2 servers, and understand adversary tactics.

Sources:

VirusTotal Report: VirusTotal — File — 30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85

RedCanary Blog: How to detect Yellow Cockatoo remote access trojan
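The objective above is to pull triage facts (filename, compile time, first-seen time, hashes) out of a VirusTotal report. As an added example, not part of this write-up or of the lab, here is a small Python helper that does that over a constructed response shaped like a VirusTotal API v3 file object (the `names`, `creation_date`, `first_submission_date` and `last_analysis_stats` fields are the v3 attribute names as I know them; the hash, filename and dates are the ones reported later in this write-up, while the name list and detection counts are made up), and then compares a hash collected from another workstation against the IOC case-insensitively:

```python
from collections import Counter
from datetime import datetime, timezone


def _epoch(y, mo, d, h, mi):
    """UTC calendar fields -> Unix epoch seconds (VirusTotal reports dates as epochs)."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


# Constructed stand-in for the JSON a GET /api/v3/files/<sha256> call returns.
# Hash, filename and dates are the ones this write-up reports; the submitted
# name list and the analysis counts are made up for the example.
SAMPLE_VT_RESPONSE = {
    "data": {
        "type": "file",
        "id": "30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85",
        "attributes": {
            "sha256": "30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85",
            "md5": "4eb6170524b5e18d95bb56b937e89b36",
            "names": [
                "111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll",
                "sample.bin",
                "111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll",
            ],
            "creation_date": _epoch(2020, 9, 24, 18, 26),
            "first_submission_date": _epoch(2020, 10, 15, 2, 47),
            "last_analysis_stats": {
                "malicious": 55, "suspicious": 0, "undetected": 15, "harmless": 0,
            },
        },
    }
}


def _fmt(epoch):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM' in UTC, or None when the field is absent."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


def summarize_vt_file(response):
    """Pull the fields an analyst needs for triage out of a VT file object."""
    attrs = response["data"]["attributes"]
    names = Counter(attrs.get("names", []))
    stats = attrs.get("last_analysis_stats", {})
    return {
        "sha256": attrs["sha256"].lower(),
        "md5": attrs["md5"].lower(),
        # Most frequently reported filename: the name to sweep other hosts for.
        "most_common_name": names.most_common(1)[0][0] if names else None,
        "compiled": _fmt(attrs.get("creation_date")),
        "first_submitted": _fmt(attrs.get("first_submission_date")),
        "detection_ratio": (f"{stats.get('malicious', 0)}/{sum(stats.values())}"
                            if stats else None),
    }


def matches_ioc(hash_value, summary):
    """Case-insensitive comparison of a hash collected from a host against the IOC."""
    h = hash_value.strip().lower()
    return h in (summary["sha256"], summary["md5"])


if __name__ == "__main__":
    s = summarize_vt_file(SAMPLE_VT_RESPONSE)
    for k, v in s.items():
        print(f"{k:18} {v}")
    print(matches_ioc("30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85", s))
```

Hashes are lower-cased on both sides because EDR exports, VirusTotal and hand-typed IOC lists disagree on case, and a sweep that compares raw strings will silently miss matches.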

Key Findings

Yellow Cockatoo typically begins with search engine poisoning or redirection, where a user searching for a document, installer, or software tool is silently led to a malicious site.

The victim is then offered an executable to download that is named after the original search term and disguised with a document-like appearance, often using a Microsoft Word-style icon to reduce suspicion.

Once launched, the malware relies heavily on obfuscated PowerShell, Base64 decoding, and XOR logic to reconstruct and execute a hidden .NET payload directly in memory.

Persistence is achieved through Startup folder shortcuts, and the malware stores a unique victim identifier in %USERPROFILE%\AppData\Roaming\solarmarker.dat before contacting its C2 at gogohid[.]com.

Red Canary also observed tasking that allowed the RAT to download files, execute PowerShell, and perform process hollowing using c:\windows\system32\msinfo32.exe.

Investigation Timeline

1. Initial Access

The intrusion starts when the victim performs a normal web search and is redirected to a malicious page controlled by the threat actor rather than the expected legitimate result. This matters because the attack does not rely on a phishing email in the traditional sense; instead, it abuses user trust in search results and download behavior. From a SOC perspective, this stage may leave only weak host artifacts at first, which is why web filtering, DNS telemetry, and browser download monitoring become important early signals.

2. Malicious File Delivery

On the malicious site, the victim is encouraged to download an executable whose filename closely matches the search term they originally entered. That small detail is important because it makes the file look contextually relevant, which increases the likelihood that the user will run it without hesitation. Red Canary noted that these executables are often made to resemble document-related or productivity-themed files, which helps the malware blend into routine user activity.

3. First Execution

After the victim opens the file, the malware begins execution through a staged process rather than immediately dropping a clearly visible payload. The initial binary creates command-line activity and generates a similarly named temporary file, which is one of the first useful behavioral clues defenders can hunt for. At this point, the infection starts to shift from a fake document delivery event into a PowerShell-driven loader chain.

4. PowerShell Deobfuscation

The next stage relies on obfuscated PowerShell commands that decode hidden content using Base64 and XOR operations. This is one of the most important parts of the attack because the malware avoids presenting defenders with a simple, readable script on disk. Instead, the attacker forces defenders to rely on command-line telemetry, PowerShell logs, and script block visibility to reconstruct what happened. For hunting, strings such as Base64-related content, decoding routines, and use of the -bxor operator become valuable indicators because Red Canary specifically highlighted those behaviors as part of Yellow Cockatoo activity.

5. Persistence Setup

Once the loader has prepared the next stage, it establishes persistence by creating .lnk shortcut files in the Startup path. This means the malware does not need to rely only on the initial user execution; it can survive reboot and logon events and relaunch automatically. The persistence mechanism is especially notable because it blends user-level access with a simple but effective Windows startup technique rather than a noisy service installation or driver-based method.

6. In-Memory .NET Loading

After persistence is in place, PowerShell uses System.Reflection.Assembly to load a .NET assembly directly into memory. This is a major defense evasion advantage for the attacker because it reduces the chance of defenders recovering a clean final-stage payload from disk. In many environments, this stage is where the investigation shifts from simple malware execution into reflective loading and memory-based tradecraft, which is why endpoint telemetry becomes more valuable than file-based scanning alone.

7. Host Identification

Before fully operating as a RAT, the malware gathers host details and builds a victim profile. Red Canary observed that the malware collects information such as the computer name, operating system version, CPU architecture, workgroup, and privilege level, then uses this information during check-in. The malware also creates or references %USERPROFILE%\AppData\Roaming\solarmarker.dat, which stores a unique identifier for the infected host and helps the operator track systems consistently across sessions.

8. Command-and-Control Check-In

The malware then contacts its command-and-control infrastructure using HTTPS requests to gogohid[.]com. A check-in URL pattern observed by Red Canary was https://gogohid[.]com/gate?q=..., where the query contains encoded host information. This pattern is important because the traffic may appear superficially normal as encrypted web communication, yet the timing and destination can still stand out in network logs, proxy data, or DNS records.

9. Tasking and Operator Control

Once connected, Yellow Cockatoo enters a loop in which it receives instructions from the C2, executes them locally, and reports the result back to the operator. Red Canary observed a completion URL pattern such as https://gogohid[.]com/success?i=..., which is used to notify the attacker that the assigned command finished successfully. This behavior confirms that the malware is not just a downloader but a functioning remote access trojan capable of interactive follow-on activity.
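Steps 8 and 9 describe two URL shapes on the same C2 domain: the /gate?q= check-in and the /success?i= task-completion call. As an added example, not taken from the write-up or from Red Canary, the Python below runs that pattern over a constructed proxy log (format "timestamp host method url status", made up for the example), refangs the IOC domain from the IOC list, counts each endpoint per source host, and reports the median gap between check-ins, which is the regularity a defender would look for when the traffic is otherwise just HTTPS:

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Defanged C2 domain, exactly as the IOC list gives it.
C2_DOMAIN_DEFANGED = "gogohid[.]com"

# Constructed proxy log: "<timestamp> <source host> <method> <url> <status>".
# The two URL shapes mirror the /gate?q= and /success?i= patterns Red Canary reported.
SAMPLE_PROXY_LOG = """\
2024-01-10T09:00:05Z ws-0141 GET https://www.example.com/ 200
2024-01-10T09:00:12Z ws-0141 GET https://gogohid.com/gate?q=aGVsbG8 200
2024-01-10T09:01:12Z ws-0141 GET https://gogohid.com/gate?q=aGVsbG8 200
2024-01-10T09:02:12Z ws-0141 GET https://gogohid.com/gate?q=aGVsbG8 200
2024-01-10T09:02:30Z ws-0141 GET https://gogohid.com/success?i=17 200
2024-01-10T09:03:00Z ws-0207 GET https://mail.example.com/inbox 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(indicator):
    """'gogohid[.]com' -> 'gogohid.com' so the IOC can be compared with live log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line):
    """One proxy log line -> dict, or None for lines that do not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, host, method, url, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "method": method, "url": url, "status": int(status)}


def classify(url, c2_domain):
    """Label a URL by the C2 endpoint it hits, or None if it is not C2 traffic."""
    parts = urlsplit(url)
    if parts.hostname != c2_domain:
        return None
    qs = parse_qs(parts.query)
    if parts.path == "/gate" and "q" in qs:
        return "checkin"          # encoded host profile sent on check-in
    if parts.path == "/success" and "i" in qs:
        return "task_complete"    # implant reporting a finished task
    return "other_c2_contact"


def analyze(log_text, c2_defanged=C2_DOMAIN_DEFANGED):
    """Per source host: C2 endpoint counts plus the median gap between check-ins."""
    c2 = refang(c2_defanged)
    per_host = defaultdict(lambda: {"checkin": 0, "task_complete": 0,
                                    "other_c2_contact": 0, "checkin_times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["url"], c2)
        if kind is None:
            continue
        per_host[rec["host"]][kind] += 1
        if kind == "checkin":
            per_host[rec["host"]]["checkin_times"].append(rec["ts"])
    report = {}
    for host, d in per_host.items():
        times = sorted(d["checkin_times"])
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report[host] = {
            "checkin": d["checkin"],
            "task_complete": d["task_complete"],
            "other_c2_contact": d["other_c2_contact"],
            # A steady gap is the beaconing signal; None when fewer than two check-ins.
            "median_checkin_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return report


if __name__ == "__main__":
    for host, summary in analyze(SAMPLE_PROXY_LOG).items():
        print(host, summary)
```

Matching on the parsed hostname rather than a substring of the URL avoids false hits on look-alike hosts such as "gogohid.com.example.net" and lets the same function take a different IOC domain without edits.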

10. Follow-On Payload Delivery

The malware supports commands that download and execute additional files, including full executables delivered from attacker infrastructure. It also supports the download and execution of PowerShell scripts, which gives the operator a flexible way to stage more tooling without changing the base implant significantly. From a defender's perspective, this makes Yellow Cockatoo a platform for continued compromise rather than a one-time nuisance infection.

11. Process Hollowing

One of the more advanced behaviors documented by Red Canary is the use of process hollowing against c:\windows\system32\msinfo32.exe. In this technique, the malware prepares a payload in memory, starts a legitimate process, and then replaces or injects its contents so the malicious code runs under the appearance of a trusted Windows binary. This step significantly complicates detection because the resulting process name can look harmless unless analysts inspect parent-child relationships, memory behavior, and unusual network activity.

12. Why the Case Matters

This investigation shows that Yellow Cockatoo is effective not because of a single sophisticated exploit, but because it chains together believable delivery, obfuscated PowerShell, memory execution, reliable persistence, and flexible C2 tasking. It also shows why defenders should not rely only on antivirus verdicts, since much of the malicious value comes from the behavior chain rather than a single dropped file. For a SOC analyst, the strongest detection story comes from linking the full sequence: suspicious download, query-themed executable, PowerShell decoding, Startup shortcut creation, in-memory .NET loading, host ID storage, and outbound traffic to known C2 infrastructure.

MITRE ATT&CK Mapping

  • T1189 — Drive-by Compromise: The infection begins when a user is redirected from a search result to a malicious site hosting the fake download.
  • T1059.001 — PowerShell: The malware heavily relies on PowerShell to decode, stage, and execute the malicious payload.
  • T1027 — Obfuscated/Compressed Files and Information: Base64 encoding and XOR logic are used to hide the true script content.
  • T1547.001 — Startup Folder: Persistence is created through .lnk files in the Startup path.
  • T1620 — Reflective Code Loading: The .NET payload is loaded into memory using System.Reflection.Assembly.
  • T1082 — System Information Discovery: Host details such as system name, OS, architecture, and privilege level are collected.
  • T1071.001 — Web Protocols: The RAT communicates with its C2 using HTTPS.
  • T1105 — Ingress Tool Transfer: The malware downloads additional executables and scripts from attacker-controlled infrastructure.
  • T1055.012 — Process Hollowing: A downloaded payload is injected into msinfo32.exe for stealthier execution.

IOCs

  • SHA256: 30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85
  • MD5: 4EB6170524B5E18D95BB56B937E89B36
  • Malware names: Yellow Cockatoo, Jupyter, Solarmarker, Polazert.
  • Primary C2 domain: gogohid[.]com
  • Observed IP: 45.146.165[.]221
  • Host ID file: %USERPROFILE%\AppData\Roaming\solarmarker.dat
  • Process targeted for hollowing: c:\windows\system32\msinfo32.exe
  • Variant string: DN-DN/FB1
  • Related filenames seen in campaigns: docx2rtf.exe, docx2rtf-setup-v1.0-x64.exe, photodesigner7_x86-64.exe, Expert_PDF.exe

Recommendations

  • Hunt for PowerShell command lines containing Base64 decode routines, because this is one of the earliest repeated behaviors associated with the loader.
  • Create detections for PowerShell using the -bxor operator, since Red Canary specifically highlighted XOR-based deobfuscation in this malware chain.
  • Monitor for .lnk file creation in Startup folders, especially when the shortcut launches PowerShell or command interpreters.
  • Alert on PowerShell referencing System.Reflection.Assembly, since that may indicate reflective loading of a .NET payload.
  • Investigate any unusual execution involving msinfo32.exe when preceded by suspicious download, script, or injection behavior.
  • Correlate endpoint telemetry with DNS, proxy, and web logs to identify systems communicating with gogohid[.]com or similar infrastructure.
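The deobfuscation, persistence and in-memory loading steps above, together with the first four recommendations, reduce to a handful of host-side hunting rules. As an added example, not code from the write-up or from Red Canary, the Python below applies those rules to constructed process and file events (shaped loosely like EDR telemetry; the command line is a harmless stand-in built in the script that mimics the Base64 + -bxor + System.Reflection.Assembly pattern, not a real sample), tags each hit with the ATT&CK technique from the mapping section, and includes an analyst helper that undoes the single-byte XOR and Base64 wrapping so the decoded content can be reviewed from the command-line telemetry alone:

```python
import base64
import re

# Constructed, harmless stand-in for the hidden stage: plain text XOR'd with a
# single-byte key and Base64-encoded, mimicking the Base64 + -bxor pattern the
# write-up describes. Not a real Yellow Cockatoo payload.
XOR_KEY = 0x2A
INNER_TEXT = b"Write-Host demo"
STAGE_B64 = base64.b64encode(bytes(c ^ XOR_KEY for c in INNER_TEXT)).decode()

# Constructed telemetry in the rough shape of EDR process / file events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": "powershell.exe",
     "cmdline": ("powershell.exe -w hidden -c \"$b=[Convert]::FromBase64String('"
                 + STAGE_B64 + "');$p=$b|%{$_ -bxor 0x2a};"
                 "[System.Reflection.Assembly]::Load($p)\"")},
    {"id": 2, "type": "file", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
             r"\Programs\Startup\report.lnk"},
    {"id": 3, "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Get-Process | Sort-Object CPU\""},
    {"id": 4, "type": "file", "image": "explorer.exe",
     "path": r"C:\Users\alice\Desktop\notes.txt"},
]

# Hunting rules taken from the behaviours in the write-up, each tagged with the
# ATT&CK technique from the mapping section. Order matters for the output.
CMDLINE_RULES = [
    ("base64_decode", "T1027",
     re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I)),
    ("xor_deobfuscation", "T1027", re.compile(r"-bxor\b", re.I)),
    ("reflective_load", "T1620",
     re.compile(r"System\.Reflection\.Assembly|\[Reflection\.Assembly\]", re.I)),
]
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def score_event(event):
    """Return the (rule, technique) pairs that fire on one event."""
    hits = []
    if event["type"] == "process":
        for name, technique, pattern in CMDLINE_RULES:
            if pattern.search(event["cmdline"]):
                hits.append((name, technique))
    elif event["type"] == "file" and STARTUP_LNK.search(event["path"]):
        hits.append(("startup_lnk_persistence", "T1547.001"))
    return hits


def hunt(events):
    """Map event id -> list of hits, leaving out events that fire no rule."""
    results = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            results[ev["id"]] = hits
    return results


B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
XOR_ARG = re.compile(r"-bxor\s+(0x[0-9a-f]+|\d+)", re.I)


def recover_stage(cmdline):
    """Undo the Base64 + single-byte XOR wrapping carried in a command line.

    Returns the decoded bytes, or None when the command line does not carry
    both a Base64 literal and a -bxor key (multi-byte keys are out of scope).
    """
    b64 = B64_ARG.search(cmdline)
    key = XOR_ARG.search(cmdline)
    if not b64 or not key:
        return None
    k = int(key.group(1), 0)
    return bytes(c ^ k for c in base64.b64decode(b64.group(1)))


if __name__ == "__main__":
    for ev_id, hits in hunt(SAMPLE_EVENTS).items():
        print(ev_id, hits)
    print(recover_stage(SAMPLE_EVENTS[0]["cmdline"]))
```

The three command-line rules firing together on one event is the signal worth alerting on; each of them alone (Base64 in an admin script, a .lnk in Startup created by an installer) is common enough that the correlation across the chain, not any single rule, is what separates this loader from routine activity.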

Challenge Answers

Q1. Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic? Answer:- Yellow Cockatoo RAT

Q2. As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations? Answer:- 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll

Q3. Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network? Answer:- 2020-09-24 18:26

Q4. Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal? Answer:- 2020-10-15 02:47

Q5. To completely eradicate the threat from Industries' systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder? Answer:- solarmarker.dat

Q6. It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with? Answer:- https://gogohid.com