How to detect Yellow Cockatoo remote access trojan
Common Information

UUID: 89ff342f-3952-44ef-b94d-3097b3b0243a
Fingerprint: 10ca00e7b9378fab
Analysis status: DONE
Considered CTI value: -2
Text language: (not set)
Published: June 7, 2022, midnight
Added to db: Sept. 26, 2022, 9:30 a.m.
Last updated: Nov. 18, 2024, 1:38 a.m.
Headline: Yellow Cockatoo: Search engine redirects, in-memory remote access trojan, and more
Title: How to detect Yellow Cockatoo remote access trojan
Detected Hints/Tags/Attributes: 54/1/26
Attributes

Columns: Type (#Events): Value. The CTI Value column is empty for every row in the source.

Domain (1): gogohid.com
File (1): search-query.exe
File (1209): powershell.exe
File (1): c:\users\redacted\e091d09fa72e9b46db8a0a512eec30c9.txt
File (2127): cmd.exe
File (456): mshta.exe
File (1): a887c3fc4114a6ae35adcfe97686a.tar
File (2): docx2rtf.exe
File (3): 0-x64.exe
File (2): photodesigner7_x86-64.exe
File (2): expert_pdf.exe
File (1): 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll
File (1): %userprofile%\appdata\roaming\solarmarker.dat
File (3): c:\windows\system32\msinfo32.exe
File (1): %temp%\24_char_random_string.exe
File (1): %temp%\24_char_random_string.ps1
md5 (1): e091d09fa72e9b46db8a0a512eec30c9
md5 (1): ba95ebd0d6f6e7861b75149561f1fbd3
md5 (1): 63c9ace2fb8d1cb7eccf4e861d0e4e45
md5 (1): 156c5402667e5aae6971faea8e87bc62
md5 (1): 4EB6170524B5E18D95BB56B937E89B36
sha256 (1): 30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85
IPv4 (1): 45.146.165.221
MITRE ATT&CK Techniques (86): T1055.012
Url (1): https://gogohid.com/gate?q=encoded_host_info
Url (1): https://gogohid.com/success?i=encoded_cmd_and_host_id_info