Threat Intelligence Analysis: Yellow RAT — Hunting the Jupyter / Yellow Cockatoo Infostealer
Platform: CyberDefenders
Challenge: Yellow RAT
Category: Threat Intelligence
Difficulty: Easy
Tools: VirusTotal, Red Canary Threat Intelligence
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Infostealer / Backdoor / Browser Hijacking
Malware Family: Jupyter (Yellow Cockatoo / SolarMarker)
During a routine security check at GlobalTech Industries, abnormal network behavior was detected across multiple workstations — employee search queries were being silently hijacked and redirected to unfamiliar URLs. A SHA-256 hash was extracted from the affected systems and provided as the starting pivot point for this threat intelligence investigation. The hash was traced to a .NET DLL identified as the Jupyter infostealer, also tracked by Red Canary as Yellow Cockatoo. This malware family communicates with a hardcoded C2 domain, stores a unique host identifier on disk, and executes attacker commands in an infinite polling loop.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85 | Jupyter DLL sample |
| MD5 | 4eb6170524b5e18d95bb56b937e89b36 | Alternative hash for hunting |
| File Type | Win32 DLL (.NET Assembly) | Compiled with .NET v2.0.50727 |
| Compile Timestamp | 2020-09-24 18:26:47 UTC | PE compilation date |
| First Submission | 2020-10-15 02:47:37 UTC | First seen on VirusTotal |
| Malware Family | Jupyter / Yellow Cockatoo / SolarMarker | Multiple threat intel aliases |
| DLL Filename | 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll | GUID-format filename used for concealment |
| C2 Domain | gogohid[.]com | Command and control endpoint |
| Persistence File | %USERPROFILE%\AppData\Roaming\solarmarker.dat | Unique host identifier stored on disk |
MITRE ATT&CK Mapping Overview
| Tactic | Technique | ID |
|---|---|---|
| Defense Evasion | Masquerading — GUID-format DLL filename | T1036 |
| Persistence | Unique Host Identifier File | T1053 |
| Discovery | System Information Discovery | T1082 |
| Command & Control | Encrypted C2 Channel (HTTPS) | T1071.001 |
| Collection | Browser Session Hijacking | T1185 |
2. Phase 1: Sample Identification — VirusTotal Community Analysis (Question 1)
Objective: Query the provided SHA-256 hash on VirusTotal and leverage community intelligence to identify the malware family.
The investigation begins with a single artifact: a hash.txt file containing the SHA-256 hash of the suspicious DLL.
Querying this hash on VirusTotal reveals community notes from researchers who have previously analyzed this sample. Multiple community members explicitly tagged the submission with #Jupyter and #YellowCockatoo, providing immediate attribution without needing to dig into detection engine names.
Analyst Note: The VirusTotal community comments section is one of the most underutilized intelligence resources available to analysts. Researchers frequently post configuration extracts, C2 infrastructure details, and malware family attributions that don’t appear anywhere in the automated detection engine results. Always check community notes before concluding a hash pivot.
Answer Q1
What malware family does this DLL belong to?
Jupyter (also known as Yellow Cockatoo)
3. Phase 2: File Properties & Compile Timestamp (Questions 2 & 3)
Objective: Extract the DLL’s first observed filename and compilation date from the VirusTotal Details tab.
The Details tab on VirusTotal surfaces the PE metadata embedded in the binary at compile time, as well as the submission history and all observed filenames.
The filename follows a GUID (Globally Unique Identifier) format — 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll — a deliberate concealment technique. Legitimate applications rarely use randomly-generated GUID filenames. When found in user profile AppData directories, this pattern is a high-fidelity indicator of malware.
Answer Q2
What is the DLL’s first observed filename?
111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll
Answer Q3
What is the malware’s compilation date?
2020-09-24
4. Phase 3: Submission Timeline (Question 4)
Objective: Determine when this sample first appeared on VirusTotal to understand the threat’s age and intelligence maturity.
The VirusTotal History section records the precise timestamps for first submission, last submission, and first seen in the wild.
The 21-day gap between compilation (September 24) and first submission (October 15) is meaningful intelligence — it suggests the malware was actively deployed and operating before any defender submitted it for analysis. Threats with long pre-detection windows require retroactive hunting across historical logs.
Answer Q4
What is the malware’s first submission date to VirusTotal?
2020-10-15
5. Phase 4: Threat Intelligence — C2 Behavior & Persistence (Questions 5 & 6)
Objective: Use external threat intelligence to identify the malware’s C2 domain and on-disk persistence artifact.
The VirusTotal community comments linked to Red Canary’s published Yellow Cockatoo threat report. This document provides the deepest technical analysis of Jupyter’s behavior in a real environment.
According to Red Canary’s analysis, the Jupyter DLL operates as follows:
- Checks for the existence of `solarmarker.dat` in `%USERPROFILE%\AppData\Roaming\`. If absent, it generates a random host identifier and writes it there.
- Connects to `https://gogohid[.]com/gate?q=ENCODED_HOST_INFO` with the unique identifier.
- Receives commands from the C2 server and executes them in an infinite polling loop.
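The beacon shape above (a fixed domain, the `/gate` path and a `q=` parameter carrying the encoded host identifier, repeated in a polling loop) is exactly what a proxy-log hunt can key on. The following is an added example written for this write-up, not code from the challenge, from VirusTotal or from Red Canary: the log line format and every sample line are constructed, and only the C2 domain and the `/gate?q=` pattern come from the text. Any contact with the domain is reported; requests that also match the beacon shape are flagged at higher confidence, and beacons are counted per client so the repeating polling loop stands out.

```python
"""Hunt for Jupyter / Yellow Cockatoo C2 beacons in web-proxy logs.

Added example for this write-up; not code from the challenge, VirusTotal or
Red Canary. The log line format and all sample lines are constructed; only
the C2 domain and the /gate?q= beacon shape come from the write-up.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicator from the write-up, kept defanged here and refanged for matching.
JUPYTER_C2_DOMAINS = {"gogohid[.]com"}
JUPYTER_C2_PATH = "/gate"

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample lines: two workstations beacon, one of them repeatedly,
# one host touches the domain without the beacon shape, the rest is benign.
SAMPLE_PROXY_LOG = """\
2020-10-01T09:12:03Z 10.20.1.15 GET https://www.example.com/index.html 200
2020-10-01T09:12:09Z 10.20.1.15 GET https://gogohid.com/gate?q=dGVzdC1ob3N0LWlk 200
2020-10-01T09:12:40Z 10.20.1.22 GET https://gogohid.com/gate?q=YW5vdGhlci1ob3N0 200
2020-10-01T09:13:02Z 10.20.1.15 GET https://cdn.example.net/lib.js 200
2020-10-01T09:13:09Z 10.20.1.15 GET https://gogohid.com/gate?q=dGVzdC1ob3N0LWlk 200
2020-10-01T09:14:00Z 10.20.1.30 GET https://gogohid.com/ 404
2020-10-01T09:14:09Z 10.20.1.15 GET https://gogohid.com/gate?q=dGVzdC1ob3N0LWlk 200
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as gogohid[.]com into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_HOSTS = {refang(d) for d in JUPYTER_C2_DOMAINS}


def host_matches_c2(hostname: str) -> bool:
    """True for the C2 domain itself or any subdomain of it."""
    hostname = hostname.lower()
    return any(hostname == c2 or hostname.endswith("." + c2) for c2 in C2_HOSTS)


def classify_request(url: str):
    """Return None for unrelated traffic, otherwise a dict describing the C2 contact.

    'beacon' is True only when the request has the /gate?q=<id> shape the
    write-up describes; any other contact with the domain is still reported,
    at lower confidence, because the domain alone is an indicator.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host_matches_c2(host):
        return None
    query = parse_qs(parts.query)
    beacon = parts.path == JUPYTER_C2_PATH and "q" in query
    return {"host": host, "beacon": beacon, "q": query["q"][0] if beacon else None}


def hunt_proxy_log(log_text: str):
    """Scan a proxy log and return one hit per line that contacted the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client_ip, method, url, status = m.groups()
        verdict = classify_request(url)
        if verdict is None:
            continue
        hits.append({"timestamp": ts, "client_ip": client_ip, "method": method,
                     "status": int(status), **verdict})
    return hits


def beacons_per_client(hits):
    """Count /gate?q= beacons per source IP; repeated beacons are the polling loop."""
    return Counter(h["client_ip"] for h in hits if h["beacon"])


if __name__ == "__main__":
    found = hunt_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['client_ip']} -> {h['host']} beacon={h['beacon']} q={h['q']}")
    print("beacons per client:", dict(beacons_per_client(found)))
```

Against the constructed log this reports five contacts with the domain, four of which carry the beacon shape; 10.20.1.15 beacons three times in two minutes, which is the polling behaviour worth escalating first, while 10.20.1.30 only touched the root of the domain and is a lower-confidence lead.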
Analyst Note: The `solarmarker.dat` file is the definitive on-host indicator of active Jupyter infection. It is small, hidden in a standard-looking directory, and survives reboots. If you find this file on an endpoint, the machine should be treated as fully compromised. Hunt for it proactively across your endpoint fleet before waiting for a detection alert.
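The two on-disk artifacts this write-up calls out, `solarmarker.dat` in the roaming profile (above) and the GUID-format DLL filename from Phase 2, can be hunted with one pass over an endpoint file inventory. The following is an added example written for this write-up, not code from the challenge or from Red Canary: the inventory format, the hostnames and every sample path are constructed, and the finding labels are the example's own. The filename `solarmarker.dat` is flagged wherever it appears, with a separate label when it is outside the documented `AppData\Roaming` location; a DLL is flagged only when its bare filename is a GUID and it sits anywhere under `AppData`, so GUID-named folders (which legitimate software does use) are not flagged by themselves.

```python
"""Hunt a file inventory for Jupyter / Yellow Cockatoo on-disk artifacts.

Added example for this write-up; not code from the challenge or Red Canary.
The inventory format and all sample paths are constructed; the artifact
patterns (solarmarker.dat in the roaming profile, GUID-named DLL under
AppData) come from the write-up. Finding labels are this example's own.
"""
import os
import re
from pathlib import PureWindowsPath

# A bare GUID followed by .dll, e.g. 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll
GUID_DLL_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.dll$",
    re.IGNORECASE,
)
HOST_ID_FILENAME = "solarmarker.dat"

# Constructed inventory, "<hostname>,<full path>", as an EDR file-listing export might give.
SAMPLE_FILE_INVENTORY = r"""
WS01,C:\Users\jdoe\AppData\Roaming\solarmarker.dat
WS01,C:\Users\jdoe\AppData\Roaming\111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll
WS02,C:\Program Files\VendorApp\vendorapp.dll
WS02,C:\Users\asmith\AppData\Local\Temp\report.docx
WS03,C:\Users\bchen\AppData\Local\Packages\{5d3c1a7e-0000-4b1c-8f2e-aaaaaaaaaaaa}\helper.dll
WS03,C:\Users\bchen\AppData\Local\Temp\A1B2C3D4-E5F6-47A8-9B0C-D1E2F3A4B5C6.dll
WS04,D:\backup\solarmarker.dat
"""


def classify_path(path_str: str):
    """Return a finding label for a Jupyter artifact path, or None for anything else."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    parts = [part.lower() for part in p.parts]
    in_appdata = "appdata" in parts
    in_roaming = in_appdata and "roaming" in parts
    if name == HOST_ID_FILENAME:
        # The filename itself is distinctive; Roaming is the documented location.
        return "host-id-file" if in_roaming else "host-id-file-unusual-location"
    if in_appdata and GUID_DLL_RE.match(name):
        # Only the DLL's own name is tested, so GUID-named parent folders are ignored.
        return "guid-dll-in-appdata"
    return None


def hunt_inventory(inventory_text: str):
    """Classify every "<host>,<path>" line and return the findings."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue  # blank or malformed export line
        host, path = line.split(",", 1)
        label = classify_path(path)
        if label:
            findings.append({"host": host, "path": path, "finding": label})
    return findings


def affected_hosts(findings):
    """Distinct hostnames with at least one finding, for the containment list."""
    return sorted({f["host"] for f in findings})


def scan_directory(root: str):
    """Walk a live directory tree (e.g. a user's AppData) and classify each file.

    PureWindowsPath also splits forward-slash paths, so the same checks run
    on a mounted image or exported profile on a non-Windows analysis box.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify_path(full)
            if label:
                findings.append({"host": os.uname().nodename if hasattr(os, "uname") else "local",
                                 "path": full, "finding": label})
    return findings


if __name__ == "__main__":
    results = hunt_inventory(SAMPLE_FILE_INVENTORY)
    for r in results:
        print(f"{r['host']}: {r['finding']} -> {r['path']}")
    print("hosts to contain:", affected_hosts(results))
```

On the constructed inventory this produces four findings across WS01, WS03 and WS04: WS01 shows both artifacts together, WS03 has a GUID-named DLL dropped in `AppData\Local\Temp` (the GUID-named Packages folder on the same host is correctly ignored), and WS04 has the host-identifier filename outside its usual location, which still deserves a look. `scan_directory` applies the same checks to a live tree for a single-host spot check.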
Answer Q5
What is the name of the file the malware creates for persistence/identification?
solarmarker.dat
Answer Q6
What is the malware’s C2 domain?
gogohid.com
6. Conclusion
The Yellow RAT investigation demonstrates how a single SHA-256 hash pivot — combined with community intelligence and external threat reports — can build a complete threat profile without any dynamic analysis or malware execution. Key findings:
- Family: Jupyter / Yellow Cockatoo — a .NET-based infostealer and backdoor active since at least late 2020.
- Persistence: `solarmarker.dat` in `%USERPROFILE%\AppData\Roaming\` stores the victim’s unique identifier.
- C2: HTTPS communication to `gogohid[.]com` with encoded host parameters in a continuous polling loop.
- Concealment: GUID-format DLL filenames disguise the malware among legitimate AppData content.
- Impact: Browser session hijacking caused employee search queries to be silently redirected.
Key Takeaways for the SOC:
- A single SHA-256 hash can unlock a full intelligence picture: Pivot from the hash → VirusTotal community comments → vendor threat intelligence blogs for complete TTP depth. Don’t stop at the detection ratio.
- `solarmarker.dat` = smoking gun: If you find this file, you’ve found active Jupyter. Hunt for it proactively using EDR or file integrity monitoring.
- GUID-named DLLs in AppData are suspicious: Legitimate software uses consistent, readable filenames. Flag any GUID-format DLL files in roaming profile directories for immediate investigation.
- Red Canary’s threat intelligence library is an excellent free resource for detailed Yellow Cockatoo/Jupyter TTPs and detection guidance.
Analysis Date: April 18, 2026
Analyst: El OMARI Zakaria