Yellow Cockatoo RAT Analysis

IOB - Indicator of Behavior (91)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data. The same note applies to every other chart on this page.

Lang

en: 80
ru: 4
es: 4
ar: 2
de: 2

Country

(chart withheld in this view)

Actors

(chart withheld in this view)

Activities

Interest

Timeline, Type and Vendor: charts withheld in this view.

Product

Apple QuickTime: 4
Cisco ASA: 4
Craig Patchett Fileseek: 4
Linksys WRT1900ACS: 2
Adobe Commerce: 2

(These counts are shown as dummy data in this view.)

Vulnerabilities

Columns: Base and Temp are the CVSS base and temporal scores; 0day and Today are estimated exploit prices; Exp is the exploit status and Rem the remediation status; EPSS is the exploit-prediction probability; CTI is VulDB's own CTI score.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Lars Ellingsen Guestserver guestbook.cgi cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00169 | 0.12 | CVE-2005-4222
2 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.01075 | 9.19 | CVE-2006-6168
3 | Youxun AC Centralized Management Platform HTML File upfile.cgi HTML injection | 4.1 | 4.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.04 | CVE-2023-34855
4 | Void Contact Form 7 Widget for Elementor Page Builder Plugin void_cf7_opt_in_user_data_track cross-site request forgery | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00063 | 0.00 | CVE-2022-47166
5 | Sun Cobalt Raq HTTP Request path traversal | 5.3 | 5.3 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00642 | 0.04 | CVE-2002-0347
6 | DUware DUclassmate default.asp sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00221 | 0.05 | CVE-2005-2049
7 | s0nic Paranews news.php cross site scripting | 4.3 | 4.2 | $0-$5k | $0-$5k | High | Unavailable | 0.00195 | 0.04 | CVE-2008-4349
8 | xz m4 File malicious code | 9.9 | 9.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.10085 | 0.00 | CVE-2024-3094
9 | Apache Solr dynamically-managed code resources | 7.1 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.87242 | 0.05 | CVE-2023-50386
10 | Juniper Junos XNM Command Processor memory allocation | 7.5 | 6.5 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00728 | 0.03 | CVE-2014-0613
11 | Plesk Obsidian Login Page injection | 5.8 | 5.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00174 | 0.16 | CVE-2023-24044
12 | RiteCMS Admin Panel path traversal | 4.6 | 4.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00336 | 0.06 | CVE-2022-24248
13 | Netgear ProSAFE Network Management System Java Debug Wire Protocol missing authentication | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00214 | 0.00 | CVE-2023-49693
14 | Joomla CMS LDAP Authentication improper authentication | 5.3 | 4.6 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00999 | 0.00 | CVE-2014-6632
15 | FCKeditor Connector Module path traversal | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official Fix | 0.97270 | 0.04 | CVE-2009-2265
16 | Adobe Commerce File System xml injection | 6.4 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00140 | 0.03 | CVE-2023-22247
17 | Konga Login API random values | 4.0 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 0.00092 | 0.16 | CVE-2023-2418
18 | Cisco ASA Clientless SSL VPN Portal heap-based overflow | 7.4 | 7.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00109 | 0.03 | CVE-2022-20737
19 | phpMyAdmin Configuration File setup.php code injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.80586 | 0.05 | CVE-2009-1151
20 | VMware vCenter Server PSC deserialization | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00125 | 0.04 | CVE-2022-31680

IOC - Indicator of Compromise (3)

These indicators of compromise list associated network resources which are known to be part of research and attack activities. Only the first entry is unmasked in this view; the other two keep the page's masking.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 67.43.234.48 | | Yellow Cockatoo RAT | | 12/18/2023 | verified | High
2 | XXX.XX.XXX.XX | | Xxxxxx Xxxxxxxx Xxx | | 11/05/2022 | verified | High
3 | XXX.XXX.XXX.XX | | Xxxxxx Xxxxxxxx Xxx | | 12/18/2023 | verified | High

TTP - Tactics, Techniques, Procedures (13)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. These entries come from VulDB's predictive model for actor profiling, so they are inferred from the actor's profile rather than observed in an incident.

IOA - Indicator of Attack (66)

These indicators of attack list the path, library, argument and input-value fragments the actor is expected to use for technical activities such as reconnaissance, exploitation, privilege escalation, and exfiltration. These entries come from VulDB's predictive model for actor profiling: the Type column marks every row as predictive, and the Confidence column rates the model's output, not an observed attack. Only entries 1 to 8 are unmasked in this view; the rest keep the page's masking.

ID | Class | Indicator | Type | Confidence
1 | File | /api/baskets/{name} | predictive | High
2 | File | /debug/pprof | predictive | Medium
3 | File | /forum/away.php | predictive | High
4 | File | /mhds/clinic/view_details.php | predictive | High
5 | File | /preview.php | predictive | Medium
6 | File | /student/bookdetails.php | predictive | High
7 | File | /upfile.cgi | predictive | Medium
8 | File | adclick.php | predictive | Medium
9 | File | xxxxxxxxx.xxx | predictive | High
10 | File | xxxxxx.xxx | predictive | Medium
11 | File | xxxxx_xxxxxx.xxx | predictive | High
12 | File | xxxxxxxx.xxx | predictive | Medium
13 | File | xx_xxxx_xx_xxxx_xxxx.xxx | predictive | High
14 | File | xxxxxxx.xxx | predictive | Medium
15 | File | xxxxxxxx.xxx | predictive | Medium
16 | File | xxxxxxxx.xxx | predictive | Medium
17 | File | xxxxxx_xxx.xxx | predictive | High
18 | File | xxxxxxxxxxxx_xxxx.xxx | predictive | High
19 | File | xxxxxxxxxxxxxx.xxx | predictive | High
20 | File | xxxx.xxx | predictive | Medium
21 | File | xxxxxxxxx.xxx | predictive | High
22 | File | xxxxxxx.xxx | predictive | Medium
23 | File | xxxxx.xxx | predictive | Medium
24 | File | xxxxx.xxx/xxxxxxxxx_xxxx/xxx_xxxxxxx_xxxxxxxxxx/ | predictive | High
25 | File | xxxxxxxx.xxx | predictive | Medium
26 | File | xxxxxxx/xxx_xxxxxxxx.xxx | predictive | High
27 | File | xxx_xxxxxxxx.xxx | predictive | High
28 | File | xxxxxxxxx.xxx | predictive | High
29 | File | xxxx.xxx | predictive | Medium
30 | File | xxxxxxxx.xxx | predictive | Medium
31 | File | xxxx.xxx | predictive | Medium
32 | File | xxxxx/xxxxxxx.xxx | predictive | High
33 | File | xxxxxx_xxx_xxxxxx.xxx | predictive | High
34 | File | xxxxx.xxx | predictive | Medium
35 | File | xxxx.xxx | predictive | Medium
36 | File | xxxx-xxxxxxxx.xxx | predictive | High
37 | File | xx.xxx | predictive | Low
38 | File | xxxxxx.xxx | predictive | Medium
39 | File | xx/xx_xxxxxx.xxx | predictive | High
40 | File | xxxx_xxxx.xxx | predictive | High
41 | Library | xxxxxxxxxx/xxxxxxxxx.x | predictive | High
42 | Library | xx/xxx.xxx.xxx | predictive | High
43 | Argument | $xxxxxxxx | predictive | Medium
44 | Argument | xxxx | predictive | Low
45 | Argument | xxxx_xxx | predictive | Medium
46 | Argument | xxxxxxxxxx | predictive | Medium
47 | Argument | xxxx | predictive | Low
48 | Argument | xxxxx | predictive | Low
49 | Argument | xxxxxxxx | predictive | Medium
50 | Argument | xxxx/xxxx | predictive | Medium
51 | Argument | xxxx | predictive | Low
52 | Argument | xx | predictive | Low
53 | Argument | xx | predictive | Low
54 | Argument | xxxxxxxxxxxxxxxx | predictive | High
55 | Argument | xxxx | predictive | Low
56 | Argument | xxxxxxx | predictive | Low
57 | Argument | xxxx_xxxx | predictive | Medium
58 | Argument | xxxxxxxxx_xxxxxxxx_xxxx | predictive | High
59 | Argument | xxxx_xx | predictive | Low
60 | Argument | xxxx | predictive | Low
61 | Argument | xxx_xxx[] | predictive | Medium
62 | Argument | xxxxx_xxxx_xxxx | predictive | High
63 | Argument | xx_xxxx | predictive | Low
64 | Argument | xxxxxxx_xx | predictive | Medium
65 | Argument | xxxxxx | predictive | Low
66 | Input Value | \xxx../../../../xxx/xxxxxx | predictive | High
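As an added example (not code from VulDB or from the actor's tooling), the following Python turns the unmasked indicators above into a log check: it matches web-server access-log lines against the IOC address 67.43.234.48 (IOC table, entry 1), the eight unmasked IOA paths (entries 1 to 8) and the `../` traversal fragment that survives the masking in entry 66. The combined log format, the sample log lines and the decision to treat `{name}` in `/api/baskets/{name}` as a path prefix are assumptions made for the example.

```python
"""Match access-log lines against the unmasked Yellow Cockatoo RAT
indicators listed on this page.  Added example, not VulDB code."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import unquote

# Unmasked indicators copied from the tables above (IOC #1, IOA #1-#8).
IOC_IPS = {"67.43.234.48"}
IOA_PATHS = {
    "/api/baskets/{name}",   # assumption: "{name}" is a placeholder, match the prefix
    "/debug/pprof",
    "/forum/away.php",
    "/mhds/clinic/view_details.php",
    "/preview.php",
    "/student/bookdetails.php",
    "/upfile.cgi",
    "adclick.php",           # bare file name: match the last path component
}
# IOA #66 is masked except for the traversal sequence; match that fragment.
TRAVERSAL = re.compile(r"(\.\./){2,}")

# Assumption: Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    line_no: int
    ip: str
    target: str
    reasons: list[str] = field(default_factory=list)


def ioa_path_hits(path: str) -> list[str]:
    """Return the IOA path entries that the decoded request path matches."""
    hits = []
    for ioa in IOA_PATHS:
        if "{" in ioa:
            if path.startswith(ioa.split("{", 1)[0]):      # "/api/baskets/"
                hits.append(ioa)
        elif ioa.startswith("/"):
            if path == ioa or path.startswith(ioa + "/"):  # exact or sub-path
                hits.append(ioa)
        elif path.rsplit("/", 1)[-1] == ioa:                 # bare file name
            hits.append(ioa)
    return hits


def scan(lines):
    """Return one Hit per log line that touches an IOC address or an IOA fragment."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        # Decode twice: "%2e%2e/" hides from a literal match, and double
        # encoding ("%252e") is a common evasion against single decoding.
        decoded = unquote(unquote(target))
        path = decoded.split("?", 1)[0]
        reasons = []
        ip = m["ip"]
        try:
            if str(ip_address(ip)) in IOC_IPS:
                reasons.append(f"IOC IP {ip}")
        except ValueError:          # "-" or a hostname in the client field
            pass
        reasons += [f"IOA path {p}" for p in ioa_path_hits(path)]
        if TRAVERSAL.search(decoded):
            reasons.append("IOA input value: directory traversal")
        if reasons:
            hits.append(Hit(n, ip, target, reasons))
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Dec/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '67.43.234.48 - - [18/Dec/2023:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 68',
    '198.51.100.9 - - [18/Dec/2023:10:00:03 +0000] "GET /debug/pprof/heap HTTP/1.1" 404 153',
    '198.51.100.9 - - [18/Dec/2023:10:00:04 +0000] "POST /upfile.cgi HTTP/1.1" 404 153',
    '198.51.100.9 - - [18/Dec/2023:10:00:05 +0000] "GET /forum/away.php?s=%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 153',
    '198.51.100.9 - - [18/Dec/2023:10:00:06 +0000] "GET /ads/adclick.php?id=1 HTTP/1.1" 200 90',
    '198.51.100.9 - - [18/Dec/2023:10:00:07 +0000] "GET /api/baskets/test1 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.ip} {h.target} -> {', '.join(h.reasons)}")
```

On the sample input every line except the first is flagged; the fifth line is reported twice over, once for the IOA path and once for the traversal fragment that only becomes visible after URL decoding. Because the IOA entries are predictive, a hit on a generic path such as /preview.php is a reason to look at the request, not evidence of this actor on its own; the IOC address is the stronger signal and should be checked against both source and destination fields, since the page does not say in which direction the address was seen.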

References (3)

The following list contains external sources which discuss the actor and the associated activities:
