Squirrelwaffle Analysis

IOB - Indicator of Behavior (328)

Timeline: chart not available in this export.

Lang

  • en: 254
  • es: 64
  • pt: 6
  • fr: 2
  • it: 2

Country: chart not available in this export.

Actors: chart not available in this export.

Activities

Interest

Timeline: chart not available in this export.

Type: chart not available in this export.

Vendor: chart not available in this export.

Product

  • Apache HTTP Server: 16
  • Microsoft IIS: 8
  • Microsoft Windows: 6
  • Apple iOS: 4
  • OpenSSH: 4

Vulnerabilities

Columns: Base and Temp are the CVSS base and temporal scores; 0day and Today are the estimated exploit price at disclosure and now; Exp is the exploitability status; Rem is the remediation status; EPSS is the Exploit Prediction Scoring System probability; CTI is the VulDB threat-intelligence activity score.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Microsoft Windows IGMP Header input validation | 7.5 | 6.7 | $25k-$100k | $0-$5k | Proof-of-Concept | Official Fix | 0.00425 | 0.06 | CVE-1999-0918
2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
3 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.10737 | 0.44 | CVE-2016-6210
4 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.89 | CVE-2020-12440
5 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00341 | 0.29 | CVE-2017-0055
6 | Microsoft Office Excel memory corruption | 7.0 | 6.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.12819 | 0.00 | CVE-2018-8574
7 | Apple macOS Kernel Coldtro out-of-bounds write | 7.8 | 7.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.00149 | 0.03 | CVE-2022-32894
8 | Dahua DHI-HCVR7216A-S3 DVR Protocol cryptographic issues | 6.8 | 6.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00159 | 0.05 | CVE-2017-6432
9 | Joomla CMS User Registration input validation | 7.7 | 7.5 | $5k-$25k | $0-$5k | High | Official Fix | 0.91424 | 0.05 | CVE-2016-8870
10 | Moment.js path traversal | 6.9 | 6.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00330 | 0.04 | CVE-2022-24785
11 | ASRock RGB Driver AsrDrv103.sys unknown vulnerability | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.04 | CVE-2020-15368
12 | IBM AIX privileges management | 7.8 | 7.8 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.00 | CVE-2017-1692
13 | SourceCodester Library Management System index.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00114 | 0.04 | CVE-2022-2492
14 | Apache HTTP Server mod_reqtimeout resource management | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01696 | 0.11 | CVE-2007-6750
15 | Microsoft Windows Active Directory Domain Services Privilege Escalation | 8.8 | 8.1 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.00121 | 0.04 | CVE-2022-21857
16 | Discourse Messaging Bus path traversal | 3.3 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00071 | 0.05 | CVE-2021-43840
17 | Microsoft Windows MS-EFSRPC EfsRpcOpenFileRaw PetitPotam server-side request forgery | 7.3 | 6.7 | $25k-$100k | $0-$5k | Proof-of-Concept | Workaround | 0.00000 | 0.08 | (not listed)
18 | WordPress class-wp-object-cache.php stats cross site scripting | 5.2 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00877 | 0.05 | CVE-2020-11029
19 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.33 | CVE-2010-0966
20 | Grandstream GXP16xx VoIP SSH Configuration Interface command injection | 9.8 | 9.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00270 | 0.05 | CVE-2018-17565

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • ProxyShell/ProxyLogon

IOC - Indicator of Compromise (25)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 23.111.163.242 | 23-111-163-242.static.hvvc.us | Squirrelwaffle | ProxyShell/ProxyLogon | 02/22/2022 | verified | Medium
2 | 24.55.112.61 | dynamic.libertypr.net | Squirrelwaffle | | 06/12/2022 | verified | Low
3 | 24.229.150.54 | 24.229.150.54.cmts-static.sm.ptd.net | Squirrelwaffle | ProxyShell/ProxyLogon | 02/22/2022 | verified | Medium
4 | 45.46.53.140 | cpe-45-46-53-140.maine.res.rr.com | Squirrelwaffle | | 06/12/2022 | verified | Medium
5 | 47.22.148.6 | ool-2f169406.static.optonline.net | Squirrelwaffle | | 06/12/2022 | verified | Medium

Entries 6 to 25 are masked on this page (IP address, hostname, actor and campaign redacted). Each of them was identified on 02/22/2022 or 06/12/2022, is of type verified, and carries Low or Medium confidence.

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (137)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | .procmailrc | predictive | Medium
2 | File | /cgi-bin/ExportALLSettings.sh | predictive | High
3 | File | /cgi-bin/ExportAllSettings.sh | predictive | High
4 | File | /config/getuser | predictive | High
5 | File | /etc/passwd | predictive | Medium
6 | File | /include/chart_generator.php | predictive | High
7 | File | /index.php | predictive | Medium
8 | File | /mobilebroker/ServiceToBroker.svc/Json/Connect | predictive | High
9 | File | /product_list.php | predictive | High
10 | File | /qsr_server/device/reboot | predictive | High
11 | File | /resource/file/api/save?auto=1 | predictive | High
12 | File | /snmpGet | predictive | Medium
13 | File | /tmp | predictive | Low
14 | File | /uncpath/ | predictive | Medium
15 | File | /wp-admin/admin-ajax.php | predictive | High
16 | File | administrator/components/com_media/helpers/media.php | predictive | High

Entries 17 to 137 are masked on this page. By class they are: File, entries 17 to 74 (58 indicators); Library, entries 75 to 81 (7); Argument, entries 82 to 126 (45); Input Value, entries 127 to 133 (7); Network Port, entries 134 to 137 (4). All are of type predictive with Low, Medium or High confidence.
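As an added example for this page (not VulDB's code and not anything attributed to the Squirrelwaffle operators), the script below turns the five unmasked IOC source IPs and the URL-style File indicators from the IOA table into a check that runs over web-server access-log lines. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed for illustration, with the non-IOC addresses taken from RFC 5737 documentation ranges. The severity rule, the double percent-decode and the "../" traversal heuristic are this example's own additions; the host-side entries .procmailrc and /tmp are left out because they do not appear in a request URI.

```python
"""Match access-log lines against the Squirrelwaffle IOC and IOA tables.

Added example for this page, not VulDB or Squirrelwaffle code. Assumes the
combined log format; severity rule and traversal heuristic are this
example's own. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

# Unmasked source IPs from the IOC table on this page, with their confidence.
IOC_IPS: Dict[str, str] = {
    "23.111.163.242": "Medium",
    "24.55.112.61": "Low",
    "24.229.150.54": "Medium",
    "45.46.53.140": "Medium",
    "47.22.148.6": "Medium",
}

# File-class IOA fragments (entries 1-16) that can occur in a request URI.
# ".procmailrc" and "/tmp" are host-side paths and are left out on purpose.
IOA_PATHS: Dict[str, str] = {
    "/cgi-bin/ExportALLSettings.sh": "High",
    "/cgi-bin/ExportAllSettings.sh": "High",
    "/config/getuser": "High",
    "/etc/passwd": "Medium",
    "/include/chart_generator.php": "High",
    "/index.php": "Medium",
    "/mobilebroker/ServiceToBroker.svc/Json/Connect": "High",
    "/product_list.php": "High",
    "/qsr_server/device/reboot": "High",
    "/resource/file/api/save?auto=1": "High",
    "/snmpGet": "Medium",
    "/uncpath/": "Medium",
    "/wp-admin/admin-ajax.php": "High",
    "administrator/components/com_media/helpers/media.php": "High",
}

# Combined log format: ip ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    uri: str
    ioc_confidence: Optional[str]  # confidence of the matching IOC IP, if any
    ioa_hits: List[str] = field(default_factory=list)  # IOA fragments in the URI
    traversal: bool = False  # "../" seen after percent-decoding (own heuristic)

    @property
    def severity(self) -> str:
        """Own scoring rule: a known IOC source plus an IOA path outranks either alone."""
        if self.ioc_confidence and (self.ioa_hits or self.traversal):
            return "High"
        if self.ioc_confidence or self.traversal or any(
            IOA_PATHS[p] == "High" for p in self.ioa_hits
        ):
            return "Medium"
        return "Low"


def inspect(ip: str, uri: str) -> Optional[Finding]:
    """Return a Finding when the source IP or the requested URI hits an indicator."""
    # Decode twice so double-encoded traversal (%252e%252e%252f) is also seen.
    decoded = unquote(unquote(uri))
    hits = [frag for frag in IOA_PATHS if frag in decoded]
    traversal = "../" in decoded or "..\\" in decoded
    ioc = IOC_IPS.get(ip)
    if not (ioc or hits or traversal):
        return None
    return Finding(ip, uri, ioc, hits, traversal)


def scan(log_text: str) -> List[Finding]:
    """Parse each line; lines that do not parse are skipped, not fatal."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect(m.group("ip"), m.group("uri"))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log; non-IOC addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
23.111.163.242 - - [22/Feb/2022:10:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2022:10:14:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
45.46.53.140 - - [12/Jun/2022:03:21:44 +0000] "GET /cgi-bin/ExportAllSettings.sh HTTP/1.1" 404 233 "-" "curl/7.68.0"
198.51.100.9 - - [12/Jun/2022:03:22:01 +0000] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 400 0 "-" "python-requests/2.27"
203.0.113.5 - - [12/Jun/2022:03:25:13 +0000] "POST /product_list.php HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2022:03:26:00 +0000] "GET /static/app.css HTTP/1.1" 200 4031 "-" "Mozilla/5.0"
this line is not in combined format and must not crash the scanner
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip:15} {f.uri} ioc={f.ioc_confidence} ioa={f.ioa_hits} trav={f.traversal}")
```

Two caveats a practitioner should keep in mind. First, several of the File indicators (/index.php, /wp-admin/admin-ajax.php) are legitimate paths on ordinary sites, which is why the page rates some of them only Medium and why the scoring above only raises a path-only hit to High when it comes from a listed IOC address. Second, the hostnames on the IOC table (dynamic.libertypr.net, cpe-...res.rr.com, cmts-static) are residential broadband addresses, so exact IP matches age quickly; the Identified dates on the table are the right reference for how stale a match may be.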

References (4)

The following list contains external sources which discuss the actor and the associated activities:
