Squirrelwaffle Analysis

IOB - Indicator of Behavior (261)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en: 200
  • es: 58
  • pt: 2
  • it: 2

Country

  • us: 194
  • es: 36
  • br: 20
  • pt: 4
  • mx: 2

Product

  • Microsoft Windows: 10
  • Apache HTTP Server: 10
  • Apache Tomcat: 6
  • Apple iOS: 6
  • Apple iPadOS: 6

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
--|---------------|------|------|------|-------|-----|-----|-----|------|----
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.04 | 0.04187 | CVE-2007-1192
2 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.46 | 0.49183 | CVE-2016-6210
3 | Microsoft Office Excel memory corruption | 7.0 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.32419 | CVE-2018-8574
4 | Apple macOS Kernel out-of-bounds write | 7.8 | 7.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.03 | 0.01363 | CVE-2022-32894
5 | Dahua DHI-HCVR7216A-S3 DVR Protocol cryptographic issues | 6.8 | 6.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00885 | CVE-2017-6432
6 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.51 | 0.25090 | CVE-2017-0055
7 | Joomla CMS User Registration input validation | 7.7 | 7.5 | $5k-$25k | $0-$5k | High | Official Fix | 0.04 | 0.63109 | CVE-2016-8870
8 | IBM AIX privileges management | 7.8 | 7.8 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.02 | 0.00890 | CVE-2017-1692
9 | SourceCodester Library Management System index.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.06 | 0.00885 | CVE-2022-2492
10 | Apache HTTP Server mod_reqtimeout resource management | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.06 | 0.03718 | CVE-2007-6750
11 | Microsoft Windows Active Directory Domain Services Privilege Escalation | 8.8 | 8.1 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.06 | 0.01150 | CVE-2022-21857
12 | Discourse Messaging Bus path traversal | 3.3 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00885 | CVE-2021-43840
13 | Microsoft Windows MS-EFSRPC EfsRpcOpenFileRaw PetitPotam server-side request forgery | 7.3 | 6.7 | $25k-$100k | $0-$5k | Proof-of-Concept | Workaround | 0.06 | 0.00000 | 
14 | WordPress class-wp-object-cache.php stats cross site scripting | 4.9 | 4.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.01018 | CVE-2020-11029
15 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.41 | 0.04187 | CVE-2010-0966
16 | Grandstream GXP16xx VoIP SSH Configuration Interface command injection | 9.8 | 9.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00885 | CVE-2018-17565
17 | Apache HTTP Server HTTP Digest Authentication Challenge improper authentication | 8.5 | 8.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.07767 | CVE-2018-1312
18 | Host rexec privileges management | 7.3 | 7.1 | $0-$5k | $0-$5k | Not Defined | Workaround | 0.03 | 0.00885 | CVE-1999-0618
19 | DotNetNuke Cookie input validation | 7.5 | 7.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.59278 | CVE-2017-9822
20 | HP Printer memory corruption | 9.8 | 9.4 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.08 | 0.10074 | CVE-2018-5924

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • ProxyShell/ProxyLogon

IOC - Indicator of Compromise (25)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Type | Confidence
---|------------|----------|-------|-----------|------|-----------
1 | 23.111.163.242 | 23-111-163-242.static.hvvc.us | Squirrelwaffle | ProxyShell/ProxyLogon | verified | High
2 | 24.55.112.61 | dynamic.libertypr.net | Squirrelwaffle | | verified | High
3 | 24.229.150.54 | 24.229.150.54.cmts-static.sm.ptd.net | Squirrelwaffle | ProxyShell/ProxyLogon | verified | High
4 | 45.46.53.140 | cpe-45-46-53-140.maine.res.rr.com | Squirrelwaffle | | verified | High
5 | 47.22.148.6 | ool-2f169406.static.optonline.net | Squirrelwaffle | | verified | High

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (120)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
---|-------|-----------|------|-----------
1 | File | .procmailrc | predictive | Medium
2 | File | /cgi-bin/ExportALLSettings.sh | predictive | High
3 | File | /cgi-bin/ExportAllSettings.sh | predictive | High
4 | File | /config/getuser | predictive | High
5 | File | /etc/passwd | predictive | Medium
6 | File | /include/chart_generator.php | predictive | High
7 | File | /index.php | predictive | Medium
8 | File | /product_list.php | predictive | High
9 | File | /snmpGet | predictive | Medium
10 | File | /tmp | predictive | Low
11 | File | /uncpath/ | predictive | Medium
12 | File | /wp-admin/admin-ajax.php | predictive | High
13 | File | administrator/components/com_media/helpers/media.php | predictive | High
14 | File | adm_program/modules/dates/dates_function.php | predictive | High
