Squirrelwaffle Analysis

IOB - Indicator of Behavior (320)

Timeline

The chart data in this section (Timeline, Lang, Country, Actors, Activities, Type, Vendor and Product) does not reflect real data: it is dummy data, distorted and not usable in any way. An additional purchase is required to unlock these views and access the real data.

Lang

| Lang | Count |
|------|-------|
| en | 246 |
| es | 62 |
| fr | 4 |
| pt | 4 |
| it | 2 |


Country

| Country | Count |
|---------|-------|
| us | 212 |
| es | 54 |
| br | 28 |
| mx | 6 |
| pt | 4 |


Actors


Activities

Interest

Timeline


Type


Vendor


Product

| Product | Count |
|---------|-------|
| Apache HTTP Server | 12 |
| Microsoft Windows | 12 |
| OpenSSH | 6 |
| Apple iOS | 4 |
| Apple iPadOS | 4 |


Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|------|-----|-----|
| 1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192 |
| 2 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.10737 | 0.31 | CVE-2016-6210 |
| 3 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.67 | CVE-2020-12440 |
| 4 | Microsoft Windows IGMP Header input validation | 7.5 | 6.7 | $25k-$100k | $0-$5k | Proof-of-Concept | Official Fix | 0.00425 | 0.00 | CVE-1999-0918 |
| 5 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.03 | CVE-2017-0055 |
| 6 | Microsoft Office Excel memory corruption | 7.0 | 6.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.11780 | 0.02 | CVE-2018-8574 |
| 7 | Apple macOS Kernel Coldtro out-of-bounds write | 7.8 | 7.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.00149 | 0.00 | CVE-2022-32894 |
| 8 | Dahua DHI-HCVR7216A-S3 DVR Protocol cryptographic issues | 6.8 | 6.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00159 | 0.04 | CVE-2017-6432 |
| 9 | Joomla CMS User Registration input validation | 7.7 | 7.5 | $5k-$25k | $0-$5k | High | Official Fix | 0.91424 | 0.07 | CVE-2016-8870 |
| 10 | Moment.js path traversal | 6.9 | 6.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00330 | 0.21 | CVE-2022-24785 |
| 11 | ASRock RGB Driver AsrDrv103.sys unknown vulnerability | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.04 | CVE-2020-15368 |
| 12 | IBM AIX privileges management | 7.8 | 7.8 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00044 | 0.02 | CVE-2017-1692 |
| 13 | SourceCodester Library Management System index.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00114 | 0.04 | CVE-2022-2492 |
| 14 | Apache HTTP Server mod_reqtimeout resource management | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01696 | 0.04 | CVE-2007-6750 |
| 15 | Microsoft Windows Active Directory Domain Services Privilege Escalation | 8.8 | 8.1 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.00121 | 0.00 | CVE-2022-21857 |
| 16 | Discourse Messaging Bus path traversal | 3.3 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00071 | 0.00 | CVE-2021-43840 |
| 17 | Microsoft Windows MS-EFSRPC EfsRpcOpenFileRaw PetitPotam server-side request forgery | 7.3 | 6.7 | $25k-$100k | $0-$5k | Proof-of-Concept | Workaround | 0.00000 | 0.03 | |
| 18 | WordPress class-wp-object-cache.php stats cross site scripting | 4.9 | 4.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00877 | 0.05 | CVE-2020-11029 |
| 19 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.49 | CVE-2010-0966 |
| 20 | Grandstream GXP16xx VoIP SSH Configuration Interface command injection | 9.8 | 9.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00270 | 0.03 | CVE-2018-17565 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • ProxyShell/ProxyLogon

IOC - Indicator of Compromise (25)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|----|------------|----------|-------|-----------|------------|------|------------|
| 1 | 23.111.163.242 | 23-111-163-242.static.hvvc.us | Squirrelwaffle | ProxyShell/ProxyLogon | 02/22/2022 | verified | High |
| 2 | 24.55.112.61 | dynamic.libertypr.net | Squirrelwaffle | | 06/12/2022 | verified | High |
| 3 | 24.229.150.54 | 24.229.150.54.cmts-static.sm.ptd.net | Squirrelwaffle | ProxyShell/ProxyLogon | 02/22/2022 | verified | High |
| 4 | 45.46.53.140 | cpe-45-46-53-140.maine.res.rr.com | Squirrelwaffle | | 06/12/2022 | verified | High |
| 5 | 47.22.148.6 | ool-2f169406.static.optonline.net | Squirrelwaffle | | 06/12/2022 | verified | High |
| 6 | XX.XX.XXX.XXX | xxx-xxx-xxx-xxx.xxx.xxxxxxxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 7 | XX.XXX.XXX.XX | xxx-xxx-xxx-xxx.xxx.xxxxxxxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 8 | XX.XXX.XXX.XXX | xxx-xxx-xxx-xxx.xxxxxx.xxxxxx.xxxxxxxxxxxxxxxxxx.xxx | Xxxxxxxxxxxxxx | Xxxxxxxxxx/xxxxxxxxxx | 02/22/2022 | verified | High |
| 9 | XX.XX.XX.XX | xxx-xx-xx-xx-xx.xx.xxx.xx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 10 | XX.XXX.XXX.XX | x-xx-xxx-xxx-xx.xxxx.xx.xxxxxxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 11 | XX.XXX.XX.XXX | xxx-xx-xxx-xx-xxx.xxxxx.xx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 12 | XX.XX.XXX.XXX | x-xx-xx-xxx-xxx.xxxx.xx.xxxxxxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 13 | XX.XXX.XXX.XXX | xxxxxxxxxxx-xxx-x-xx-xxx.xxx-xxx.xxx.xxxxxxx.xx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 14 | XX.XX.XXX.XXX | xxxxxx-xx-xx-xxx-xxx.xxxxxxx.xxxxxx.xx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 15 | XX.XX.XX.XXX | xxx.xxxxxx-xx-xx.xxxxxxx.xxxxxx.xx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 16 | XXX.XXX.XXX.XX | | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 17 | XXX.XXX.XXX.XX | xxxxx-xxxx.xxxxxxxxx.xxx.xx | Xxxxxxxxxxxxxx | Xxxxxxxxxx/xxxxxxxxxx | 02/22/2022 | verified | High |
| 18 | XXX.XXX.XXX.XX | xxx.xxxxxx.xxx | Xxxxxxxxxxxxxx | Xxxxxxxxxx/xxxxxxxxxx | 02/22/2022 | verified | High |
| 19 | XXX.XX.XXX.XX | xx.xxx.xx.xxx.xxx.xxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 20 | XXX.XXX.XX.XX | xxx.xxx.xx.xx.xxxxxx.xxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 21 | XXX.XX.XX.XX | xxx-xx-xx-xx.xxxxxx.xxxxx.xxx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 22 | XXX.XXX.XX.XXX | xxxxxxxx.xxxxxxxxx.xxx.xx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 23 | XXX.XXX.XX.XX | xxx-xxx-xx-xx.xxx.xxxxxxxx.xx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 24 | XXX.XX.XXX.XXX | xxx-xxx-xx-xxx-xxx.xxxxxxxxxx-xxxxxxxx.xxx.xx | Xxxxxxxxxxxxxx | | 06/12/2022 | verified | High |
| 25 | XXX.XXX.XXX.XX | | Xxxxxxxxxxxxxx | | 02/22/2022 | verified | High |

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (135)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | .procmailrc | predictive | Medium |
| 2 | File | /cgi-bin/ExportALLSettings.sh | predictive | High |
| 3 | File | /cgi-bin/ExportAllSettings.sh | predictive | High |
| 4 | File | /config/getuser | predictive | High |
| 5 | File | /etc/passwd | predictive | Medium |
| 6 | File | /include/chart_generator.php | predictive | High |
| 7 | File | /index.php | predictive | Medium |
| 8 | File | /mobilebroker/ServiceToBroker.svc/Json/Connect | predictive | High |
| 9 | File | /product_list.php | predictive | High |
| 10 | File | /qsr_server/device/reboot | predictive | High |
| 11 | File | /resource/file/api/save?auto=1 | predictive | High |
| 12 | File | /snmpGet | predictive | Medium |
| 13 | File | /tmp | predictive | Low |
| 14 | File | /uncpath/ | predictive | Medium |
| 15 | File | /wp-admin/admin-ajax.php | predictive | High |
| 16 | File | administrator/components/com_media/helpers/media.php | predictive | High |
| 17 | File | xxx_xxxxxxx/xxxxxxx/xxxxx/xxxxx_xxxxxxxx.xxx | predictive | High |
| 18 | File | xxxx/xxxxxxxx.xxx | predictive | High |
| 19 | File | xxxxxxxxx/xxxxxxxxxxxxx | predictive | High |
| 20 | File | xxxx-xxxx.x | predictive | Medium |
| 21 | File | xxxx.xxx | predictive | Medium |
| 22 | File | xxxxx/xxx.x | predictive | Medium |
| 23 | File | x:\xxxxxxx xxxxx (xxx)\xxxxxxxxxxxxx\xxxxxx.xxx | predictive | High |
| 24 | File | xxxxx-xx-xxxxxx-xxxxx.xxx | predictive | High |
| 25 | File | xxxxxxx.xxx | predictive | Medium |
| 26 | File | xxxxxxx_xx.xxx | predictive | High |
| 27 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
| 28 | File | xxxx/xxxxxxxxxx/xxxxxxx/xxxxxxx.xxxx | predictive | High |
| 29 | File | xxxxxxx.xxx | predictive | Medium |
| 30 | File | xxxxxxx/xxx/xxxxx/xxxxxxxxxxxx | predictive | High |
| 31 | File | xxxx.xxx | predictive | Medium |
| 32 | File | xxxxxxxx.xxx | predictive | Medium |
| 33 | File | xxxxxxxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 34 | File | xxxxxxx.xxx | predictive | Medium |
| 35 | File | xxxxxxxx/xxxx/xxxx.xx | predictive | High |
| 36 | File | xxxx-xxxx.xx | predictive | Medium |
| 37 | File | xxxxxx.xxx | predictive | Medium |
| 38 | File | xxx/xxxxxx.xxx | predictive | High |
| 39 | File | xxxxxxx.xxx | predictive | Medium |
| 40 | File | xxxxxxxx/xxxxxxx/xxxxxxxx_xxxx.xxx | predictive | High |
| 41 | File | xxxxx.xxx | predictive | Medium |
| 42 | File | xxxxx.xxx | predictive | Medium |
| 43 | File | xxxxxxx.xxx | predictive | Medium |
| 44 | File | xxx.x/xxxxxx.x | predictive | High |
| 45 | File | xxxxxxxxx/xxxxxx.xxx.xxx | predictive | High |
| 46 | File | xxxxxxxxx/xxxxxxx/xxxx/xxxxxxxxxxxxxxxxxxxx.xxxxx.xxx | predictive | High |
| 47 | File | xxxxxxx/xxxxxxx/xxx_xxxxxxx.x | predictive | High |
| 48 | File | xxxxxxx/xxxx_xxx_xxxxx.xxx | predictive | High |
| 49 | File | xxxxx.xxxx | predictive | Medium |
| 50 | File | xxx.xxx | predictive | Low |
| 51 | File | xxxxxxxx_xxxxxx.xxx | predictive | High |
| 52 | File | xxxxxx/xxxxxxxxxx/xxx/xxxx.xxx | predictive | High |
| 53 | File | xxxxx_xxxxxx_xxx.xxx | predictive | High |
| 54 | File | xxxxx.xxx | predictive | Medium |
| 55 | File | xxxxxxxxxx/xxxxxxxxxx_xxxx.xxx?xxxxxx=xxxxxx | predictive | High |
| 56 | File | xxxxxxxxxxxxxxxx.xx | predictive | High |
| 57 | File | xxxxxxx.xxx | predictive | Medium |
| 58 | File | xxxxx.xxxx | predictive | Medium |
| 59 | File | xxx-xxxx.x | predictive | Medium |
| 60 | File | xxxxxxxxx.xxx | predictive | High |
| 61 | File | xxxxxxx.xxx.xx.xxxxxxxxxxx.xxx | predictive | High |
| 62 | File | xxxx-xxxxxxxx.xxx | predictive | High |
| 63 | File | xxxxx-xx-xxxxxx="xxxxxxxxx"/ | predictive | High |
| 64 | File | xxxx_xxxxxxxx.xxx | predictive | High |
| 65 | File | xxxx/xxxxxxxx/xxxxxxxx.xxxx | predictive | High |
| 66 | File | xx/xxxxxx/xxxxx | predictive | High |
| 67 | File | xxxxxxxx.xxx | predictive | Medium |
| 68 | File | xxxxxx.xxx | predictive | Medium |
| 69 | File | xxxxxxxxxx.xxx | predictive | High |
| 70 | File | xx-xxxxx/xxxxxxx-xxxxxxx.xxx?xxxx=xxxxxxx_xxxxxx_xxxxxx | predictive | High |
| 71 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High |
| 72 | File | \xxxxxxx\xxxxxxxxx\xxxxxxxxxxxxxxxxxx | predictive | High |
| 73 | File | ~/xxxxx.xxx | predictive | Medium |
| 74 | Library | xx/xxx/xxxx_xxxxxx.xxx | predictive | High |
| 75 | Library | xxxxxxxxx.xxx | predictive | High |
| 76 | Library | xxxxxxxxxxxxx.xxx | predictive | High |
| 77 | Library | xxxxxx.xxx | predictive | Medium |
| 78 | Library | xxxxxxxx.xxx | predictive | Medium |
| 79 | Library | xxxxxxxxx.xxx | predictive | High |
| 80 | Library | xxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 81 | Argument | --xxxxxxx | predictive | Medium |
| 82 | Argument | -x | predictive | Low |
| 83 | Argument | x@xxxx | predictive | Low |
| 84 | Argument | xxxxxxxx_xxxx | predictive | High |
| 85 | Argument | xxxxx | predictive | Low |
| 86 | Argument | xxxxxxxx | predictive | Medium |
| 87 | Argument | xxxxxxxxxx | predictive | Medium |
| 88 | Argument | xxx | predictive | Low |
| 89 | Argument | xxx_xxx_xx | predictive | Medium |
| 90 | Argument | xxxxxxxxxxxxxxx | predictive | High |
| 91 | Argument | xxx | predictive | Low |
| 92 | Argument | xxxx | predictive | Low |
| 93 | Argument | xxxx_xxxx | predictive | Medium |
| 94 | Argument | xxxxx | predictive | Low |
| 95 | Argument | xxxx_xxxxxxx | predictive | Medium |
| 96 | Argument | xx | predictive | Low |
| 97 | Argument | xxxxxxxxxxx | predictive | Medium |
| 98 | Argument | xxx_xxx | predictive | Low |
| 99 | Argument | xxxxxxx_xxx | predictive | Medium |
| 100 | Argument | xx | predictive | Low |
| 101 | Argument | xxxx | predictive | Low |
| 102 | Argument | xxxx | predictive | Low |
| 103 | Argument | xxxxxxxx | predictive | Medium |
| 104 | Argument | xxxxxxxx | predictive | Medium |
| 105 | Argument | xxxx[xxxxxxx] | predictive | High |
| 106 | Argument | xxxxxxx | predictive | Low |
| 107 | Argument | xxxxxx | predictive | Low |
| 108 | Argument | xxxxx | predictive | Low |
| 109 | Argument | xx_xxxx | predictive | Low |
| 110 | Argument | xxxxxxx | predictive | Low |
| 111 | Argument | xxxxx_xxxxxx | predictive | Medium |
| 112 | Argument | xxxxxxxx | predictive | Medium |
| 113 | Argument | xxxxxxxxxx | predictive | Medium |
| 114 | Argument | xxxxxx | predictive | Low |
| 115 | Argument | xxxx_xxx | predictive | Medium |
| 116 | Argument | xxxxxx | predictive | Low |
| 117 | Argument | xxxxxxx_xx | predictive | Medium |
| 118 | Argument | xxxxx/xxxxx | predictive | Medium |
| 119 | Argument | xxx | predictive | Low |
| 120 | Argument | xxxxxx | predictive | Low |
| 121 | Argument | xxxxxxxx | predictive | Medium |
| 122 | Argument | xxxxxxxx/xxxx | predictive | High |
| 123 | Argument | xxxxxxxx:xxxxxxxx | predictive | High |
| 124 | Argument | _xxx_xxxxxxxxxxx_ | predictive | High |
| 125 | Input Value | ..%xx | predictive | Low |
| 126 | Input Value | x</xx><xxxxxx>xxxxx(x)</xxxxxx> | predictive | High |
| 127 | Input Value | ::$xxxxx_xxxxxxxxxx | predictive | High |
| 128 | Input Value | xxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxx | predictive | High |
| 129 | Input Value | xxxxxxxx | predictive | Medium |
| 130 | Input Value | xxxxxxxxx:xxxxxxxx | predictive | High |
| 131 | Input Value | xxx.xxx[xxxxx] | predictive | High |
| 132 | Network Port | xxx | predictive | Low |
| 133 | Network Port | xxx/xx (xxx) | predictive | Medium |
| 134 | Network Port | xxx/xxxx (xxx) | predictive | High |
| 135 | Network Port | xxx xxxxxx xxxx | predictive | High |

References (4)

The following list contains external sources which discuss the actor and the associated activities:
