2021-09-29 SquirrelWaffle IOCs
THREAT ATTRIBUTION: SQUIRREL WAFFLE / QAKBOT

SUBJECTS OBSERVED
Subjects were from stolen email threads

SENDERS OBSERVED

ZIP FILE DISTRIBUTION URLS
https://callgirlsandescortkenya.site/quos-placeat/dignissimos.zip
https://callgirlsandescortkenya.site/quos-placeat/charts-1268143290.zip
https://sanbari.mx/alias-qui/eligendi.zip
https://sanbari.mx/alias-qui/charts-1268143290.zip

ZIP FILE HASHES
eligendi.zip
c3e0f556c869bd4304f60c3b20904bbb
dignissimos.zip
6b23e5b424b5ec7665ab73a22c4a33e3

MALDOC FILE HASHES
recital-45050349.xls
730adbb8cad5a918f3c570597564fabb
recital-450899828.xls
c0a2f3ddbda13614b0697c7e8215d655

PAYLOAD DOWNLOAD URLS
https://gillcart.com/Cdpmoyhr/key.xml
https://geit.in/MeOlE9Xxd/key.xml
https://mercanets.com/9DPZqAfZdq5z/key.xml
gillcart.com
geit.in
mercanets.com

PAYLOAD FILE HASHES
test2.test
9c3800e4cf625794ae2ca9ed668eb556
test1.test
a50644e7e52d017004cac366a65138d5

SQUIRREL WAFFLE C2 (POST DATA TO)
No Squirrel Waffle C2 traffic was observed

QAKBOT C2
Pulled from strings in memory:
https://181.118.183.94/t4