System Repair, Windows system tools, Security research.

Joined December 2015
David Ledbetter retweeted
In response to this method from @IcsNick, I created an easy recipe to extract URLs related to #SquirrelWaffle weaponized maldocs. bit.ly/3ziKZhu (*PS - It's a slightly modified version of the simple recipe I tweeted about the other day 🙃 nitter.fdn.fr/Kostastsale/stat……)
#squirrelwaffle downloaders vs Strings.
David Ledbetter retweeted
I got fed up with subnet calculators not doing what I want so I built my own. Try this one. tunnelsup.com/subnet-calcula…
oops, forgot to clean an old autostart Scheduled task for the 5.t dll and thought it was part of the Squirrel waffle thing. 🤦‍♂️
David Ledbetter retweeted
Looks like #Confucius #AP maldoc: Doc: decrypted-Alert#6285.docx 47cbf19af54979b0b8461e8ce2e832ee Template (#PEGASUS): THE PEGASUS PROJECT “A Global Investigation”. Private Israeli Spyware hacking cellphones of Pak Defence Personnel
Do they really have to make medicare so confusing and finding information to make an intelligent choice so difficult? Even the Government Website is confusing. 1 Part talks about having to apply during an open enrollment and another says 3 months before 65th birthday 🙄🤷‍♂️
Continuing on my office document external reference research. I pivoted to running a yara search for the xml file I already extracted by hand with the external references. That narrowed my search down to 116 hits from over 1000. An interesting one found was an xml external ref.
Sample nitter.fdn.fr/James_inthe_box/… It comes as an Xlsb file and we can convert to an Xlsm file. Xlsb: look for xl/worksheets/_rels/sheet1.bin.rels. Xlsm: look for xl/worksheets/_rels/sheet1.xml.rels. In this test we can extract the data from both versions.
Replying to @James_inthe_box
FYI these are coming in via freight xlsb lures: app.any.run/tasks/ce41d1e0-a…
Although the malware in this example is actually in the sheet data as an array, this is still a way to find external links in Excel files.
David Ledbetter retweeted
2021-09-17 (Friday) - #Squirrelwaffle Loader with #CobaltStrike - IOCs, malware samples, and #pcap from an infection available at: malware-traffic-analysis.net…
David Ledbetter retweeted
A fun one: http://transfer[.]sh/get/Bu2lYU/Server.txt ultimately #nanocore, c2: 20.52.46.119 cc @pmelson @Ledtech3 @remco_verhoef also http://transfer[.]sh/get/5QljDp/bypass.txt
David Ledbetter retweeted
I also saw one #aggah #hagga email today. It's odd - as usual. .doc --> Excel --> bit[.]ly --> blogspot url Messy endless loop with Excel. I never really got a download - need a blogspot login. Here are the IOCs: github.com/executemalware/Ma…
🚨🚨🚨 #Malspam pushing #OskiStealer ➡️ Maldoc: 3e87d91d79ea2b800ec1e0ab3f8d3e70 ➡️ Download URL: http://195.242.110.13/Anye.exe ➡️ Downloader: (It downloads the encrypted Oski payload from Discord) 16e153201be41825d56aaeac47183efd ➡️ C2: 103.141.138.110
David Ledbetter retweeted
First time I've seen REMOTESIGNED as a powershell execution policy: app.any.run/tasks/1d10e471-7… cc @LNadav on the newish looking #snip3 and also @sanjuanswan on: https://github[.]com/Homi1759/MyRepository
David Ledbetter retweeted
This skimmer (adminet[.]site/utils.js) is injected into Magento database after 3,400+ empty lines.