Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

IoCs

| Indicator | SHA256 | Notes | Detection |
|---|---|---|---|
| C:\Temp\Msedge.dll | ef1b604bf2e2d598437d97af38cbed4e6dbdb3fde771eaaf8389b46c86391a0d | C&C Agent | Backdoor.Win64.COBEACON |
| C:\ProgramData\wss.exe | 129eec0c999653e30a659f6a336c76d3b6ce810d459a7f860bacbc06fd556277 | WSSocks Tunnel | HackTool.MSIL.WSSocks |
| %USERPROFILE%\Documents\debug.exe | d713d7e9c27d81fdaee7c2e10a37062d34783303654a870b3d8a0efd42e3c032 | DCSync Attack tool | HackTool.Win64.DCSync |
| C:\ProgramData\old_x64.exe | e7722bc2344fc02f60708c00305c7033180e4be9a3d68b3c97e4cbe4d2963914 | Mimikatz Termservice Patcher | HackTool.Win64.RAdmin |
| C:\ProgramData\rdp_patch_x64.exe | N/A | RDP Patcher | N/A |
| C:\windows\debug\code-insiders.exe | 34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4 | VSCode CLI Tool | N/A |
| C:\ProgramData\yuze.dll | b5b01937291ed8660d725b8466c9b901c0daa1aab657736ac27a231f52af017d | Yuze SocksV5 Proxy Tool | HackTool.Win64.Yuze |
| C:\Users\Public\TrendSecurity.exe | 9a3b6cf6aec6df3e5b43dc024d288d06ae03d2a909f188f38ba275a5ac6d3bf0 | BYOVD AV Killer | Trojan.Win64.KILLAV |
| C:\Users\Public\NSecKrnl.sys | 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 | NSecKrnl Kernel Driver | N/A |

| Link | Notes | Detection | SHA256 |
|---|---|---|---|
| hxxps[:]//github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi | CloudFlared Tunnel Client | N/A | 06142acc825e0d799d12ff0a03fd714b119c69dce868c98bb5def165b2425454 |
| auth[.]qgtxtebl[.]workers[.]dev | Velociraptor C&C | C&C Server | N/A |
| hxxps://litter[.]catbox[.]moe/zqqxb3.txt | URL that downloads wssocks.exe | Disease Vector | N/A |
| hxxps://litter[.]catbox[.]moe/uaw2gm.txt | URL that downloads wssocks.exe | Disease Vector | N/A |
| hxxps://files[.]catbox[.]moe/wzsjlw.dll | URL that downloads wssocks.exe | Disease Vector | N/A |