Analysis
-
max time kernel
139s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-09-2021 14:45
General
-
Target
www2.bin.dll
Malware Config
Extracted
squirrelwaffle
spiritofprespa.com/9783Tci2SGF6
amjsys.com/RIZszf8vR
hrms.prodigygroupindia.com/SKyufGZV
centralfloridaasphalt.com/GCN0FChS
jhehosting.com/rUuKheB7
shoeclearanceoutlet.co.uk/46awDTJjI4l
kmslogistik.com/aS1mjTkJIy
bartek-lenart.pl/1bWJ57V9vx
voip.voipcallhub.com/ZVmfdGHs4T
mercyfoundationcio.org/XF9aQrXnakeG
key4net.com/a8A2kcc1J
chaturanga.groopy.com/mxN3lxZoVApc
voipcallhub.com/ilGht5r26
ems.prodigygroupindia.com/v5RvVJTz
novamarketing.com.pk/k8l36uus
lenartsa.webd.pro/fz16DjmKmHtl
lead.jhinfotech.co/YERjiAMaupaz
-
blocklist
94.46.179.80
206.189.205.251
88.242.66.45
85.75.110.214
87.104.3.136
207.244.91.171
49.230.88.160
91.149.252.75
91.149.252.88
92.211.109.152
178.0.250.168
88.69.16.230
95.223.77.160
99.234.62.23
2.206.105.223
84.222.8.201
89.183.239.142
5.146.132.101
77.7.60.154
45.41.106.122
45.74.72.13
74.58.152.123
88.87.68.197
211.107.25.121
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
111.7.100.17
111.7.100.16
74.125.210.62
74.125.210.36
104.244.74.57
185.220.101.145
185.220.101.144
185.220.101.18
185.220.100.246
185.220.101.228
185.220.100.243
185.220.101.229
185.220.101.147
185.220.102.250
185.220.100.241
199.195.251.84
213.164.204.94
74.125.213.7
74.125.213.9
185.220.100.249
37.71.173.58
93.2.220.100
188.10.191.109
81.36.17.247
70.28.47.118
45.133.172.222
108.41.227.196
37.235.53.46
162.216.47.22
154.3.42.51
45.86.200.60
212.230.181.152
185.192.70.11
14.33.131.72
94.46.179.80
206.189.205.251
178.255.172.194
84.221.205.40
155.138.242.103
178.212.98.156
85.65.32.191
31.167.184.201
88.242.66.45
36.65.102.42
203.213.127.79
85.75.110.214
93.78.214.187
204.152.81.185
183.171.72.218
168.194.101.130
87.104.3.136
92.211.196.33
197.92.140.125
207.244.91.171
49.230.88.160
196.74.16.153
91.149.252.75
91.149.252.88
92.206.15.202
82.21.114.63
92.211.109.152
178.0.250.168
178.203.145.135
85.210.36.4
199.83.207.72
86.132.134.203
88.69.16.230
99.247.129.88
37.201.195.12
87.140.192.0
88.152.185.188
87.156.177.91
99.229.57.160
95.223.77.160
88.130.54.214
99.234.62.23
2.206.105.223
94.134.179.130
84.221.255.199
84.222.8.201
89.183.239.142
87.158.21.26
93.206.148.216
5.146.132.101
77.7.60.154
95.223.75.85
162.254.173.187
50.99.254.163
45.41.106.122
99.237.13.3
45.74.72.13
108.171.64.202
74.58.152.123
216.209.253.121
88.87.68.197
211.107.25.121
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
111.7.100.17
111.7.100.16
74.125.210.62
74.125.210.36
104.244.74.57
185.220.101.145
185.220.101.144
185.220.101.18
185.220.100.246
185.220.101.228
185.220.100.243
185.220.101.229
185.220.101.147
185.220.102.250
Signatures
-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
squirrelwaffle 2 IoCs
Squirrelwaffle Payload
-
Blocklisted process makes network request 5 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#12⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1108-114-0x0000000000000000-mapping.dmp
-
memory/1108-116-0x0000000073F10000-0x0000000073F72000-memory.dmpFilesize
392KB
-
memory/1108-115-0x0000000073F10000-0x0000000073F21000-memory.dmpFilesize
68KB
-
memory/1108-117-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB