Resubmissions

  • 24/09/2021, 14:21 UTC
    210924-rpcsdshca9 (score 10)
  • 16/09/2021, 14:45 UTC
    210916-r477vagebj (score 8)

Analysis

  • max time kernel: 139s
  • max time network: 142s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 16/09/2021, 14:45 UTC

General

  • Target: www2.bin.dll

Malware Config

Extracted

  • Family: squirrelwaffle
  • C2:
    • spiritofprespa.com/9783Tci2SGF6
    • amjsys.com/RIZszf8vR
    • hrms.prodigygroupindia.com/SKyufGZV
    • centralfloridaasphalt.com/GCN0FChS
    • jhehosting.com/rUuKheB7
    • shoeclearanceoutlet.co.uk/46awDTJjI4l
    • kmslogistik.com/aS1mjTkJIy
    • bartek-lenart.pl/1bWJ57V9vx
    • voip.voipcallhub.com/ZVmfdGHs4T
    • mercyfoundationcio.org/XF9aQrXnakeG
    • key4net.com/a8A2kcc1J
    • chaturanga.groopy.com/mxN3lxZoVApc
    • voipcallhub.com/ilGht5r26
    • ems.prodigygroupindia.com/v5RvVJTz
    • novamarketing.com.pk/k8l36uus
    • lenartsa.webd.pro/fz16DjmKmHtl
    • lead.jhinfotech.co/YERjiAMaupaz

Attributes

  • blocklist:
    • 94.46.179.80
    • 206.189.205.251
    • 88.242.66.45
    • 85.75.110.214
    • 87.104.3.136
    • 207.244.91.171
    • 49.230.88.160
    • 91.149.252.75
    • 91.149.252.88
    • 92.211.109.152
    • 178.0.250.168
    • 88.69.16.230
    • 95.223.77.160
    • 99.234.62.23
    • 2.206.105.223
    • 84.222.8.201
    • 89.183.239.142
    • 5.146.132.101
    • 77.7.60.154
    • 45.41.106.122
    • 45.74.72.13
    • 74.58.152.123
    • 88.87.68.197
    • 211.107.25.121
    • 109.70.100.25
    • 185.67.82.114
    • 207.102.138.19
    • 204.101.161.14
    • 193.128.108.251
    • 111.7.100.17

Signatures

  • SquirrelWaffle
    SquirrelWaffle is a simple downloader written in C++.
  • squirrelwaffle (2 IoCs)
    Squirrelwaffle Payload
  • Blocklisted process makes network request (5 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 856)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 1108, child of PID 856)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#1
      Signatures: Blocklisted process makes network request

Network

  • [US] DNS lookup of lead.jhinfotech.co by rundll32.exe
    Remote address: 8.8.8.8:53
    Request: lead.jhinfotech.co IN A
    Response: lead.jhinfotech.co IN A 166.62.28.139
  • [SG] POST http://lead.jhinfotech.co/YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ== by rundll32.exe
    Remote address: 166.62.28.139:80
    Request:
      POST /YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ== HTTP/1.1
      Host: lead.jhinfotech.co
      Content-Length: 80
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 16 Sep 2021 14:46:44 GMT
      Server: Apache
      X-Powered-By: PHP/7.3.29
      Upgrade: h2,h2c
      Connection: Upgrade
      Vary: Accept-Encoding,User-Agent
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
  • [US] DNS lookup of spiritofprespa.com by rundll32.exe
    Remote address: 8.8.8.8:53
    Request: spiritofprespa.com IN A
    Response: spiritofprespa.com IN A 160.153.131.187
  • [NL] POST http://spiritofprespa.com/9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4 by rundll32.exe
    Remote address: 160.153.131.187:80
    Request:
      POST /9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4 HTTP/1.1
      Host: spiritofprespa.com
      Content-Length: 80
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 16 Sep 2021 14:47:09 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Upgrade: h2,h2c
      Connection: Upgrade
      Content-Length: 262
      Vary: Accept-Encoding,User-Agent
      Content-Type: text/html; charset=UTF-8
  • [NL] POST http://spiritofprespa.com/9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4 by rundll32.exe
    Remote address: 160.153.131.187:80
    Request:
      POST /9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4 HTTP/1.1
      Host: spiritofprespa.com
      Content-Length: 80
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 16 Sep 2021 14:47:33 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Upgrade: h2,h2c
      Connection: Upgrade
      Content-Length: 262
      Vary: Accept-Encoding,User-Agent
      Content-Type: text/html; charset=UTF-8
  • [NL] POST http://spiritofprespa.com/9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0= by rundll32.exe
    Remote address: 160.153.131.187:80
    Request:
      POST /9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0= HTTP/1.1
      Host: spiritofprespa.com
      Content-Length: 80
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 16 Sep 2021 14:47:58 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Upgrade: h2,h2c
      Connection: Upgrade
      Content-Length: 262
      Vary: Accept-Encoding,User-Agent
      Content-Type: text/html; charset=UTF-8
  • [NL] POST http://spiritofprespa.com/9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg== by rundll32.exe
    Remote address: 160.153.131.187:80
    Request:
      POST /9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg== HTTP/1.1
      Host: spiritofprespa.com
      Content-Length: 80
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 16 Sep 2021 14:48:22 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Upgrade: h2,h2c
      Connection: Upgrade
      Content-Length: 262
      Vary: Accept-Encoding,User-Agent
      Content-Type: text/html; charset=UTF-8

Traffic summary (per flow: destination, protocol, process; bytes sent / received; packets sent / received):

  • 166.62.28.139:80, http, rundll32.exe
    URL: http://lead.jhinfotech.co/YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ==
    Bytes: 428 B / 729 B; packets: 5 / 5
    HTTP request: POST http://lead.jhinfotech.co/YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ==
    HTTP response: 200
  • 160.153.131.187:80, http, rundll32.exe
    URL: http://spiritofprespa.com/9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4
    Bytes: 428 B / 705 B; packets: 5 / 5
    HTTP request: POST http://spiritofprespa.com/9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4
    HTTP response: 200
  • 160.153.131.187:80, http, rundll32.exe
    URL: http://spiritofprespa.com/9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4
    Bytes: 428 B / 705 B; packets: 5 / 5
    HTTP request: POST http://spiritofprespa.com/9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4
    HTTP response: 200
  • 160.153.131.187:80, http, rundll32.exe
    URL: http://spiritofprespa.com/9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0=
    Bytes: 420 B / 705 B; packets: 5 / 5
    HTTP request: POST http://spiritofprespa.com/9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0=
    HTTP response: 200
  • 160.153.131.187:80, http, rundll32.exe
    URL: http://spiritofprespa.com/9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg==
    Bytes: 440 B / 705 B; packets: 5 / 5
    HTTP request: POST http://spiritofprespa.com/9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg==
    HTTP response: 200
  • 8.8.8.8:53, dns, rundll32.exe
    Domain: lead.jhinfotech.co
    Bytes: 64 B / 80 B; packets: 1 / 1
    DNS request: lead.jhinfotech.co
    DNS response: 166.62.28.139
  • 8.8.8.8:53, dns, rundll32.exe
    Domain: spiritofprespa.com
    Bytes: 64 B / 80 B; packets: 1 / 1
    DNS request: spiritofprespa.com
    DNS response: 160.153.131.187

Downloads

  • memory/1108-116-0x0000000073F10000-0x0000000073F72000-memory.dmp (filesize 392KB)
  • memory/1108-115-0x0000000073F10000-0x0000000073F21000-memory.dmp (filesize 68KB)
  • memory/1108-117-0x0000000000930000-0x0000000000931000-memory.dmp (filesize 4KB)
