Analysis
max time kernel: 117s
max time network: 120s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-09-2021 13:24
Static task: static1
Behavioral task: behavioral1
  Sample: 090921.gif.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 090921.gif.dll
  Resource: win10-en-20210920
General
Target: 090921.gif.dll
Size: 383KB
MD5: 479dae0f72f4d57bd20e0bf8cb3ebdf7
SHA1: b49f31a7d8f68ca307f3d0abcf4d05313ee2b844
SHA256: 4f68558fb7a921b837926ca4e87fecba073f551a44c88109453a1a8099d003b6
SHA512: afb0a6fc0c7783f04a22ec721543084e0532f87c7903c42b831c8954aceb231b099f87c3da3edabd1c9b36045cc4b3747b27e386f37b3fbac349c0036717d63d
Malware Config
Extracted: squirrelwaffle
msrsac.com/nvaaLwe9
u522712.gluweb.nl/n2fshwgq
serverplanner.com/LkkAWHLc8
bengali.iu.ac.bd/xNM4FTUzqRRk
owfix.net/NVNCI3qMl4
pcbsi.com.ph/IcLNSd9sO
enlacelaboral.com/3cKldxdt
blocklist:
94.46.179.80
206.189.205.251
88.242.66.45
36.65.102.42
85.75.110.214
93.78.214.187
87.104.3.136
207.244.91.171
49.230.88.160
91.149.252.75
91.149.252.88
92.211.109.152
178.0.250.168
178.203.145.135
88.69.16.230
95.223.77.160
99.234.62.23
2.206.105.223
84.222.8.201
89.183.239.142
93.206.148.216
5.146.132.101
77.7.60.154
45.41.106.122
45.74.72.13
74.58.152.123
88.87.68.197
211.107.25.121
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
111.7.100.17
111.7.100.16
74.125.210.62
74.125.210.36
104.244.74.57
185.220.101.145
185.220.101.144
185.220.101.18
185.220.100.246
185.220.101.228
185.220.100.243
185.220.101.229
185.220.101.147
185.220.102.250
94.46.179.80
206.189.205.251
178.255.172.194
84.221.205.40
155.138.242.103
178.212.98.156
85.65.32.191
31.167.184.201
88.242.66.45
36.65.102.42
203.213.127.79
85.75.110.214
93.78.214.187
204.152.81.185
183.171.72.218
168.194.101.130
87.104.3.136
92.211.196.33
197.92.140.125
207.244.91.171
49.230.88.160
196.74.16.153
91.149.252.75
91.149.252.88
92.206.15.202
82.21.114.63
92.211.109.152
178.0.250.168
178.203.145.135
85.210.36.4
199.83.207.72
86.132.134.203
88.69.16.230
99.247.129.88
37.201.195.12
87.140.192.0
88.152.185.188
87.156.177.91
99.229.57.160
95.223.77.160
88.130.54.214
99.234.62.23
2.206.105.223
94.134.179.130
84.221.255.199
84.222.8.201
89.183.239.142
87.158.21.26
93.206.148.216
5.146.132.101
77.7.60.154
95.223.75.85
162.254.173.187
50.99.254.163
45.41.106.122
99.237.13.3
45.74.72.13
108.171.64.202
74.58.152.123
216.209.253.121
88.87.68.197
211.107.25.121
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
Signatures
SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
squirrelwaffle (1 IoC)
  Squirrelwaffle Payload
  resource: behavioral2/memory/2648-117-0x0000000010000000-0x000000001005E000-memory.dmp
  yara_rule: squirrelwaffle
Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\
  Process: regsvr32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 2468 wrote to memory of 2648   2468  regsvr32.exe  70
  PID 2468 wrote to memory of 2648   2468  regsvr32.exe  70
  PID 2468 wrote to memory of 2648   2468  regsvr32.exe  70