Analysis

  • max time kernel
    146s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    24-09-2021 20:38

General

  • Target

    test1.test.dll

  • Size

    309KB

  • MD5

    3d77d7a2e2697d35b281123afe4b030c

  • SHA1

    4087259179a6761e376dcfbf2e981e1c0cacc287

  • SHA256

    07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44

  • SHA512

    8c1645fa7bf81be88533e9aff8a308311f637e3d0b64244a4fa1679de53f706b9222d4bc9caa82f1340dea641d33feb3dfa3b67b2cd324a65bf570b18bf3a17c

Malware Config

Extracted

Family

squirrelwaffle

C2

hutraders.com/0eeUtmJf8O

goodartishard.com/0JXDM9kMwx

now.byteinsure.com/tnjUrmlhN

asceaub.com/Xl8UCLSU

colchonesmanzur.com/GjVgBnKaNIC

sistemasati.com/0SzGNkx6P

maldivehost.net/zLIisQRWZI9

lrdgon.org/l7r96tjAJ

binnawaz.com.pk/jhSZGWS76C

fhstorse.com/vJlgdjJnpIop

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

  • squirrelwaffle 2 IoCs

    Squirrelwaffle Payload

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
      2⤵
        PID:2012

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2012-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

      Filesize

      8KB

    • memory/2012-55-0x0000000074840000-0x0000000074850000-memory.dmp

      Filesize

      64KB

    • memory/2012-56-0x0000000074840000-0x000000007491F000-memory.dmp

      Filesize

      892KB

    • memory/2012-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

      Filesize

      4KB