Analysis
max time kernel:   148s
max time network:  152s
platform:          windows10_x64
resource:          win10v20210408
submitted:         25-09-2021 00:04
Static task: static1
Behavioral task: behavioral1
  Sample:   test1.test.dll
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample:   test1.test.dll
  Resource: win10v20210408
General
Target:  test1.test.dll
Size:    309KB
MD5:     3d77d7a2e2697d35b281123afe4b030c
SHA1:    4087259179a6761e376dcfbf2e981e1c0cacc287
SHA256:  07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44
SHA512:  8c1645fa7bf81be88533e9aff8a308311f637e3d0b64244a4fa1679de53f706b9222d4bc9caa82f1340dea641d33feb3dfa3b67b2cd324a65bf570b18bf3a17c
Malware Config
Extracted: squirrelwaffle
Signatures
SquirrelWaffle
SquirrelWaffle is a simple downloader written in C++.

squirrelwaffle (2 IoCs)
Squirrelwaffle Payload
resource                                                                      yara_rule
behavioral2/memory/4064-116-0x0000000073E70000-0x0000000073F4F000-memory.dmp  squirrelwaffle
behavioral2/memory/4064-115-0x0000000073E70000-0x0000000073E80000-memory.dmp  squirrelwaffle

Blocklisted process makes network request (5 IoCs)
flow  pid   Process
2     4064  rundll32.exe
12    4064  rundll32.exe
15    4064  rundll32.exe
16    4064  rundll32.exe
17    4064  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 4016 wrote to memory of 4064  4016  rundll32.exe  68
PID 4016 wrote to memory of 4064  4016  rundll32.exe  68
PID 4016 wrote to memory of 4064  4016  rundll32.exe  68
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
  PID: 4016
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
    PID: 4064
    Blocklisted process makes network request