Analysis

- max time kernel: 141s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-09-2021 00:05

Static task: static1

Behavioral tasks

Task         Sample          Resource
behavioral1  test1.test.dll  win7-ja-20210920
behavioral2  test1.test.dll  win7v20210408
behavioral3  test1.test.dll  win7-de-20210920
behavioral4  test1.test.dll  win11
behavioral5  test1.test.dll  win10v20210408
behavioral6  test1.test.dll  win10-ja-20210920
behavioral7  test1.test.dll  win10-en-20210920
behavioral8  test1.test.dll  win10-de-20210920
General

- Target: test1.test.dll
- Size: 309KB
- MD5: 3d77d7a2e2697d35b281123afe4b030c
- SHA1: 4087259179a6761e376dcfbf2e981e1c0cacc287
- SHA256: 07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44
- SHA512: 8c1645fa7bf81be88533e9aff8a308311f637e3d0b64244a4fa1679de53f706b9222d4bc9caa82f1340dea641d33feb3dfa3b67b2cd324a65bf570b18bf3a17c
Malware Config

Extracted (squirrelwaffle):
- hutraders.com/0eeUtmJf8O
- goodartishard.com/0JXDM9kMwx
- now.byteinsure.com/tnjUrmlhN
- asceaub.com/Xl8UCLSU
- colchonesmanzur.com/GjVgBnKaNIC
- sistemasati.com/0SzGNkx6P
- maldivehost.net/zLIisQRWZI9
- lrdgon.org/l7r96tjAJ
- binnawaz.com.pk/jhSZGWS76C
- fhstorse.com/vJlgdjJnpIop
Signatures

- SquirrelWaffle
  SquirrelWaffle is a simple downloader written in C++.
- suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
- suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
- suricata: ET MALWARE SQUIRRELWAFFLE Server Response
- squirrelwaffle (2 IoCs): Squirrelwaffle Payload

  resource                                                                       yara_rule
  behavioral7/memory/3680-116-0x00000000741E0000-0x00000000741F0000-memory.dmp  squirrelwaffle
  behavioral7/memory/3680-117-0x00000000741E0000-0x00000000742BF000-memory.dmp  squirrelwaffle

- Blocklisted process makes network request (5 IoCs)

  flow  pid   Process
  10    3680  rundll32.exe
  11    3680  rundll32.exe
  12    3680  rundll32.exe
  13    3680  rundll32.exe
  17    3680  rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)

  description                        pid   Process       procid_target
  PID 3572 wrote to memory of 3680   3572  rundll32.exe  70
  PID 3572 wrote to memory of 3680   3572  rundll32.exe  70
  PID 3572 wrote to memory of 3680   3572  rundll32.exe  70
Processes

- C:\Windows\system32\rundll32.exe (PID 3572, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3680, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
    - Blocklisted process makes network request