Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-09-2021 12:50

General

  • Target

    test1.test.0.dr.dll

  • Size

    235KB

  • MD5

    8e37795097400f6a609525749d154cd0

  • SHA1

    8e1502c2aa56e6a8c7c1d2c75f3946332a5bb8c0

  • SHA256

    6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b

  • SHA512

    c7453b8f50e557a5990ac3708931845eeb6dc2992cd907d5534733524f523226d8d013be6e09bb2b5210f6f5ad2303625f8998a5111d3b0925bb4228b6c9152a

Malware Config

Extracted

Family

squirrelwaffle

C2

acdlimited.com/2u6aW9Pfe

jornaldasoficinas.com/ZF8GKIGVDupL

orldofjain.com/lMsTA7tSYpe

altayaralsudani.net/SSUsPgb7PHgC

hoteloaktree.com/QthLWsZsVgb

aterwellnessinc.com/U7D0sswwp

sirifinco.com/Urbhq9wO50j

ordpress17.com/5WG6Z62sKWo

mohsinkhanfoundation.com/pcQLeLMbur

lendbiz.vn/xj3BhHtMbf

geosever.rs/ObHP1CHt

nuevainfotech.com/xCNyTjzkoe

dadabhoy.pk/m6rQE94U

111

sjgrand.lk/zvMYuQqEZj

erogholding.com/GFM1QcCFk

armordetailing.rs/lgfrZb4Re6WO

lefrenchwineclub.com/eRUGdDox

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

  • suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

  • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

  • suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    suricata: ET MALWARE SQUIRRELWAFFLE Server Response

  • squirrelwaffle 2 IoCs

    Squirrelwaffle Payload

  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.0.dr.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.0.dr.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/804-115-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB

  • memory/804-117-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/804-116-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB