Analysis

Max time kernel: 138s
Max time network: 152s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 27-09-2021 12:50

Static task: static1
Behavioral task: behavioral1
  Sample: test1.test.0.dr.dll
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: test1.test.0.dr.dll
  Resource: win10v20210408

General

Target: test1.test.0.dr.dll
Size: 235KB
MD5: 8e37795097400f6a609525749d154cd0
SHA1: 8e1502c2aa56e6a8c7c1d2c75f3946332a5bb8c0
SHA256: 6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b
SHA512: c7453b8f50e557a5990ac3708931845eeb6dc2992cd907d5534733524f523226d8d013be6e09bb2b5210f6f5ad2303625f8998a5111d3b0925bb4228b6c9152a
Malware Config

Extracted: squirrelwaffle
Signatures

SquirrelWaffle
  SquirrelWaffle is a simple downloader written in C++.

suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Server Response

Squirrelwaffle Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/804-117-0x0000000010000000-0x00000000100D6000-memory.dmp  squirrelwaffle
  behavioral2/memory/804-116-0x0000000010000000-0x0000000010010000-memory.dmp  squirrelwaffle

Blocklisted process makes network request (4 IoCs)
  flow  pid  Process
  12    804  rundll32.exe
  15    804  rundll32.exe
  16    804  rundll32.exe
  17    804  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid  Process       procid_target
  PID 636 wrote to memory of 804  636  rundll32.exe  68
  PID 636 wrote to memory of 804  636  rundll32.exe  68
  PID 636 wrote to memory of 804  636  rundll32.exe  68

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.0.dr.dll,#1
  PID: 636
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.0.dr.dll,#1
    PID: 804
    - Blocklisted process makes network request