Overview

overview

10

Static

static

test1.test.dll

windows7_x64

10

test1.test.dll

windows10_x64

10

Resubmissions

27-09-2021 13:35

210927-qvskcshbbk 10

27-09-2021 13:12

210927-qfkk7shafj 10

Analysis

  • max time kernel
    1782s
  • max time network
    1784s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-09-2021 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test1.test.dll

  • Size

    235KB

  • MD5

    8e37795097400f6a609525749d154cd0

  • SHA1

    8e1502c2aa56e6a8c7c1d2c75f3946332a5bb8c0

  • SHA256

    6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b

  • SHA512

    c7453b8f50e557a5990ac3708931845eeb6dc2992cd907d5534733524f523226d8d013be6e09bb2b5210f6f5ad2303625f8998a5111d3b0925bb4228b6c9152a

Score
10/10
squirrelwaffledownloadersuricata

Malware Config

Extracted

Family

squirrelwaffle

C2

acdlimited.com/2u6aW9Pfe

jornaldasoficinas.com/ZF8GKIGVDupL

orldofjain.com/lMsTA7tSYpe

altayaralsudani.net/SSUsPgb7PHgC

hoteloaktree.com/QthLWsZsVgb

aterwellnessinc.com/U7D0sswwp

sirifinco.com/Urbhq9wO50j

ordpress17.com/5WG6Z62sKWo

mohsinkhanfoundation.com/pcQLeLMbur

lendbiz.vn/xj3BhHtMbf

geosever.rs/ObHP1CHt

nuevainfotech.com/xCNyTjzkoe

dadabhoy.pk/m6rQE94U

111

sjgrand.lk/zvMYuQqEZj

erogholding.com/GFM1QcCFk

armordetailing.rs/lgfrZb4Re6WO

lefrenchwineclub.com/eRUGdDox

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

    downloadersquirrelwaffle
  • suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    suricata
  • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    suricata
  • suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    suricata
  • squirrelwaffle 2 IoCs

    Squirrelwaffle Payload

  • Blocklisted process makes network request 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4032-116-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/4032-115-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4032-117-0x0000000003080000-0x00000000031CA000-memory.dmp

    Filesize

    1.3MB

    Download