Analysis
max time kernel: 129s
max time network: 132s
platform: windows10_x64
resource: win10v20210408
submitted: 04-10-2021 13:19
Static task: static1
Behavioral task: behavioral1 (sample: test2.test.dll, resource: win7-en-20210920)
Behavioral task: behavioral2 (sample: test2.test.dll, resource: win10v20210408)
General
Target: test2.test.dll
Size: 468KB
MD5: 5ac65b28e1852283c612ca7e1aaa7d3f
SHA1: da1277f3549453023446290bf5d278c89343ffa5
SHA256: dd372a40f76e4df61316e014ac9e25a36981e07d9064944776ce41d933e19530
SHA512: c16ce4e628b8564b955d8d322a1d13af90831c6638b97547c720fb6706603b1f30542298aa11eb39494d9dea7284eab6233cee6a06b57e3a51e16342abfc11b0
Malware Config
Extracted family: squirrelwaffle (list of extracted C2 URLs follows in the original report)
Signatures
SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
squirrelwaffle (1 IoC): Squirrelwaffle Payload
  resource: behavioral2/memory/908-116-0x0000000010000000-0x0000000014574000-memory.dmp
  yara_rule: squirrelwaffle
Blocklisted process makes network request (5 IoCs)
  flow  pid  Process
  2     908  rundll32.exe
  13    908  rundll32.exe
  17    908  rundll32.exe
  20    908  rundll32.exe
  23    908  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid  Process       procid_target
  PID 740 wrote to memory of 908  740  rundll32.exe  68
  PID 740 wrote to memory of 908  740  rundll32.exe  68
  PID 740 wrote to memory of 908  740  rundll32.exe  68
Processes
C:\Windows\system32\rundll32.exe (PID 740)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test2.test.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 908, child of PID 740)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test2.test.dll,#1
    Signature: Blocklisted process makes network request