Analysis
max time kernel: 1783s
max time network: 1796s
platform: windows10_x64
resource: win10-en-20210920
submitted: 04-10-2021 13:37
Static task: static1
Behavioral task: behavioral1 (sample: test2.test.dll, resource: win7v20210408)
Behavioral task: behavioral2 (sample: test2.test.dll, resource: win10-en-20210920)
General
Target: test2.test.dll
Size: 468KB
MD5: 5ac65b28e1852283c612ca7e1aaa7d3f
SHA1: da1277f3549453023446290bf5d278c89343ffa5
SHA256: dd372a40f76e4df61316e014ac9e25a36981e07d9064944776ce41d933e19530
SHA512: c16ce4e628b8564b955d8d322a1d13af90831c6638b97547c720fb6706603b1f30542298aa11eb39494d9dea7284eab6233cee6a06b57e3a51e16342abfc11b0
Malware Config
Extracted configuration (family: squirrelwaffle), URL list:
Signatures
SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
squirrelwaffle (1 IoC)
Squirrelwaffle Payload
resource                                                                        yara_rule
behavioral2/memory/3564-117-0x0000000010000000-0x0000000014574000-memory.dmp   squirrelwaffle
Blocklisted process makes network request (64 IoCs)
flow  pid   Process
8     3564  rundll32.exe
10    3564  rundll32.exe
12    3564  rundll32.exe
14    3564  rundll32.exe
18    3564  rundll32.exe
20    3564  rundll32.exe
29    3564  rundll32.exe
30    3564  rundll32.exe
32    3564  rundll32.exe
36    3564  rundll32.exe
38    3564  rundll32.exe
40    3564  rundll32.exe
42    3564  rundll32.exe
44    3564  rundll32.exe
46    3564  rundll32.exe
48    3564  rundll32.exe
50    3564  rundll32.exe
52    3564  rundll32.exe
54    3564  rundll32.exe
55    3564  rundll32.exe
57    3564  rundll32.exe
58    3564  rundll32.exe
59    3564  rundll32.exe
60    3564  rundll32.exe
62    3564  rundll32.exe
63    3564  rundll32.exe
64    3564  rundll32.exe
65    3564  rundll32.exe
66    3564  rundll32.exe
67    3564  rundll32.exe
68    3564  rundll32.exe
69    3564  rundll32.exe
70    3564  rundll32.exe
71    3564  rundll32.exe
72    3564  rundll32.exe
73    3564  rundll32.exe
75    3564  rundll32.exe
76    3564  rundll32.exe
78    3564  rundll32.exe
79    3564  rundll32.exe
80    3564  rundll32.exe
81    3564  rundll32.exe
83    3564  rundll32.exe
84    3564  rundll32.exe
86    3564  rundll32.exe
87    3564  rundll32.exe
88    3564  rundll32.exe
90    3564  rundll32.exe
91    3564  rundll32.exe
92    3564  rundll32.exe
93    3564  rundll32.exe
94    3564  rundll32.exe
95    3564  rundll32.exe
97    3564  rundll32.exe
98    3564  rundll32.exe
100   3564  rundll32.exe
101   3564  rundll32.exe
102   3564  rundll32.exe
103   3564  rundll32.exe
105   3564  rundll32.exe
106   3564  rundll32.exe
107   3564  rundll32.exe
108   3564  rundll32.exe
109   3564  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid   Process       procid_target
PID 3592 wrote to memory of 3564     3592  rundll32.exe  70
PID 3592 wrote to memory of 3564     3592  rundll32.exe  70
PID 3592 wrote to memory of 3564     3592  rundll32.exe  70
Processes
C:\Windows\system32\rundll32.exe (PID: 3592)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test2.test.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID: 3564)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\test2.test.dll,#1
      - Blocklisted process makes network request