Analysis

max time kernel: 1787s
max time network: 1790s
platform: windows10_x64
resource: win10v20210408
submitted: 04-10-2021 13:41
Static task: static1

Behavioral task: behavioral1
Sample: repo.html.3.dll
Resource: win7-en-20210920

Behavioral task: behavioral2
Sample: repo.html.3.dll
Resource: win10v20210408
General

Target: repo.html.3.dll
Size: 475KB
MD5: 267aa0f6d02c470db4951b3d9b80d8f7
SHA1: a9627760018699a0ce48499fd58b43e3d33c51c7
SHA256: da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3
SHA512: cf0ab54048b096bf05bc4f222473a962f2e18133e195165b582f041ee3b38536cc4e67a49dcc762c838aaeafcd164d63765ac42d58762db9f21217c12bc4eff6
Malware Config

Extracted: squirrelwaffle
URLs from the extracted config:
profitshub.in/eJDLM6siEv
hynot-adventures.com/siRmGWRAqRR
giversherbalproducts.com/lBawcxb5
opulent-imports.com/DlOBqKAf
nitro2point0.com/9SqebpSMu
streamline-trade.com/7fTwg0V7
sologicgroup.com/hWo6FObvrdp
pedroaros.cl/gnYxifRY
apimar.eu/QFm9qbfjT
baetrading.com/IfpAV6qS
ditrpshop.in/oHbAKuM0
surveillantfire.com/s6ImD3DAJs
dhananialegalaid.com/VIVB6kFar
aulaintelimundo.com/n1n3Sh4NSO08
muwatin.net/IvyhnWs8j
nkp.hr/a9TmwEDR
kvrassociates.net/Y3kzp0WtE0
marianaleyton.com/4ByNgaVdId6
Signatures

SquirrelWaffle
  SquirrelWaffle is a simple downloader written in C++.

squirrelwaffle (1 IoC): Squirrelwaffle Payload
  resource: behavioral2/memory/508-116-0x0000000010000000-0x0000000014574000-memory.dmp
  yara_rule: squirrelwaffle
Blocklisted process makes network request (64 IoCs)
  Every row of the flow table has the same pid and process: pid 508, rundll32.exe.
  flow ids: 2, 9, 15, 19, 22, 23, 25, 27, 29, 31, 39, 41, 43, 47, 49, 51, 53, 55, 57, 58, 59, 60, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 75, 76, 78, 79, 80, 81, 83, 84, 86, 87, 89, 90, 91, 92, 93, 94, 95, 97, 98, 100, 101, 102, 103, 105, 106, 107, 108, 109, 110, 111
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        | pid | Process      | procid_target
  PID 744 wrote to memory of 508     | 744 | rundll32.exe | 68
  PID 744 wrote to memory of 508     | 744 | rundll32.exe | 68
  PID 744 wrote to memory of 508     | 744 | rundll32.exe | 68
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\repo.html.3.dll,#1
  PID: 744
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 744)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\repo.html.3.dll,#1
    PID: 508
    signatures: Blocklisted process makes network request