Resubmissions
- 14-10-2021 12:23  211014-pkhrqsaccp  10
- 06-10-2021 13:07  211006-qc4vnsbdem  10
- 06-10-2021 07:58  211006-jtztqaagc4  10

Analysis
- max time kernel: 1185s
- max time network: 1187s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-10-2021 13:07
Static task: static1
Behavioral task: behavioral1
- Sample: da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3 (1).dll
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3 (1).dll
- Resource: win10v20210408
General
- Target: da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3 (1).dll
- Size: 475KB
- MD5: 267aa0f6d02c470db4951b3d9b80d8f7
- SHA1: a9627760018699a0ce48499fd58b43e3d33c51c7
- SHA256: da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3
- SHA512: cf0ab54048b096bf05bc4f222473a962f2e18133e195165b582f041ee3b38536cc4e67a49dcc762c838aaeafcd164d63765ac42d58762db9f21217c12bc4eff6
Malware Config
- Extracted: squirrelwaffle
Signatures
- SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
- suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
- Squirrelwaffle Payload (1 IoC)
  resource: behavioral2/memory/408-116-0x0000000010000000-0x0000000014574000-memory.dmp
  yara_rule: squirrelwaffle
- Blocklisted process makes network request (48 IoCs)
  pid 408, Process rundll32.exe, for every flow.
  flow IDs: 2, 14, 18, 20, 23, 24, 26, 28, 30, 32, 37, 42, 49, 51, 53, 57, 59, 61, 63, 64, 65, 66, 68, 69, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 82, 83, 85, 86, 87, 88, 90, 91, 92, 93, 94, 96, 97, 98
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 992 wrote to memory of 408 | pid: 992 | Process: rundll32.exe | procid_target: 68 (3 times)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3 (1).dll",#1
  PID: 992
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\da031faf0a918be7bf90705dac2ce63cfda65226360202ac1d53a6849592e9b3 (1).dll",#1
    PID: 408
    - Blocklisted process makes network request