Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    161s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    14-10-2021 01:44

General

  • Target

    26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll

  • Size

    518KB

  • MD5

    c9b2167e784286fcf1835c0d9ba0eade

  • SHA1

    8035bf4ada5abdffa9a7566c965b3caf897f3fed

  • SHA256

    26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618

  • SHA512

    aef1eaadf55f3a49182588d348e985775960eec11e2240ca874cc5b502b1825ab61f29edbc72b9e8b6d9e68713325ef8c3a5a21606603e477a6bc09b7b841138

Malware Config

Extracted

Family

squirrelwaffle

C2


Attributes
  • blocklist


Signatures

  • SquirrelWaffle: a simple downloader written in C++.

  • Squirrelwaffle Payload 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll,#1
      • Blocklisted process makes network request
      PID:1904


Downloads

  • memory/1904-116-0x0000000004EA0000-0x0000000004EAE000-memory.dmp

    Filesize

    56KB

  • memory/1904-117-0x0000000073820000-0x00000000738AA000-memory.dmp

    Filesize

    552KB