Analysis
- max time kernel: 126s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 18:23
Static task: static1
Behavioral task: behavioral1
  Sample: test1.test.dll
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: test1.test.dll
  Resource: win10-en-20210920
General
- Target: test1.test.dll
- Size: 532KB
- MD5: 510b2569ff4ed686227d4fafd4c04dfc
- SHA1: a311db42d9b019b7f1fa1337fb88772fad9175d2
- SHA256: 653e066782817e5c09ca75786c3740b391dc7bbd8c76f38748c0d5e684b4292c
- SHA512: 29d0fcece323c7c25e2126f2636d83d267d63f43095333f9346822d089a36b3bcf46bbd718483f2a51f2d183f3d2590b5d88a4d2148438b986af2a79b9b98061
Malware Config
- Extracted: squirrelwaffle (C2 URL list)
Signatures
- SquirrelWaffle is a simple downloader written in C++.
  SquirrelWaffle.
- suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
- suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
- suricata: ET MALWARE SQUIRRELWAFFLE Server Response
- Squirrelwaffle Payload (2 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3720-117-0x0000000073B80000-0x0000000073B90000-memory.dmp   squirrelwaffle
  behavioral2/memory/3720-118-0x0000000073B80000-0x0000000074510000-memory.dmp   squirrelwaffle
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  25    3720  rundll32.exe
  29    3720  rundll32.exe
  30    3720  rundll32.exe
  31    3720  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process       procid_target
  PID 3364 wrote to memory of 3720    3364  rundll32.exe  69
  PID 3364 wrote to memory of 3720    3364  rundll32.exe  69
  PID 3364 wrote to memory of 3720    3364  rundll32.exe  69
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
  PID: 3364
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
    PID: 3720
    - Blocklisted process makes network request