Overview

overview

10

Static

static

029b714502...39.dll

windows10_x64

10

061dfb6a25...52.dll

windows10_x64

10

06d55f75d7...d2.dll

windows10_x64

10

24401ac43b...65.dll

windows10_x64

3

260e2d5769...40.dll

windows10_x64

10

26cd036960...18.dll

windows10_x64

10

2a0a88a2e5...4a.dll

windows10_x64

3

2f33217d51...94.dll

windows10_x64

10

336cdd146b...da.dll

windows10_x64

10

417c1828d9...73.dll

windows10_x64

10

4d3095c796...ee.dll

windows10_x64

10

54e526fe05...4c.dll

windows10_x64

1

6402b33d72...3b.dll

windows10_x64

10

64c044cb3e...db.dll

windows10_x64

10

671f477c30...4e.dll

windows10_x64

10

67785724b6...ce.dll

windows10_x64

3

6c6934613a...fb.dll

windows10_x64

10

6f63742c25...fd.dll

windows10_x64

10

813a9b03c6...48.dll

windows10_x64

10

839ac59a78...e3.dll

windows10_x64

10

85d0b72fe8...39.dll

windows10_x64

10

a34cb4049e...c4.dll

windows10_x64

10

a55c19c552...60.dll

windows10_x64

10

a98e988f03...48.dll

windows10_x64

10

acc31f97c3...27.dll

windows10_x64

10

b194eec1e5...c7.dll

windows10_x64

10

bac73f9cce...00.dll

windows10_x64

10

c5d2f0da18...0c.dll

windows10_x64

10

d559ee0a26...7e.dll

windows10_x64

1

db5276c0d5...79.dll

windows10_x64

10

e5efde9740...15.dll

windows10_x64

10

fe028e6f99...1c.dll

windows10_x64

10

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    3834s
  • max time network
    3852s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    31-10-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll

  • Size

    334KB

  • MD5

    84a32095bcbc0ed694f09f1dd8f2a70f

  • SHA1

    23f7334db6979f04d5a2a9a846f82c526bfe6736

  • SHA256

    671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e

  • SHA512

    e3db14700e24210d1e2f1c19fcbb1b7074d73f5cdc4cbaf737b9a92a4f3b8d9b71efaa450aac9f7f4baef1ca8463f0668a3d72b888e0d39195e4c6115de5012a

Score
10/10
squirrelwaffledownloadersuricata

Malware Config

Extracted

Family

squirrelwaffle

C2

http://spiritofprespa.com/9783Tci2SGF6

http://amjsys.com/RIZszf8vR

http://hrms.prodigygroupindia.com/SKyufGZV

http://centralfloridaasphalt.com/GCN0FChS

http://jhehosting.com/rUuKheB7

http://shoeclearanceoutlet.co.uk/46awDTJjI4l

http://kmslogistik.com/aS1mjTkJIy

http://bartek-lenart.pl/1bWJ57V9vx

http://voip.voipcallhub.com/ZVmfdGHs4T

http://mercyfoundationcio.org/XF9aQrXnakeG

http://key4net.com/a8A2kcc1J

http://chaturanga.groopy.com/mxN3lxZoVApc

http://voipcallhub.com/ilGht5r26

http://ems.prodigygroupindia.com/v5RvVJTz

http://novamarketing.com.pk/k8l36uus

http://lenartsa.webd.pro/fz16DjmKmHtl

http://lead.jhinfotech.co/YERjiAMaupaz
Attributes
  • blocklist

    94.46.179.80

    206.189.205.251

    88.242.66.45

    85.75.110.214

    87.104.3.136

    207.244.91.171

    49.230.88.160

    91.149.252.75

    91.149.252.88

    92.211.109.152

    178.0.250.168

    88.69.16.230

    95.223.77.160

    99.234.62.23

    2.206.105.223

    84.222.8.201

    89.183.239.142

    5.146.132.101

    77.7.60.154

    45.41.106.122

    45.74.72.13

    74.58.152.123

    88.87.68.197

    211.107.25.121

    109.70.100.25

    185.67.82.114

    207.102.138.19

    204.101.161.14

    193.128.108.251

    111.7.100.17

    111.7.100.16

    74.125.210.62

    74.125.210.36

    104.244.74.57

    185.220.101.145

    185.220.101.144

    185.220.101.18

    185.220.100.246

    185.220.101.228

    185.220.100.243

    185.220.101.229

    185.220.101.147

    185.220.102.250

    185.220.100.241

    199.195.251.84

    213.164.204.94

    74.125.213.7

    74.125.213.9

    185.220.100.249

    37.71.173.58

    93.2.220.100

    188.10.191.109

    81.36.17.247

    70.28.47.118

    45.133.172.222

    108.41.227.196

    37.235.53.46

    162.216.47.22

    154.3.42.51

    45.86.200.60

    212.230.181.152

    185.192.70.11

    14.33.131.72

    94.46.179.80

    206.189.205.251

    178.255.172.194

    84.221.205.40

    155.138.242.103

    178.212.98.156

    85.65.32.191

    31.167.184.201

    88.242.66.45

    36.65.102.42

    203.213.127.79

    85.75.110.214

    93.78.214.187

    204.152.81.185

    183.171.72.218

    168.194.101.130

    87.104.3.136

    92.211.196.33

    197.92.140.125

    207.244.91.171

    49.230.88.160

    196.74.16.153

    91.149.252.75

    91.149.252.88

    92.206.15.202

    82.21.114.63

    92.211.109.152

    178.0.250.168

    178.203.145.135

    85.210.36.4

    199.83.207.72

    86.132.134.203

    88.69.16.230

    99.247.129.88

    37.201.195.12

    87.140.192.0

    88.152.185.188

    87.156.177.91

    99.229.57.160

    95.223.77.160

    88.130.54.214

    99.234.62.23

    2.206.105.223

    94.134.179.130

    84.221.255.199

    84.222.8.201

    89.183.239.142

    87.158.21.26

    93.206.148.216

    5.146.132.101

    77.7.60.154

    95.223.75.85

    162.254.173.187

    50.99.254.163

    45.41.106.122

    99.237.13.3

    45.74.72.13

    108.171.64.202

    74.58.152.123

    216.209.253.121

    88.87.68.197

    211.107.25.121

    109.70.100.25

    185.67.82.114

    207.102.138.19

    204.101.161.14

    193.128.108.251

    111.7.100.17

    111.7.100.16

    74.125.210.62

    74.125.210.36

    104.244.74.57

    185.220.101.145

    185.220.101.144

    185.220.101.18

    185.220.100.246

    185.220.101.228

    185.220.100.243

    185.220.101.229

    185.220.101.147

    185.220.102.250

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

    downloadersquirrelwaffle
  • suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    suricata
  • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    suricata
  • suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    suricata
  • Squirrelwaffle Payload 2 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1112-116-0x0000000000000000-mapping.dmp
    Download
  • memory/1112-117-0x00000000744B0000-0x0000000074512000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1112-118-0x0000000000600000-0x000000000074A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1112-120-0x00000000744B0000-0x0000000074512000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1112-119-0x00000000744B0000-0x00000000744C1000-memory.dmp
    Filesize

    68KB

    Download