Analysis

max time kernel: 155s
max time network: 180s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:05

Static task: static1

Behavioral task: behavioral1
  Sample: d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7.dll
  Resource: win10-en-20211208
General

Target: d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7.dll
Size: 360KB
MD5: 5e840e5cc4167379d7efd5b85fd31e43
SHA1: 5245f1fe2a99267891a50593539929d02414c421
SHA256: d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7
SHA512: bd66cc24b3ded27cb333f5908be365f55423c3898636c4fffd3fcbf53a8471c8e84773d13fe71d1cfb210ec3552684fa94a8d169e05a07af3f4339b65581a345
Malware Config

Extracted: squirrelwaffle

URLs:
http://msrsac.com/nvaaLwe9
http://u522712.gluweb.nl/n2fshwgq
http://serverplanner.com/LkkAWHLc8
http://bengali.iu.ac.bd/xNM4FTUzqRRk
http://owfix.net/NVNCI3qMl4
http://pcbsi.com.ph/IcLNSd9sO
http://enlacelaboral.com/3cKldxdt

blocklist:
94.46.179.80
206.189.205.251
88.242.66.45
36.65.102.42
85.75.110.214
93.78.214.187
87.104.3.136
207.244.91.171
49.230.88.160
91.149.252.75
91.149.252.88
92.211.109.152
178.0.250.168
178.203.145.135
88.69.16.230
95.223.77.160
99.234.62.23
2.206.105.223
84.222.8.201
89.183.239.142
93.206.148.216
5.146.132.101
77.7.60.154
45.41.106.122
45.74.72.13
74.58.152.123
88.87.68.197
211.107.25.121
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
111.7.100.17
111.7.100.16
74.125.210.62
74.125.210.36
104.244.74.57
185.220.101.145
185.220.101.144
185.220.101.18
185.220.100.246
185.220.101.228
185.220.100.243
185.220.101.229
185.220.101.147
185.220.102.250
94.46.179.80
206.189.205.251
178.255.172.194
84.221.205.40
155.138.242.103
178.212.98.156
85.65.32.191
31.167.184.201
88.242.66.45
36.65.102.42
203.213.127.79
85.75.110.214
93.78.214.187
204.152.81.185
183.171.72.218
168.194.101.130
87.104.3.136
92.211.196.33
197.92.140.125
207.244.91.171
49.230.88.160
196.74.16.153
91.149.252.75
91.149.252.88
92.206.15.202
82.21.114.63
92.211.109.152
178.0.250.168
178.203.145.135
85.210.36.4
199.83.207.72
86.132.134.203
88.69.16.230
99.247.129.88
37.201.195.12
87.140.192.0
88.152.185.188
87.156.177.91
99.229.57.160
95.223.77.160
88.130.54.214
99.234.62.23
2.206.105.223
94.134.179.130
84.221.255.199
84.222.8.201
89.183.239.142
87.158.21.26
93.206.148.216
5.146.132.101
77.7.60.154
95.223.75.85
162.254.173.187
50.99.254.163
45.41.106.122
99.237.13.3
45.74.72.13
108.171.64.202
74.58.152.123
216.209.253.121
88.87.68.197
211.107.25.121
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
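To make the extracted config usable outside the sandbox, the values above have to become matchable indicators: the seven URLs split into host and path (a host-only hit is the weaker signal), the blocklist de-duplicated (the report lists several addresses twice) and clustered by /24 so dense ranges stand out, and each URL turned into a network rule. The block below is an added example, not the sandbox's or the loader's own code. The C2 URLs are copied from the report; BLOCKLIST_SAMPLE is a short subset of the report's blocklist; the Suricata sid range and the HTTP events checked at the bottom are assumptions for the demo.

```python
"""Turn the SquirrelWaffle config extracted above into matchable indicators.

Added example; not the sandbox's or the loader's own code. C2_URLS is copied
from the report. BLOCKLIST_SAMPLE is a short subset of the report's blocklist,
deliberately keeping two addresses the report lists twice. The sid range used
for Suricata rules is an assumption.
"""
import ipaddress
from urllib.parse import urlsplit

C2_URLS = [
    "http://msrsac.com/nvaaLwe9",
    "http://u522712.gluweb.nl/n2fshwgq",
    "http://serverplanner.com/LkkAWHLc8",
    "http://bengali.iu.ac.bd/xNM4FTUzqRRk",
    "http://owfix.net/NVNCI3qMl4",
    "http://pcbsi.com.ph/IcLNSd9sO",
    "http://enlacelaboral.com/3cKldxdt",
]

# Subset of the report's blocklist (constructed sample), with two repeats.
BLOCKLIST_SAMPLE = """
94.46.179.80
206.189.205.251
88.242.66.45
185.220.101.145
185.220.101.144
94.46.179.80
206.189.205.251
178.255.172.194
88.242.66.45
"""


def parse_blocklist(text):
    """Unique, syntactically valid IP addresses in first-seen order."""
    seen = []
    for token in text.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # ignore anything that is not an address
        if addr not in seen:
            seen.append(addr)
    return seen


def group_by_prefix(addrs, prefixlen=24):
    """Count addresses per /prefixlen network to spot clusters worth a range block."""
    counts = {}
    for a in addrs:
        net = ipaddress.ip_network("%s/%d" % (a, prefixlen), strict=False)
        counts[net] = counts.get(net, 0) + 1
    return counts


def c2_indicators(urls):
    """(host, path) pairs; host alone is the weaker indicator."""
    return [(urlsplit(u).hostname.lower(), urlsplit(u).path) for u in urls]


def match_http(host, path, indicators):
    """'full' when host and path match a C2 URL, 'host' when only the host does."""
    host = host.lower()
    for h, p in indicators:
        if h == host:
            return "full" if p == path else "host"
    return None


def suricata_rule(host, path, sid):
    """Suricata 5+ sticky-buffer rule for one C2 URL (sid range is an assumption)."""
    for bad in (';', '"', '|'):
        if bad in host or bad in path:
            raise ValueError("content needs escaping: %r %r" % (host, path))
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        'msg:"SquirrelWaffle C2 %s"; flow:established,to_server; '
        'http.host; content:"%s"; http.uri; content:"%s"; '
        'classtype:trojan-activity; sid:%d; rev:1;)' % (host, host, path, sid)
    )


def rules_for(urls, first_sid=1000001):
    """One rule per C2 URL, numbered from first_sid."""
    return [suricata_rule(h, p, first_sid + i)
            for i, (h, p) in enumerate(c2_indicators(urls))]


if __name__ == "__main__":
    inds = c2_indicators(C2_URLS)
    # Constructed HTTP observations: a C2 hit, a host-only hit, and a miss.
    for h, p in [("msrsac.com", "/nvaaLwe9"), ("owfix.net", "/"), ("example.com", "/x")]:
        print(h, p, match_http(h, p, inds))
    addrs = parse_blocklist(BLOCKLIST_SAMPLE)
    print(len(addrs), "unique blocklist addresses")
    for net, n in sorted(group_by_prefix(addrs).items(), key=lambda kv: -kv[1]):
        print(net, n)
    print(rules_for(C2_URLS)[0])
```

The rule emitter checks the host and path for characters Suricata's content keyword would need escaped before it writes them out; none of the URLs on this page need it, but a config extracted from another sample might.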
Signatures

SquirrelWaffle
SquirrelWaffle is a simple downloader written in C++.

Squirrelwaffle Payload (1 IoC)
resource: behavioral2/memory/2884-116-0x0000000010000000-0x0000000010067000-memory.dmp
yara_rule: squirrelwaffle

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 2396 wrote to memory of 2884   2396  regsvr32.exe  69
PID 2396 wrote to memory of 2884   2396  regsvr32.exe  69
PID 2396 wrote to memory of 2884   2396  regsvr32.exe  69
Processes

C:\Windows\system32\regsvr32.exe (PID 2396)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7.dll
  Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\regsvr32.exe (PID 2884)
       command line: /s C:\Users\Admin\AppData\Local\Temp\d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7.dll
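The process tree has two things worth detecting independently: regsvr32 silently registering a DLL from the user's Temp directory, and the 64-bit System32 regsvr32 handing the same DLL to its SysWOW64 copy. The second is what regsvr32 does for any 32-bit DLL on x64, so on its own it is context rather than a detection, and the WriteProcessMemory signature above is the parent writing into the child it just created, not evidence of injection by itself. The block below is an added example, not part of the sandbox report: it runs both rules over Sysmon Event ID 1 style records and correlates parent and child on the DLL path. EVENTS is constructed to mirror the report's two regsvr32 processes (PIDs 2396 and 2884); the parent PID of 2396 and the benign control event are assumptions.

```python
"""Detection logic for the regsvr32 chain in the process tree above.

Added example; not part of the sandbox report. EVENTS is constructed to mirror
the report's two regsvr32 processes (PIDs 2396 and 2884) plus a benign control,
using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ...).
The parent PID of 2396 and the control event are assumptions for the demo.
"""
import ntpath
import re

DLL_NAME = "d547358d7506e4985ccbf497c58ca5a1767b38e35913521ebd50928f896f7ac7.dll"
TEMP_DLL = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + DLL_NAME

EVENTS = [
    {"ProcessId": 2396, "ParentProcessId": 1200,          # parent PID assumed
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "regsvr32 /s " + TEMP_DLL},
    {"ProcessId": 2884, "ParentProcessId": 2396,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "/s " + TEMP_DLL},
    # Benign control (constructed): an installer registering its own DLL.
    {"ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\helper.dll"'},
]

# Directories an unprivileged user can write to; extend to taste.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads)\\", re.I)
DLL_QUOTED = re.compile(r'"([^"]+?\.dll)"', re.I)
DLL_BARE = re.compile(r"(?:^|\s)([a-z]:\\\S+?\.dll)(?=\s|$)", re.I)


def is_regsvr32(image):
    return ntpath.basename(image).lower() == "regsvr32.exe"


def dll_from_cmdline(cmdline):
    """The .dll argument, quoted or not; None if there is none."""
    m = DLL_QUOTED.search(cmdline) or DLL_BARE.search(cmdline)
    return m.group(1) if m else None


def rule_hits(ev):
    """Names of the rules one process-create event triggers."""
    hits = []
    if not is_regsvr32(ev["Image"]):
        return hits
    dll = dll_from_cmdline(ev["CommandLine"])
    if dll and USER_WRITABLE.search(dll):
        hits.append("regsvr32_user_writable_dll")
        if "/s" in ev["CommandLine"].lower().split():
            hits.append("regsvr32_silent_user_writable_dll")
    # 64-bit regsvr32 re-launches the SysWOW64 copy for a 32-bit DLL. Normal
    # for any 32-bit DLL on x64, so this is context, not a detection by itself.
    if (is_regsvr32(ev["ParentImage"])
            and "\\system32\\" in ev["ParentImage"].lower()
            and "\\syswow64\\" in ev["Image"].lower()):
        hits.append("regsvr32_wow64_handoff")
    return hits


def analyze(events):
    """Rule hits keyed by ProcessId."""
    return {ev["ProcessId"]: rule_hits(ev) for ev in events}


def wow64_chains(events):
    """(parent_pid, child_pid, dll) where a System32 regsvr32 spawned a SysWOW64
    regsvr32 for the same DLL, i.e. the shape of the tree in the report."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chains = []
    for ev in events:
        parent = by_pid.get(ev.get("ParentProcessId"))
        if parent is None or "regsvr32_wow64_handoff" not in rule_hits(ev):
            continue
        child_dll = dll_from_cmdline(ev["CommandLine"])
        parent_dll = dll_from_cmdline(parent["CommandLine"])
        if child_dll and parent_dll and child_dll.lower() == parent_dll.lower():
            chains.append((parent["ProcessId"], ev["ProcessId"], child_dll))
    return chains


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, hits or "-")
    print(wow64_chains(EVENTS))
```

Matching on the DLL path rather than only on the parent/child image pair is what separates the report's chain from an ordinary installer run: the same WOW64 hand-off happens for the benign control's DLL too, but that path is not user-writable and the control never trips the first rule.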