Analysis

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-01-2022 23:05

Static task: static1

Behavioral task: behavioral1
  Sample: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll
  Resource: win10-en-20211208
General

Target: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll
Size: 202KB
MD5: af7afdb0dbf28384f83a1692e381bd38
SHA1: b508ccaeb6f40ed8bcf03380fc448120f8297b02
SHA256: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d
SHA512: fcf289c36fbfb5488f764fc690a2bfb4c689ab26c2a0334d8889c2162e55e831cb2cc65d0983ec3bd75f9a6448af43cbc57b500eedf1c9f70228cc8026525013

Malware Config

Extracted family: squirrelwaffle
Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.

Squirrelwaffle Payload (1 IoC)
  resource: behavioral1/memory/1588-57-0x0000000010000000-0x0000000014030000-memory.dmp
  yara_rule: squirrelwaffle

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process        procid_target
  PID 740 wrote to memory of 1588    740   rundll32.exe   27
  PID 740 wrote to memory of 1588    740   rundll32.exe   27
  PID 740 wrote to memory of 1588    740   rundll32.exe   27
  PID 740 wrote to memory of 1588    740   rundll32.exe   27
  PID 740 wrote to memory of 1588    740   rundll32.exe   27
  PID 740 wrote to memory of 1588    740   rundll32.exe   27
  PID 740 wrote to memory of 1588    740   rundll32.exe   27

Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll,#1
  PID: 740
  Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll,#1
    PID: 1588