Analysis
max time kernel: 165s
max time network: 185s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:05
Static task: static1
Behavioral task: behavioral1
  Sample: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll
  Resource: win10-en-20211208
General
Target: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll
Size: 202KB
MD5: af7afdb0dbf28384f83a1692e381bd38
SHA1: b508ccaeb6f40ed8bcf03380fc448120f8297b02
SHA256: d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d
SHA512: fcf289c36fbfb5488f764fc690a2bfb4c689ab26c2a0334d8889c2162e55e831cb2cc65d0983ec3bd75f9a6448af43cbc57b500eedf1c9f70228cc8026525013
Malware Config
Extracted family: squirrelwaffle
C2 URLs (from the extracted configuration):
http://pop.vicamtaynam.com/VtyiHAft
http://snsvidyapeeth.in/aXmo2Dr3
http://trinitytesttubebaby.com/QR2JvfE3Sv
http://iconskw.com/cqdPtAbZ
http://ebookchuyennganh.com/v9PMvQDxHK8W
http://alsader.net/BHdQaiQ9rt
http://avyanshglobal.com/6pYjPlqf
http://primahills-online.com/ypCiZn7tMx
http://antoniocastroycia.com.co/WHe08obY
http://apexbiotech.net/VQgunQ4t5Ue
http://vscm.in/V3tYKxDz
http://sinaloworx.co.za/3GilA8Eo3r
http://dancongnghe.xyz/yRByhX6J3REI
http://trajesuniformes.com.br/qQofZMaJm
http://fiorenzapaes.com.br/PGYpETW7
http://astetinternational.com/arW5e44Y7vzO
http://razisystem.ir/MqvvkX0cWvn
http://krishnaiti.org.in/rWA02HQY4
Signatures
-
SquirrelWaffle
SquirrelWaffle is a simple downloader written in C++.
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST) (reported 2 times)
-
Squirrelwaffle Payload 1 IoCs
  resource                                                                       yara_rule
  behavioral2/memory/3436-119-0x0000000010000000-0x0000000014030000-memory.dmp  squirrelwaffle
Blocklisted process makes network request 5 IoCs
  flow  pid   Process
  15    3436  rundll32.exe
  19    3436  rundll32.exe
  35    3436  rundll32.exe
  44    3436  rundll32.exe
  48    3436  rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
  description                       pid   Process       procid_target
  PID 2060 wrote to memory of 3436  2060  rundll32.exe  69
  PID 2060 wrote to memory of 3436  2060  rundll32.exe  69
  PID 2060 wrote to memory of 3436  2060  rundll32.exe  69
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll,#1
   PID: 2060
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll,#1
      PID: 3436
      - Blocklisted process makes network request

The DLL is invoked by export ordinal (#1). The 64-bit rundll32.exe (PID 2060) re-launches the 32-bit SysWOW64 rundll32.exe (PID 3436) with the same command line, which is rundll32's normal behaviour for a 32-bit DLL on 64-bit Windows; the five blocklisted network flows and the in-memory squirrelwaffle YARA hit both belong to that 32-bit child.
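As an added example (not output of the sandbox or code from the report), the Python below turns this report's indicators into checks a responder could run over their own telemetry: the file hashes, the extracted C2 URL list, and the rundll32.exe parent/child chain loading a DLL from the user's Temp directory by export ordinal. The hashes, C2 URLs, PIDs 2060/3436 and the rundll32 command line come from the report; the proxy log lines, the Sysmon-style events, their timestamps, the client IP 10.0.0.5, the parent PIDs and the benign shell32.dll control event are constructed for this example.

```python
"""Hunting checks built from this report's IoCs (added example, not report output).

Hashes, C2 URLs, PIDs 2060/3436 and the rundll32 command line are taken
from the report; log lines, Sysmon-style events, timestamps, client IP and
parent PIDs are constructed for this example.
"""
import re
from urllib.parse import urlparse

# File hashes from the "General" section.
SAMPLE_HASHES = {
    "md5": "af7afdb0dbf28384f83a1692e381bd38",
    "sha1": "b508ccaeb6f40ed8bcf03380fc448120f8297b02",
    "sha256": "d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d",
}

# C2 URLs from the extracted squirrelwaffle configuration.
C2_URLS = [
    "http://pop.vicamtaynam.com/VtyiHAft", "http://snsvidyapeeth.in/aXmo2Dr3",
    "http://trinitytesttubebaby.com/QR2JvfE3Sv", "http://iconskw.com/cqdPtAbZ",
    "http://ebookchuyennganh.com/v9PMvQDxHK8W", "http://alsader.net/BHdQaiQ9rt",
    "http://avyanshglobal.com/6pYjPlqf", "http://primahills-online.com/ypCiZn7tMx",
    "http://antoniocastroycia.com.co/WHe08obY", "http://apexbiotech.net/VQgunQ4t5Ue",
    "http://vscm.in/V3tYKxDz", "http://sinaloworx.co.za/3GilA8Eo3r",
    "http://dancongnghe.xyz/yRByhX6J3REI", "http://trajesuniformes.com.br/qQofZMaJm",
    "http://fiorenzapaes.com.br/PGYpETW7", "http://astetinternational.com/arW5e44Y7vzO",
    "http://razisystem.ir/MqvvkX0cWvn", "http://krishnaiti.org.in/rWA02HQY4",
]


def c2_hosts():
    """Hostnames of the C2 URLs, for matching against proxy or DNS logs."""
    return {urlparse(u).hostname.lower() for u in C2_URLS}


def is_known_sample(observed):
    """True if any hash in `observed` ({"md5": ..., "sha256": ...}) is this sample."""
    return any(observed.get(k, "").lower() == v for k, v in SAMPLE_HASHES.items())


# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>".
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_proxy_log(lines):
    """Return (client, url) for each request whose host is a known C2 host."""
    hosts = c2_hosts()
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        _ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname
        if host and host.lower() in hosts:
            hits.append((client, url))
    return hits


# "rundll32.exe <path>.dll,<export>": export is an ordinal ("#1") or a name.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>#?\w+)", re.I)


def rundll32_chain_alerts(events):
    """Flag the tree seen in the report: rundll32.exe spawning rundll32.exe that
    loads a DLL from the user's Temp directory by export.
    `events` are dicts with pid, ppid, image, cmdline (Sysmon event 1 style)."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL32_RE.search(e["cmdline"])
        if m and "\\appdata\\local\\temp\\" in m.group("dll").lower():
            alerts.append((e["pid"], m.group("dll"), m.group("export")))
    return alerts


DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\d718b0e17e6dc671f63cf0e5740b377f351cdfba11dc17986f25bbdae0eaae6d.dll")

# Constructed events; ppid 1500, PID 4100 and the shell32 line are not from the report.
SAMPLE_EVENTS = [
    {"pid": 2060, "ppid": 1500, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL_PATH + ",#1"},
    {"pid": 3436, "ppid": 2060, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL_PATH + ",#1"},
    {"pid": 4100, "ppid": 800, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control
]

# Constructed proxy log; the two C2 URLs are taken from the report's config.
SAMPLE_PROXY_LOG = [
    "2022-01-21T23:06:10Z 10.0.0.5 POST http://pop.vicamtaynam.com/VtyiHAft 200",
    "2022-01-21T23:06:12Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2022-01-21T23:06:15Z 10.0.0.5 POST http://iconskw.com/cqdPtAbZ 404",
]
```

Matching on the hostname rather than the full URL is deliberate: the per-sample URI paths rotate between builds, while the compromised hosts tend to be reused, so a host match catches sibling samples that a full-URL match would miss. The process check keys on the parent/child rundll32 pair plus a Temp-directory DLL so that ordinary rundll32 control-panel launches (the shell32.dll event) do not fire.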