Analysis

  • max time kernel
    120s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 22:53

General

  • Target

    f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll

  • Size

    200KB

  • MD5

    513f7018d84e2c07071b861f0fef91a2

  • SHA1

    540676b81aff320e8d786c92572c5871edd11b21

  • SHA256

    f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb

  • SHA512

    7f3e44606a4c825943e0ac9dbd9fe76bef7879e3134188100aafcfe0d3cb716c82f20f3d004443542cfaf6990ffceb86bff116dd5f3f239750201a5dd1ce6412

Malware Config

Extracted

Family

squirrelwaffle

C2

http://hutraders.com/0eeUtmJf8O

http://goodartishard.com/0JXDM9kMwx

http://now.byteinsure.com/tnjUrmlhN

http://asceaub.com/Xl8UCLSU

http://colchonesmanzur.com/GjVgBnKaNIC

http://sistemasati.com/0SzGNkx6P

http://maldivehost.net/zLIisQRWZI9

http://lrdgon.org/l7r96tjAJ

http://binnawaz.com.pk/jhSZGWS76C

http://fhstorse.com/vJlgdjJnpIop

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

  • Squirrelwaffle Payload 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll,#1
      2⤵
        PID:1068

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1068-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

      Filesize

      8KB

    • memory/1068-55-0x0000000002040000-0x000000000605A000-memory.dmp

      Filesize

      64.1MB

    • memory/1068-56-0x0000000010000000-0x0000000014030000-memory.dmp

      Filesize

      64.2MB