Analysis
max time kernel: 144s
max time network: 143s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll
  Resource: win10-en-20211208
General
Target: f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll
Size: 200KB
MD5: 513f7018d84e2c07071b861f0fef91a2
SHA1: 540676b81aff320e8d786c92572c5871edd11b21
SHA256: f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb
SHA512: 7f3e44606a4c825943e0ac9dbd9fe76bef7879e3134188100aafcfe0d3cb716c82f20f3d004443542cfaf6990ffceb86bff116dd5f3f239750201a5dd1ce6412
Malware Config
Extracted family: squirrelwaffle
Signatures
SquirrelWaffle
SquirrelWaffle is a simple downloader written in C++.
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
Squirrelwaffle Payload (1 IoC)
resource: behavioral2/memory/2848-119-0x0000000010000000-0x0000000014030000-memory.dmp
yara_rule: squirrelwaffle

Blocklisted process makes network request (5 IoCs)
flow  pid   Process
19    2848  rundll32.exe
28    2848  rundll32.exe
32    2848  rundll32.exe
34    2848  rundll32.exe
36    2848  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 2780 wrote to memory of 2848   2780  rundll32.exe  68
PID 2780 wrote to memory of 2848   2780  rundll32.exe  68
PID 2780 wrote to memory of 2848   2780  rundll32.exe  68
Processes
- C:\Windows\system32\rundll32.exe (PID 2780)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2848, child of 2780)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1849e434ef586e5667211b35761490cb99d9f0f327380a8a60518537765a6bb.dll,#1
    Signatures: Blocklisted process makes network request