Analysis

Max time kernel: 142s
Max time network: 158s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 21-01-2022 22:55

Static task: static1

Behavioral task: behavioral1
  Sample: e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d.dll
  Resource: win10-en-20211208
General

Target: e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d.dll
Size: 261KB
MD5: 12bd6cc3f403abbb3c44e59924e36711
SHA1: 7c7c57c6bfd4d6f329c2609a82885234807d9a73
SHA256: e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d
SHA512: 0cb812d13eace00947ed4c9c4f1a328204cd22dfcb941b0491bf945f36ef94544e5fbe516c32b76ffeda838722700f7a1aa61d4fd6c274e80c022ec906ee53d2
Malware Config

Extracted family: squirrelwaffle
C2 URLs (as extracted from the sample):
http://acdlimited.com/2u6aW9Pfe
http://jornaldasoficinas.com/ZF8GKIGVDupL
http://orldofjain.com/lMsTA7tSYpe
http://altayaralsudani.net/SSUsPgb7PHgC
http://hoteloaktree.com/QthLWsZsVgb
http://aterwellnessinc.com/U7D0sswwp
http://sirifinco.com/Urbhq9wO50j
http://ordpress17.com/5WG6Z62sKWo
http://mohsinkhanfoundation.com/pcQLeLMbur
http://lendbiz.vn/xj3BhHtMbf
http://geosever.rs/ObHP1CHt
http://nuevainfotech.com/xCNyTjzkoe
http://dadabhoy.pk/m6rQE94U
http://111
http://sjgrand.lk/zvMYuQqEZj
http://erogholding.com/GFM1QcCFk
http://armordetailing.rs/lgfrZb4Re6WO
http://lefrenchwineclub.com/eRUGdDox
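The extracted C2 list above is what a responder turns into blocklist entries, but sandbox config extraction is not always clean: one entry, http://111, carries no usable hostname. The following Python is an added example (not part of the report or of any Triage tooling) that normalises the list exactly as shown above into a de-duplicated hostname blocklist, rejects entries without a plausible hostname, and renders a hosts-file style output. The sinkhole address and the validation rules are this example's own choices.

```python
from urllib.parse import urlsplit

# The C2 URLs exactly as the report's "Malware Config" section lists them.
# http://111 is kept on purpose so the validation below has something to reject.
EXTRACTED_C2_URLS = [
    "http://acdlimited.com/2u6aW9Pfe",
    "http://jornaldasoficinas.com/ZF8GKIGVDupL",
    "http://orldofjain.com/lMsTA7tSYpe",
    "http://altayaralsudani.net/SSUsPgb7PHgC",
    "http://hoteloaktree.com/QthLWsZsVgb",
    "http://aterwellnessinc.com/U7D0sswwp",
    "http://sirifinco.com/Urbhq9wO50j",
    "http://ordpress17.com/5WG6Z62sKWo",
    "http://mohsinkhanfoundation.com/pcQLeLMbur",
    "http://lendbiz.vn/xj3BhHtMbf",
    "http://geosever.rs/ObHP1CHt",
    "http://nuevainfotech.com/xCNyTjzkoe",
    "http://dadabhoy.pk/m6rQE94U",
    "http://111",
    "http://sjgrand.lk/zvMYuQqEZj",
    "http://erogholding.com/GFM1QcCFk",
    "http://armordetailing.rs/lgfrZb4Re6WO",
    "http://lefrenchwineclub.com/eRUGdDox",
]


def c2_hostnames(urls):
    """Return (valid_hosts, rejected_urls).

    valid_hosts is a sorted, de-duplicated list of lower-cased hostnames for a
    DNS or proxy blocklist. rejected_urls are entries that do not carry a
    plausible hostname: wrong scheme, no dot, empty label, or a last label that
    is not alphabetic (which also catches bare numbers such as "111").
    """
    valid, rejected = set(), []
    for url in urls:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        labels = host.split(".")
        if (parts.scheme not in ("http", "https")
                or len(labels) < 2
                or not all(labels)
                or not labels[-1].isalpha()):
            rejected.append(url)
            continue
        valid.add(host)
    return sorted(valid), rejected


def blocklist_lines(urls, sinkhole="0.0.0.0"):
    """Render the valid hostnames as hosts-file lines pointing at a sinkhole."""
    hosts, _ = c2_hostnames(urls)
    return [f"{sinkhole} {h}" for h in hosts]


if __name__ == "__main__":
    hosts, bad = c2_hostnames(EXTRACTED_C2_URLS)
    print(f"{len(hosts)} hostnames, {len(bad)} rejected: {bad}")
    print("\n".join(blocklist_lines(EXTRACTED_C2_URLS)))
```

Keep the full URLs alongside the hostname list: a loader's C2 hosts are often compromised third-party web servers, so a proxy that can block on the exact path is less disruptive than a domain-wide block.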
Signatures

SquirrelWaffle
SquirrelWaffle is a simple downloader written in C++.

Squirrelwaffle Payload (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3280-116-0x0000000010000000-0x0000000010010000-memory.dmp  squirrelwaffle
behavioral2/memory/3280-117-0x0000000010000000-0x00000000100D6000-memory.dmp  squirrelwaffle

Blocklisted process makes network request (4 IoCs)
flow  pid   Process
28    3280  rundll32.exe
47    3280  rundll32.exe
51    3280  rundll32.exe
57    3280  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 3912 wrote to memory of 3280   3912  rundll32.exe  69
PID 3912 wrote to memory of 3280   3912  rundll32.exe  69
PID 3912 wrote to memory of 3280   3912  rundll32.exe  69
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d.dll,#1
  PID: 3912
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d.dll,#1
    PID: 3280
    Signatures: Blocklisted process makes network request
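The process tree is the detectable part of this run: the 64-bit rundll32.exe in System32 is asked to load a DLL from the user's %TEMP% by export ordinal (#1), hands the 32-bit DLL off to its SysWOW64 counterpart with identical arguments (the step that trips the WriteProcessMemory signature on PID 3912), and the child (PID 3280) is the one that talks to the network. The Python below is an added example, not code from the sandbox or from the report, that scores that pattern over process-creation and network events. The event records are constructed here in a Sysmon-like shape (a benign rundll32 invocation is included as a control), and the field names, weights and path list are this example's assumptions.

```python
import re

# Constructed events modelled on the report's process tree (PIDs 3912 -> 3280).
# Field names imitate Sysmon Event ID 1 (ProcessCreate) and 3 (NetworkConnect);
# the records themselves are made up for this example.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\e9351a0fff4822696aee8aae560d01b10305dc4f150ec7fa8e0326d2e9eb8f4d.dll")

EVENTS = [
    {"type": "process", "pid": 3912, "ppid": 2000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process", "pid": 3280, "ppid": 3912,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "network", "pid": 3280, "dst": "acdlimited.com", "dport": 80},
    # Benign control: rundll32 calling a named export of a DLL under System32.
    {"type": "process", "pid": 4100, "ppid": 2000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
    {"type": "network", "pid": 4100, "dst": "10.0.0.5", "dport": 445},
]

# rundll32[.exe] <dll>,<entry>   where <entry> is an export name or "#ordinal".
RUNDLL32_ARGS = re.compile(
    r'^\s*"?(?:[^"\s\\]*\\)*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)

# Directories an unprivileged user can write to; lower-case substrings of the DLL path.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
                 r"\programdata", r"\downloads")

# Weights are this example's choice: a DLL from a user-writable path alone is
# enough to alert; ordinal entry, rundll32 re-launch and network add context.
WEIGHTS = {
    "dll loaded from user-writable path": 3,
    "export referenced by ordinal": 1,
    "re-launched by rundll32 parent with identical arguments (64->32-bit hand-off)": 1,
    "makes outbound network connection": 1,
}
ALERT_THRESHOLD = 3


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL32_ARGS.match(cmdline or "")
    return (m.group("dll"), m.group("entry")) if m else None


def detect(events):
    """Score every rundll32 process; return {pid: {"score": int, "reasons": [...]}}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net_pids = {e["pid"] for e in events if e["type"] == "network"}
    findings = {}
    for pid, ev in procs.items():
        if not ev["image"].lower().endswith(r"\rundll32.exe"):
            continue
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None:
            continue
        dll, entry = parsed
        reasons = []
        if any(d in dll.lower() for d in USER_WRITABLE):
            reasons.append("dll loaded from user-writable path")
        if entry.startswith("#"):
            reasons.append("export referenced by ordinal")
        parent = procs.get(ev["ppid"])
        if (parent and parent["image"].lower().endswith(r"\rundll32.exe")
                and parent["cmdline"] == ev["cmdline"]):
            reasons.append("re-launched by rundll32 parent with identical arguments (64->32-bit hand-off)")
        if pid in net_pids:
            reasons.append("makes outbound network connection")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            findings[pid] = {"score": score, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(detect(EVENTS).items()):
        print(f"PID {pid}: score {f['score']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

The parent PID 3912 alerts on the path and ordinal alone, before any network activity, which is the point at which a host-based response can still stop the download; the child carries the full score. Ordinal exports are also used by legitimate software, so they are weighted as context rather than as a trigger on their own.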