Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 23:02

General

  • Target

    e0bf0ac97cac5a4bffa907ebd81bcb687904f42a600b87ecb0e73bd808c7701a.dll

  • Size

    269KB

  • MD5

    a51ca1527549bfb42ac08e5ad0bb10a6

  • SHA1

    4d4e0f43435052113d12d06504417a3b58ba44d9

  • SHA256

    e0bf0ac97cac5a4bffa907ebd81bcb687904f42a600b87ecb0e73bd808c7701a

  • SHA512

    eab406ff74aae30d57de51ddd8a520db6ea4dfdf868526dc0c8b83b04d547401dab99d37dc118e5060a68c5dd6e2ea95f2d46b54916d6277a4929e053b8ad926

Malware Config

Extracted

Family

squirrelwaffle

C2

http://deanandwilconstruction.com/UXEvfuIlhws

http://arimeto.lv/Nm70oAfwB

http://gitamschool.com/oZbs0Oqw7uv

http://eresourcesmoneymarket.com/JbVwdgaV6l

http://flyershipmanager.com/SGAsORYsywt

Attributes
  • blocklist

    94.46.179.80

    206.189.205.251

    88.242.66.45

    85.75.110.214

    87.104.3.136

    207.244.91.171

    49.230.88.160

    91.149.252.75

    91.149.252.88

    92.211.109.152

    178.0.250.168

    88.69.16.230

    95.223.77.160

    99.234.62.23

    2.206.105.223

    84.222.8.201

    89.183.239.142

    5.146.132.101

    77.7.60.154

    45.41.106.122

    45.74.72.13

    74.58.152.123

    88.87.68.197

    109.70.100.25

    185.67.82.114

    207.102.138.19

    204.101.161.14

    193.128.108.251

    111.7.100.17

    111.7.100.16

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

  • Squirrelwaffle Payload 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0bf0ac97cac5a4bffa907ebd81bcb687904f42a600b87ecb0e73bd808c7701a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0bf0ac97cac5a4bffa907ebd81bcb687904f42a600b87ecb0e73bd808c7701a.dll,#1
      2⤵
        PID:308

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/308-54-0x0000000076491000-0x0000000076493000-memory.dmp

      Filesize

      8KB

    • memory/308-55-0x0000000000120000-0x000000000013E000-memory.dmp

      Filesize

      120KB

    • memory/308-56-0x0000000010000000-0x0000000010044000-memory.dmp

      Filesize

      272KB