Analysis
- max time kernel: 134s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:20
Static task: static1
Behavioral task: behavioral1
- Sample: aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0.dll
- Resource: win10-en-20211208
General
- Target: aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0.dll
- Size: 318KB
- MD5: 18e015758c96c940e1303d0be78d7630
- SHA1: b3548fedf1fe5cdfc143fec47fca3fdedf1ec312
- SHA256: aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0
- SHA512: 8f7cf002d255ee20be5924be50c6e263a9cddc34d0c479a9ab0a3860b5ad4c114979bf7922ae755094a23546dd0f21f1d759742e3d8758cf987d67af4f47b6b0
Malware Config
- Extracted: squirrelwaffle
- URLs:
http://atertreat.in/5iPPVRKPPX9
http://incentivaconsultores.com.co/55jHpKCc9DWy
http://cdelean.org/0qvbbmu9g
http://bazy.ps/M6SjrMSYC
http://sukmabali.com/ZXxcLYs3rzRQ
http://bugwilliam.tk/cbB56YrugdbW
http://bestbeatsgh.com/42D7OwuPen
http://krumaila.com/UZ4NdDoDh4Tu
http://razehub.com/NN70nExbtLO
http://arcb.ro/aHUUNxE3Me5
http://cfmi.tg/m40YS6gDO0
http://sweetlittle.mx/ZCXP0dT2h
http://alkimia-prod.com/nT0imyzmo
http://almexperts.co.za/fEoJ3pdWZbF
Signatures
- SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
- suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
Squirrelwaffle Payload (1 IoC)
resource                                                                    | yara_rule
behavioral2/memory/2656-119-0x0000000010000000-0x000000001004D000-memory.dmp | squirrelwaffle
Blocklisted process makes network request (5 IoCs)
flow | pid  | process
19   | 2656 | rundll32.exe
25   | 2656 | rundll32.exe
28   | 2656 | rundll32.exe
30   | 2656 | rundll32.exe
32   | 2656 | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                      | pid  | process      | target process
PID 2468 wrote to memory of 2656 | 2468 | rundll32.exe | rundll32.exe
PID 2468 wrote to memory of 2656 | 2468 | rundll32.exe | rundll32.exe
PID 2468 wrote to memory of 2656 | 2468 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, child of the above)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0.dll,#1
    - Blocklisted process makes network request

The 64-bit rundll32.exe in system32 (PID 2468 in the tables above) hands the DLL to the 32-bit rundll32.exe in SysWOW64 (PID 2656). It is that 32-bit child, not the parent, whose memory matches the squirrelwaffle YARA rule and which makes the five flagged network requests; the DLL is invoked by ordinal (#1) from the user's Temp directory.
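The report's findings can be turned into detection logic: the extracted URL list (host plus path) matched against a proxy log, and the process tree pattern of rundll32.exe spawning a second rundll32.exe for the same Temp-directory DLL loaded by ordinal, with the child making network requests. The following Python is an added example written for this page; it is not part of the sandbox report or of the SquirrelWaffle sample. The proxy log lines, the process and network events, their field names (pid, ppid, image, cmdline, dest) and the log format are constructed assumptions modelled on the report; the URL list, PIDs and DLL path are those the report shows.

```python
# Added example: detection helpers built from the IOCs in this report.
# Log lines and events below are constructed; the URL list comes from the report.
import re
from urllib.parse import urlparse

# URLs the sandbox extracted from the sample's configuration.
SQUIRRELWAFFLE_URLS = [
    "http://atertreat.in/5iPPVRKPPX9",
    "http://incentivaconsultores.com.co/55jHpKCc9DWy",
    "http://cdelean.org/0qvbbmu9g",
    "http://bazy.ps/M6SjrMSYC",
    "http://sukmabali.com/ZXxcLYs3rzRQ",
    "http://bugwilliam.tk/cbB56YrugdbW",
    "http://bestbeatsgh.com/42D7OwuPen",
    "http://krumaila.com/UZ4NdDoDh4Tu",
    "http://razehub.com/NN70nExbtLO",
    "http://arcb.ro/aHUUNxE3Me5",
    "http://cfmi.tg/m40YS6gDO0",
    "http://sweetlittle.mx/ZCXP0dT2h",
    "http://alkimia-prod.com/nT0imyzmo",
    "http://almexperts.co.za/fEoJ3pdWZbF",
]


def url_iocs(urls):
    """Index the IOC list as {host: {path, ...}}; host plus exact path is stronger than host alone."""
    index = {}
    for url in urls:
        parts = urlparse(url)
        index.setdefault(parts.hostname.lower(), set()).add(parts.path)
    return index


# Constructed proxy log (assumed format): "<epoch> <client> <method> <url> <status>".
PROXY_LOG = """\
1642807200 10.0.0.5 GET http://www.example.com/ 200
1642807201 10.0.0.5 POST http://atertreat.in/5iPPVRKPPX9 200
1642807202 10.0.0.7 POST http://CDELEAN.org/0qvbbmu9g 200
1642807203 10.0.0.9 GET http://atertreat.in/index.html 404
"""
PROXY_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_proxy_log(log_text, index):
    """Return (client, method, url, confidence) for every line that touches an IOC host."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        parts = urlparse(m["url"])
        host = (parts.hostname or "").lower()   # urlparse lowercases hostnames; be explicit anyway
        if host not in index:
            continue
        confidence = "exact-url" if parts.path in index[host] else "host-only"
        hits.append((m["client"], m["method"], m["url"], confidence))
    return hits


# Constructed process-creation and network events (assumed field names), modelled on the
# report: 64-bit rundll32 (PID 2468) spawns 32-bit rundll32 (PID 2656) for the same DLL.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\aa3ff385ea80149fddbc8dbec7b7a5cd4071da3dc6133dbe35efdc33a6db06b0.dll")
PROCESS_EVENTS = [
    {"pid": 2468, "ppid": 1100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 2656, "ppid": 2468, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    # Benign control-panel launch: rundll32 with a system DLL and no rundll32 parent.
    {"pid": 3012, "ppid": 1100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]
NETWORK_EVENTS = [{"pid": 2656, "dest": "atertreat.in"}, {"pid": 2656, "dest": "cdelean.org"}]
RUNDLL32_CMD_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def suspicious_rundll32(procs, net_events):
    """Flag rundll32 processes showing at least two of: DLL from the user's Temp dir loaded
    by ordinal, a rundll32 parent with the same command line, outbound network activity."""
    by_pid = {p["pid"]: p for p in procs}
    net_pids = {n["pid"] for n in net_events}
    flagged = {}
    for p in procs:
        if not is_rundll32(p["image"]):
            continue
        reasons = []
        m = RUNDLL32_CMD_RE.search(p["cmdline"])
        if m and USER_TEMP_RE.search(m["dll"]) and m["export"].startswith("#"):
            reasons.append("temp-dll-ordinal-export")
        parent = by_pid.get(p["ppid"])
        if parent and is_rundll32(parent["image"]) and parent["cmdline"] == p["cmdline"]:
            reasons.append("rundll32-respawns-itself")
        if p["pid"] in net_pids:
            reasons.append("network-activity")
        if len(reasons) >= 2:
            flagged[p["pid"]] = reasons
    return flagged
```

On the constructed data, match_proxy_log reports the two POSTs as exact-url hits and the GET to atertreat.in/index.html as host-only, and suspicious_rundll32 flags only PID 2656 (all three reasons); the 64-bit parent PID 2468 scores a single reason and the benign shell32.dll launch none. Requiring two reasons is a tuning choice for this example: rundll32 loading a DLL from Temp on its own is worth a hunt, but on its own it is also the noisiest of the three signals.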