Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21/01/2022, 23:49
Static task: static1
Behavioral task: behavioral1
- Sample: 5970db6c0bdefe4bf0a991c0c8c67633c5cc44af5a3203b709c242c8460a782e.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 5970db6c0bdefe4bf0a991c0c8c67633c5cc44af5a3203b709c242c8460a782e.dll
- Resource: win10-en-20211208
General
- Target: 5970db6c0bdefe4bf0a991c0c8c67633c5cc44af5a3203b709c242c8460a782e.dll
- Size: 256KB
- MD5: 99fcd17998659990b15b77423e7fc580
- SHA1: a78884c01f5188f0eb12eeb19bae04ace2348686
- SHA256: 5970db6c0bdefe4bf0a991c0c8c67633c5cc44af5a3203b709c242c8460a782e
- SHA512: b5d88e7093fd72bae36ffb9e46727821049988ea16403c1899143d37f080399874726ae875f0ceb6f3d92e87c0421b018ce07258f07265644fe0493c5f2b8bb8
Malware Config
- Extracted family: squirrelwaffle (C2 URL list extracted from the sample)
Signatures
- SquirrelWaffle
  SquirrelWaffle is a simple downloader written in C++.
- Squirrelwaffle Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1108-58-0x0000000010000000-0x0000000010010000-memory.dmp   squirrelwaffle
  behavioral1/memory/1108-59-0x0000000010000000-0x00000000100D6000-memory.dmp   squirrelwaffle
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process        procid_target
  PID 864 wrote to memory of 1108    864   rundll32.exe   27
  (the same event is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5970db6c0bdefe4bf0a991c0c8c67633c5cc44af5a3203b709c242c8460a782e.dll,#1
  PID: 864
  Signature hit: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5970db6c0bdefe4bf0a991c0c8c67633c5cc44af5a3203b709c242c8460a782e.dll,#1
    PID: 1108