Analysis

max time kernel: 139s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 15:38
Static task: static1

Behavioral task: behavioral1
  Sample: 309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll
  Resource: win10-en-20211208
General

Target: 309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll
Size: 235KB
MD5: 7d00207e3d8c2c562ab3d3bfd8a71fe2
SHA1: 1529d54632c0289440154c6f11e2730e609a0663
SHA256: 309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd
SHA512: 06d9632cd00e3f2ec168a3b0c6327d6ec70f40b75607234e71bd09b7b7bec30995ee8d1733e5cd13ead2f343b33e21ac673dea06773b043c32361468212ee979
Malware Config

Extracted: squirrelwaffle (C2 URL list)
http://acdlimited.com/2u6aW9Pfe
http://jornaldasoficinas.com/ZF8GKIGVDupL
http://orldofjain.com/lMsTA7tSYpe
http://altayaralsudani.net/SSUsPgb7PHgC
http://hoteloaktree.com/QthLWsZsVgb
http://aterwellnessinc.com/U7D0sswwp
http://sirifinco.com/Urbhq9wO50j
http://ordpress17.com/5WG6Z62sKWo
http://mohsinkhanfoundation.com/pcQLeLMbur
http://lendbiz.vn/xj3BhHtMbf
http://geosever.rs/ObHP1CHt
http://nuevainfotech.com/xCNyTjzkoe
http://dadabhoy.pk/m6rQE94U
http://111
http://sjgrand.lk/zvMYuQqEZj
http://erogholding.com/GFM1QcCFk
http://armordetailing.rs/lgfrZb4Re6WO
http://lefrenchwineclub.com/eRUGdDox
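The extracted list above is what an analyst would feed into blocklists and network signatures, but it needs cleaning first: one entry, http://111, has no usable host or path. The script below is an added example for this report, not code from the sandbox or from the malware. It copies the URL list from the config above, rejects entries that cannot be matched on host or URI (scheme not http/https, host without a dot, empty path), de-duplicates hosts, and emits one Suricata rule per C2 path that keys on the POST check-in. The validation rules, the rule template and the SID range are this script's own assumptions, not anything the report states.

```python
"""Turn the extracted SquirrelWaffle C2 list into usable IOCs.

Added example for this report; not code from the sandbox or the malware.
The URL list is copied from the extracted config above. The validation
rules and the Suricata rule template are this script's own assumptions.
"""
from urllib.parse import urlsplit

# Copied verbatim from the extracted config; "http://111" is kept on purpose
# so the validator has a malformed entry to reject.
EXTRACTED_C2_URLS = [
    "http://acdlimited.com/2u6aW9Pfe",
    "http://jornaldasoficinas.com/ZF8GKIGVDupL",
    "http://orldofjain.com/lMsTA7tSYpe",
    "http://altayaralsudani.net/SSUsPgb7PHgC",
    "http://hoteloaktree.com/QthLWsZsVgb",
    "http://aterwellnessinc.com/U7D0sswwp",
    "http://sirifinco.com/Urbhq9wO50j",
    "http://ordpress17.com/5WG6Z62sKWo",
    "http://mohsinkhanfoundation.com/pcQLeLMbur",
    "http://lendbiz.vn/xj3BhHtMbf",
    "http://geosever.rs/ObHP1CHt",
    "http://nuevainfotech.com/xCNyTjzkoe",
    "http://dadabhoy.pk/m6rQE94U",
    "http://111",
    "http://sjgrand.lk/zvMYuQqEZj",
    "http://erogholding.com/GFM1QcCFk",
    "http://armordetailing.rs/lgfrZb4Re6WO",
    "http://lefrenchwineclub.com/eRUGdDox",
]


def normalize_c2(urls):
    """Split a raw config list into (valid, rejected).

    valid: list of (host, path) tuples, duplicate hosts dropped.
    rejected: raw entries with no http(s) scheme, a host without a dot,
    or an empty path; those cannot become a host or URI match.
    """
    valid, rejected, seen = [], [], set()
    for raw in urls:
        parts = urlsplit(raw.strip())
        host = (parts.hostname or "").lower()
        path = parts.path
        if (parts.scheme not in ("http", "https")
                or "." not in host or not path.strip("/")):
            rejected.append(raw)
            continue
        if host in seen:
            continue
        seen.add(host)
        valid.append((host, path))
    return valid, rejected


def c2_hosts(urls=EXTRACTED_C2_URLS):
    """Sorted unique hostnames, suitable for a DNS or proxy blocklist."""
    return sorted(host for host, _ in normalize_c2(urls)[0])


def suricata_rules(urls=EXTRACTED_C2_URLS, sid_start=9000001):
    """One Suricata rule per C2 entry, matching the POST check-in on host + URI.

    Uses Suricata 5+ sticky buffers (http.method / http.host / http.uri).
    sid_start is an arbitrary local SID range (assumption, adjust to taste).
    """
    rules = []
    for i, (host, path) in enumerate(normalize_c2(urls)[0]):
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"LOCAL SquirrelWaffle C2 POST to {host}"; '
            'flow:established,to_server; '
            'http.method; content:"POST"; '
            f'http.host; content:"{host}"; '
            f'http.uri; content:"{path}"; '
            f'classtype:trojan-activity; sid:{sid_start + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    hosts = c2_hosts()
    _, bad = normalize_c2(EXTRACTED_C2_URLS)
    print(f"{len(hosts)} hosts, {len(bad)} rejected: {bad}")
    print("\n".join(suricata_rules()))
```

The host match is deliberately exact rather than a substring so that a rule for `sjgrand.lk` does not also fire on an unrelated longer hostname; the URI match is the random path token, which is the most specific part of each entry and the part the ET "Loader Activity (POST)" signature cannot know in advance.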
Signatures

SquirrelWaffle (family): SquirrelWaffle is a simple downloader written in C++.

suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

Squirrelwaffle Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2400-116-0x0000000010000000-0x0000000010010000-memory.dmp  squirrelwaffle
  behavioral2/memory/2400-117-0x0000000010000000-0x00000000100D6000-memory.dmp  squirrelwaffle

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  29    2400  rundll32.exe
  34    2400  rundll32.exe
  35    2400  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 3156 wrote to memory of 2400  3156  rundll32.exe  69
  PID 3156 wrote to memory of 2400  3156  rundll32.exe  69
  PID 3156 wrote to memory of 2400  3156  rundll32.exe  69
Processes

1. C:\Windows\system32\rundll32.exe (PID 3156)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2400, child of 3156)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll,#1
      - Blocklisted process makes network request
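The tree above is the classic shape of a 32-bit loader DLL on 64-bit Windows: the 64-bit rundll32 in system32 is handed the DLL, re-launches the SysWOW64 rundll32 with the same command line (hence the WriteProcessMemory hit from 3156 into 2400), and the child then calls export ordinal #1 and goes out to the network. The 0x10000000 base in the yara memory hits is consistent with a 32-bit DLL. The script below is an added example for this report, not sandbox or vendor code; it runs a detection for that chain over Sysmon-style events constructed here to mirror the process tree (the parent of 3156, its PID 1234, the destination host and the benign control process are placeholders, not values from the report). Three signals are scored: a DLL loaded from %TEMP% by ordinal, a system32 rundll32 spawning a SysWOW64 rundll32, and a network connection from that rundll32.

```python
"""Detect the rundll32 -> SysWOW64 rundll32 -> network chain from the tree above.

Added example for this report, not sandbox or vendor code. Events are
constructed here in a simplified Sysmon-like dict form (EventID 1 = process
create, EventID 3 = network connect). Field names follow Sysmon; the parent
of 3156, the destination host and the benign control row are assumptions.
"""
import re

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll")

# rundll32 given a DLL under AppData\Local\Temp and told to call an export by
# ordinal (",#N"). Legitimate rundll32 use almost always names the export.
TEMP_DLL_BY_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\AppData\\Local\\Temp\\[^\s,]+\.dll\s*,\s*#\d+",
    re.IGNORECASE,
)

# Constructed events modelled on the report's process tree.
EVENTS = [
    {"EventID": 1, "ProcessId": 3156, "ParentProcessId": 1234,   # parent: placeholder
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",                  # assumption
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"EventID": 1, "ProcessId": 2400, "ParentProcessId": 3156,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"EventID": 3, "ProcessId": 2400,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationHostname": "acdlimited.com",                     # from the config list
     "DestinationPort": 80},
    # Benign control: rundll32 loading a system DLL by export name, no network.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1234,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]


def detect(events):
    """Map each suspicious rundll32 PID to the sorted list of reasons it fired.

    A rundll32 with no reason (system DLL, named export, no network) is omitted.
    """
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    net_pids = {e["ProcessId"] for e in events if e["EventID"] == 3}
    findings = {}
    for pid, ev in procs.items():
        image = ev["Image"].lower()
        if not image.endswith("\\rundll32.exe"):
            continue
        reasons = []
        if TEMP_DLL_BY_ORDINAL.search(ev["CommandLine"]):
            reasons.append("temp-dll-by-ordinal")
        parent = procs.get(ev["ParentProcessId"])
        # 64-bit rundll32 relaunching the 32-bit copy for a 32-bit DLL.
        if (image.endswith("\\syswow64\\rundll32.exe") and parent is not None
                and parent["Image"].lower().endswith("\\system32\\rundll32.exe")):
            reasons.append("wow64-rundll32-hop")
        if pid in net_pids:
            reasons.append("network-from-rundll32")
        if reasons:
            findings[pid] = sorted(reasons)
    return findings


def severity(reasons):
    """Temp DLL + network is the loader check-in; temp DLL alone is worth a look;
    a bare network connection from rundll32 is too common to page on."""
    if "temp-dll-by-ordinal" in reasons and "network-from-rundll32" in reasons:
        return "high"
    if "temp-dll-by-ordinal" in reasons:
        return "medium"
    return "low"


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(f"pid {pid}: {severity(reasons)} {reasons}")
```

Run against the constructed events, 2400 scores high (all three signals), 3156 scores medium (it loaded the Temp DLL by ordinal but never touched the network itself), and the control process is silent. The ordinal regex is the part worth tuning in production: some installers do call exports by ordinal, so pair it with the Temp path as shown rather than alerting on ",#N" alone.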