Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 15:38

General

  • Target

    309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll

  • Size

    235KB

  • MD5

    7d00207e3d8c2c562ab3d3bfd8a71fe2

  • SHA1

    1529d54632c0289440154c6f11e2730e609a0663

  • SHA256

    309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd

  • SHA512

    06d9632cd00e3f2ec168a3b0c6327d6ec70f40b75607234e71bd09b7b7bec30995ee8d1733e5cd13ead2f343b33e21ac673dea06773b043c32361468212ee979

Malware Config

Extracted

Family

squirrelwaffle

C2

http://acdlimited.com/2u6aW9Pfe

http://jornaldasoficinas.com/ZF8GKIGVDupL

http://orldofjain.com/lMsTA7tSYpe

http://altayaralsudani.net/SSUsPgb7PHgC

http://hoteloaktree.com/QthLWsZsVgb

http://aterwellnessinc.com/U7D0sswwp

http://sirifinco.com/Urbhq9wO50j

http://ordpress17.com/5WG6Z62sKWo

http://mohsinkhanfoundation.com/pcQLeLMbur

http://lendbiz.vn/xj3BhHtMbf

http://geosever.rs/ObHP1CHt

http://nuevainfotech.com/xCNyTjzkoe

http://dadabhoy.pk/m6rQE94U

http://111

http://sjgrand.lk/zvMYuQqEZj

http://erogholding.com/GFM1QcCFk

http://armordetailing.rs/lgfrZb4Re6WO

http://lefrenchwineclub.com/eRUGdDox

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

  • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

  • Squirrelwaffle Payload 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\309252610b617ea7a4ae736381f6364c6bb154ce81ce0883c69ca98a284943bd.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:2400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2400-115-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/2400-116-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/2400-117-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/2400-118-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB