Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2023, 03:26 UTC

General

  • Target

    6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll

  • Size

    235KB

  • MD5

    8e37795097400f6a609525749d154cd0

  • SHA1

    8e1502c2aa56e6a8c7c1d2c75f3946332a5bb8c0

  • SHA256

    6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b

  • SHA512

    c7453b8f50e557a5990ac3708931845eeb6dc2992cd907d5534733524f523226d8d013be6e09bb2b5210f6f5ad2303625f8998a5111d3b0925bb4228b6c9152a

  • SSDEEP

    3072:CmmeuJ6jkhHVFpvq69D6UkqGFpMdsiOXdaygQ6YToG+rt:BmRJAkbFJqVvBpMZOcQ3Gt

Malware Config

Extracted

Family

squirrelwaffle

C2


Signatures

  • SquirrelWaffle is a simple downloader written in C++.

  • Squirrelwaffle payload 5 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1144

Network

  • flag-us
    DNS
    1.202.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.202.248.87.in-addr.arpa
    IN PTR
    Response
    1.202.248.87.in-addr.arpa
    IN PTR
    https-87-248-202-1amsllnwnet
  • flag-us
    DNS
    45.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.8.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    altayaralsudani.net
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    altayaralsudani.net
    IN A
    Response
    altayaralsudani.net
    IN A
    166.62.27.56
  • flag-sg
    POST
    http://altayaralsudani.net/SSUsPgb7PHgC/OQsaDixzHTgtfjMcGypGenplfX18ZHtifnJ6
    rundll32.exe
    Remote address:
    166.62.27.56:80
    Request
    POST /SSUsPgb7PHgC/OQsaDixzHTgtfjMcGypGenplfX18ZHtifnJ6 HTTP/1.1
    Host: altayaralsudani.net
    Content-Length: 80
    Response
    HTTP/1.1 302 Found
    Date: Mon, 26 Jun 2023 03:27:55 GMT
    Server: Apache
    Location: http://altayaralsudani.net/cgi-sys/suspendedpage.cgi
    Content-Length: 236
    Content-Type: text/html; charset=iso-8859-1
  • flag-us
    DNS
    56.27.62.166.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.27.62.166.in-addr.arpa
    IN PTR
    Response
    56.27.62.166.in-addr.arpa
    IN PTR
    562762166host secureservernet
  • flag-us
    DNS
    hoteloaktree.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    hoteloaktree.com
    IN A
    Response
    hoteloaktree.com
    IN A
    172.105.33.133
  • flag-in
    POST
    http://hoteloaktree.com/QthLWsZsVgb/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6eHxif2V7cnw=
    rundll32.exe
    Remote address:
    172.105.33.133:80
    Request
    POST /QthLWsZsVgb/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6eHxif2V7cnw= HTTP/1.1
    Host: hoteloaktree.com
    Content-Length: 80
    Response
    HTTP/1.1 404 Not Found
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1238
    date: Mon, 26 Jun 2023 03:28:20 GMT
    server: LiteSpeed
  • flag-us
    DNS
    133.33.105.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.33.105.172.in-addr.arpa
    IN PTR
    Response
    133.33.105.172.in-addr.arpa
    IN PTR
    inpro1fcometcom
  • flag-us
    DNS
    aterwellnessinc.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    aterwellnessinc.com
    IN A
    Response
  • flag-us
    DNS
    sirifinco.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    sirifinco.com
    IN A
    Response
  • flag-us
    DNS
    ordpress17.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    ordpress17.com
    IN A
    Response
  • flag-us
    DNS
    mohsinkhanfoundation.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    mohsinkhanfoundation.com
    IN A
    Response
    mohsinkhanfoundation.com
    IN A
    208.109.225.113
  • flag-us
    POST
    http://mohsinkhanfoundation.com/pcQLeLMbur/fXMKNg0nKzN/DA15DggBI0N6fGF6eHxif2V7cnw=
    rundll32.exe
    Remote address:
    208.109.225.113:80
    Request
    POST /pcQLeLMbur/fXMKNg0nKzN/DA15DggBI0N6fGF6eHxif2V7cnw= HTTP/1.1
    Host: mohsinkhanfoundation.com
    Content-Length: 80
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 26 Jun 2023 03:28:44 GMT
    Server: Apache
    X-Powered-By: Express, Phusion Passenger 6.0.7
    Access-Control-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'none'
    Upgrade: h2,h2c
    Content-Length: 191
    Status: 404 Not Found
    Vary: Accept-Encoding
    Content-Type: text/html; charset=utf-8
  • flag-us
    DNS
    113.225.109.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.225.109.208.in-addr.arpa
    IN PTR
    Response
    113.225.109.208.in-addr.arpa
    IN PTR
    113225109208host secureservernet
  • flag-us
    DNS
    sirifinco.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    sirifinco.com
    IN A
    Response
  • flag-us
    DNS
    ordpress17.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    ordpress17.com
    IN A
    Response
  • flag-us
    POST
    http://mohsinkhanfoundation.com/pcQLeLMbur/eDkkAA0bInx9Rnp6ZX19fGR7Yn5yeg==
    rundll32.exe
    Remote address:
    208.109.225.113:80
    Request
    POST /pcQLeLMbur/eDkkAA0bInx9Rnp6ZX19fGR7Yn5yeg== HTTP/1.1
    Host: mohsinkhanfoundation.com
    Content-Length: 80
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 26 Jun 2023 03:29:09 GMT
    Server: Apache
    X-Powered-By: Express, Phusion Passenger 6.0.7
    Access-Control-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'none'
    Upgrade: h2,h2c
    Content-Length: 183
    Status: 404 Not Found
    Vary: Accept-Encoding
    Content-Type: text/html; charset=utf-8
  • 20.42.73.27:443
    322 B
    7
  • 192.229.221.95:80
    322 B
    7
  • 166.62.27.56:80
    altayaralsudani.net
    http
    rundll32.exe
    429 B
    613 B
    5
    4

    HTTP Request

    POST http://altayaralsudani.net/SSUsPgb7PHgC/OQsaDixzHTgtfjMcGypGenplfX18ZHtifnJ6

    HTTP Request

    HTTP Response

    302
  • 172.105.33.133:80
    hoteloaktree.com
    http
    rundll32.exe
    475 B
    1.7kB
    6
    5

    HTTP Request

    POST http://hoteloaktree.com/QthLWsZsVgb/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6eHxif2V7cnw=

    HTTP Request

    HTTP Response

    404
  • 208.109.225.113:80
    mohsinkhanfoundation.com
    http
    rundll32.exe
    436 B
    724 B
    5
    4

    HTTP Request

    POST http://mohsinkhanfoundation.com/pcQLeLMbur/fXMKNg0nKzN/DA15DggBI0N6fGF6eHxif2V7cnw=

    HTTP Request

    HTTP Response

    404
  • 208.109.225.113:80
    mohsinkhanfoundation.com
    http
    rundll32.exe
    428 B
    716 B
    5
    4

    HTTP Request

    POST http://mohsinkhanfoundation.com/pcQLeLMbur/eDkkAA0bInx9Rnp6ZX19fGR7Yn5yeg==

    HTTP Request

    HTTP Response

    404
  • 8.8.8.8:53
    1.202.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    1.202.248.87.in-addr.arpa

  • 8.8.8.8:53
    45.8.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    45.8.109.52.in-addr.arpa

  • 8.8.8.8:53
    altayaralsudani.net
    dns
    rundll32.exe
    65 B
    81 B
    1
    1

    DNS Request

    altayaralsudani.net

    DNS Response

    166.62.27.56

  • 8.8.8.8:53
    56.27.62.166.in-addr.arpa
    dns
    71 B
    119 B
    1
    1

    DNS Request

    56.27.62.166.in-addr.arpa

  • 8.8.8.8:53
    hoteloaktree.com
    dns
    rundll32.exe
    62 B
    78 B
    1
    1

    DNS Request

    hoteloaktree.com

    DNS Response

    172.105.33.133

  • 8.8.8.8:53
    133.33.105.172.in-addr.arpa
    dns
    73 B
    104 B
    1
    1

    DNS Request

    133.33.105.172.in-addr.arpa

  • 8.8.8.8:53
    aterwellnessinc.com
    dns
    rundll32.exe
    65 B
    138 B
    1
    1

    DNS Request

    aterwellnessinc.com

  • 8.8.8.8:53
    sirifinco.com
    dns
    rundll32.exe
    59 B
    132 B
    1
    1

    DNS Request

    sirifinco.com

  • 8.8.8.8:53
    ordpress17.com
    dns
    rundll32.exe
    60 B
    133 B
    1
    1

    DNS Request

    ordpress17.com

  • 8.8.8.8:53
    mohsinkhanfoundation.com
    dns
    rundll32.exe
    70 B
    86 B
    1
    1

    DNS Request

    mohsinkhanfoundation.com

    DNS Response

    208.109.225.113

  • 8.8.8.8:53
    113.225.109.208.in-addr.arpa
    dns
    74 B
    125 B
    1
    1

    DNS Request

    113.225.109.208.in-addr.arpa

  • 8.8.8.8:53
    sirifinco.com
    dns
    rundll32.exe
    59 B
    132 B
    1
    1

    DNS Request

    sirifinco.com

  • 8.8.8.8:53
    ordpress17.com
    dns
    rundll32.exe
    60 B
    133 B
    1
    1

    DNS Request

    ordpress17.com


Downloads

  • memory/1144-133-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/1144-134-0x0000000001070000-0x0000000001071000-memory.dmp

    Filesize

    4KB

  • memory/1144-135-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/1144-136-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/1144-137-0x0000000001070000-0x0000000001071000-memory.dmp

    Filesize

    4KB

  • memory/1144-139-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/1144-142-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB

  • memory/1144-145-0x0000000010000000-0x00000000100D6000-memory.dmp

    Filesize

    856KB
