squirrelwaffle | 5582447866948a38cb3d1013759854142cbbdc812de3d821c5d4c151e4ebbe6f

General

Target

squiwaf.dll
Size

260KB
MD5

6373e3b1950d7529d63262ebc9c76ea9
SHA1

4a1e34488f21c336599dc7b576bdfda066f98522
SHA256

5582447866948a38cb3d1013759854142cbbdc812de3d821c5d4c151e4ebbe6f
SHA512

830e0a6c97afe0ab07a62abb55a89fa51ec793cab631d7f16a619921cc09e1d799db21e5bb9c1f89726f7d261fe1bd54a1030496ec4296bb3e47d0f15897803c

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

C2

deanandwilconstruction.com/UXEvfuIlhws

arimeto.lv/Nm70oAfwB

gitamschool.com/oZbs0Oqw7uv

eresourcesmoneymarket.com/JbVwdgaV6l

flyershipmanager.com/SGAsORYsywt

Attributes

blocklist
94.46.179.80

206.189.205.251

88.242.66.45

85.75.110.214

87.104.3.136

207.244.91.171

49.230.88.160

91.149.252.75

91.149.252.88

92.211.109.152

178.0.250.168

88.69.16.230

95.223.77.160

99.234.62.23

2.206.105.223

84.222.8.201

89.183.239.142

5.146.132.101

77.7.60.154

45.41.106.122

45.74.72.13

74.58.152.123

88.87.68.197

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

185.220.100.241

199.195.251.84

213.164.204.94

74.125.213.7

74.125.213.9

185.220.100.249

37.71.173.58

93.2.220.100

188.10.191.109

81.36.17.247

70.28.47.118

45.133.172.222

108.41.227.196

37.235.53.46

162.216.47.22

154.3.42.51

45.86.200.60

212.230.181.152

185.192.70.11

37.142.65.69

87.166.51.31

178.198.76.175

128.90.172.136

172.58.227.224

201.77.112.133

64.124.12.162

87.166.51.28

104.244.72.115

109.70.100.23

192.145.127.220

194.186.142.122

185.207.249.217

52.250.42.144

45.86.201.156

195.245.199.125

213.33.190.70

154.61.71.13

154.13.1.22

191.96.185.151

40.94.25.22

40.94.25.39

40.94.25.5

40.94.25.79

40.94.25.69

40.94.25.71

40.94.25.60

40.94.25.64

40.94.25.29

40.94.25.23

40.94.25.89

40.94.26.165

40.94.26.210

40.94.26.208

40.94.26.166

40.94.26.216

40.94.26.173

40.94.26.182

40.94.35.75

40.94.35.97

40.94.35.27

40.94.35.38

40.94.35.46

40.94.35.76

40.94.35.70

40.94.35.80

40.94.35.98

40.94.35.40

45.86.200.23

198.167.212.98

40.94.31.87

40.94.31.85

40.94.31.29

40.94.31.97

40.94.31.88

40.94.31.80

40.94.31.65

198.167.195.112

40.94.31.58

40.94.31.48

40.94.31.64

40.94.31.26

40.94.31.66

40.94.31.90

40.94.31.46

40.94.31.47

212.119.227.184

72.12.194.93

72.12.194.94

72.12.194.92

134.209.213.55

35.198.84.59

89.208.29.2

40.94.30.159

40.94.30.139

40.94.30.152

40.94.30.167

40.94.30.164

40.94.30.166

40.94.30.174

40.94.30.151

154.61.71.53

40.94.30.157

40.94.30.136

40.94.30.149

52.154.162.74

213.33.190.161

83.84.25.214

162.251.62.154

188.241.177.152

92.211.110.221

185.183.107.236

72.12.194.90

40.94.25.36

40.94.29.4

40.94.25.50

40.94.29.31

40.94.25.31

40.94.29.41

40.94.31.5

40.94.25.80

40.94.29.82

40.94.31.81

40.94.25.96

40.94.29.59

40.94.31.3

40.94.25.58

40.94.31.61

40.94.31.49

40.94.31.54

40.94.31.62

40.94.31.70

40.94.30.211

40.94.30.148

40.94.30.218

40.94.30.147

40.94.30.129

40.94.31.15

40.94.30.169

40.94.31.36

40.94.30.223

40.94.30.203

95.211.36.179

64.233.172.102

153.246.206.71

198.167.193.35

90.187.12.209

37.49.116.179

52.167.22.240

160.177.96.15

185.123.143.220

167.99.172.253

40.94.36.81

86.107.21.203

24.37.31.38

71.19.154.84

192.160.102.170

216.251.130.74

49.44.76.43

109.147.65.157

86.217.130.91

178.174.15.54

86.242.244.97

92.46.70.105

81.201.234.26

78.94.217.60

141.226.236.91

95.26.228.102

89.208.29.3

213.33.190.205

213.33.190.121

5.154.174.45

23.154.177.3

195.65.152.138

93.231.174.227

185.220.101.132

54.36.101.21

72.12.194.91

46.14.116.174

141.19.232.57

185.220.101.149

45.74.46.69

157.230.210.133

82.199.130.36

104.237.193.28

187.46.138.56

195.164.49.162

156.146.49.135

195.164.49.191

79.104.209.54

35.245.134.90

20.52.139.186

189.139.144.151

94.31.102.187

39.43.45.71

107.189.10.143

39.43.123.57

106.75.76.179

194.186.142.131

210.22.129.194

45.130.83.77

154.6.16.175

162.247.73.192

107.189.1.160

185.107.47.215

46.166.139.111

185.56.80.65

185.220.100.245

209.141.59.180

77.247.181.163

185.220.101.137

185.220.100.242

104.244.76.13

185.83.214.69

185.220.100.252

185.112.146.73

185.57.82.28

89.187.171.116

66.220.242.222

39.43.72.17

5.171.90.80

185.152.32.77

23.129.64.157

92.151.9.187

106.75.31.237

122.167.79.251

109.70.100.33

199.249.230.154

64.233.172.108

64.233.172.106

64.233.172.104

77.247.181.165

107.189.12.240

79.142.76.203

193.128.114.34

185.92.26.59

185.65.210.119

70.39.159.79

70.39.159.29

151.48.26.15

151.48.26.15

2.228.159.178

188.174.248.154

188.174.248.154

95.90.198.182

95.90.198.182

193.0.200.36

193.0.200.36

151.127.13.232

89.97.249.158

212.115.152.225

185.217.117.179

199.249.230.164

80.233.134.134

109.74.154.92

65.39.88.250

90.84.192.187

37.70.202.24

85.203.45.30

109.190.93.219

151.8.114.194

176.235.38.106

149.56.99.85

138.128.136.169

213.82.23.224

192.42.123.107

128.90.151.188

162.245.206.249

85.203.45.40

95.211.95.242

185.220.102.251

66.203.112.160

193.128.108.246

193.128.108.242

31.204.150.74

34.141.245.25

122.167.85.191

212.6.86.133

171.25.193.25

149.3.170.147

162.247.74.217

109.70.100.34

89.208.29.5

79.104.209.91

79.104.209.157

194.186.142.205

198.167.217.20

198.167.193.112

204.101.161.31

198.167.219.82

195.74.76.222

87.118.110.27

185.247.225.43

193.128.108.250

188.212.135.7

106.75.75.245

86.142.177.106

185.192.69.77

198.167.209.37

59.144.163.235

193.128.108.243

31.204.152.150

87.166.49.39

82.127.202.176

58.40.175.6

92.222.212.17

88.123.105.51

45.114.130.4

216.251.130.75

187.22.129.46

187.22.129.46

45.153.160.129

80.155.50.158

80.155.50.158

212.234.209.161

213.9.159.210

88.149.207.35

88.149.207.35

88.149.207.35

37.159.148.162

151.8.6.86

91.62.233.251

109.3.219.42

109.3.219.42

109.3.219.42

196.23.168.132

192.87.28.103

207.244.70.35

79.104.209.172

89.208.29.6

195.239.51.18

79.104.209.52

194.154.78.73

185.220.102.240

109.70.100.27

208.68.5.17

185.191.124.143

45.153.160.130

163.172.213.212

193.128.108.245

51.83.131.42

109.62.69.3

109.62.69.3

147.135.68.11

209.58.188.133

193.128.108.253

94.242.243.171

185.183.106.148

185.220.102.248

109.70.100.20

37.58.58.249

69.167.10.41

109.62.69.2

45.141.56.7

104.244.74.55

193.128.108.247

185.31.175.243

45.61.185.125

185.57.82.27

122.182.203.3

82.221.105.78

37.187.196.70

45.153.160.138

89.163.252.12

193.128.108.252

198.167.199.100

198.167.199.106

70.39.116.252

193.128.108.248

188.43.68.132

79.104.209.46

213.33.190.122

95.25.38.53

80.255.7.72

212.119.227.132

212.119.227.169

194.186.142.52

38.132.118.67

37.120.143.139

193.128.108.249

66.249.88.48

66.249.88.50

66.249.88.46

104.244.74.28

198.96.155.3

205.185.124.200

109.70.100.36

193.189.100.202

185.31.175.215

84.147.60.16

45.242.1.134

5.22.190.138

84.147.62.235

89.208.29.7

194.154.78.130

106.75.66.75

185.217.1.11

103.254.153.204

198.167.201.23

185.31.175.231

23.184.48.9

18.27.197.252

107.189.11.153

128.199.56.132

104.248.166.43

192.145.127.221

185.100.87.202

94.46.179.80

206.189.205.251

178.255.172.194

84.221.205.40

155.138.242.103

178.212.98.156

85.65.32.191

31.167.184.201

88.242.66.45

36.65.102.42

203.213.127.79

85.75.110.214

93.78.214.187

204.152.81.185

183.171.72.218

168.194.101.130

87.104.3.136

92.211.196.33

197.92.140.125

207.244.91.171

49.230.88.160

196.74.16.153

91.149.252.75

91.149.252.88

92.206.15.202

82.21.114.63

92.211.109.152

178.0.250.168

178.203.145.135

85.210.36.4

199.83.207.72

86.132.134.203

88.69.16.230

99.247.129.88

37.201.195.12

87.140.192.0

88.152.185.188

87.156.177.91

99.229.57.160

95.223.77.160

88.130.54.214

99.234.62.23

2.206.105.223

94.134.179.130

84.221.255.199

84.222.8.201

89.183.239.142

87.158.21.26

93.206.148.216

5.146.132.101

77.7.60.154

95.223.75.85

162.254.173.187

50.99.254.163

45.41.106.122

99.237.13.3

45.74.72.13

108.171.64.202

74.58.152.123

216.209.253.121

88.87.68.197

211.107.25.121

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

185.220.100.241

199.195.251.84

213.164.204.94

74.125.213.7

74.125.213.9

177.38.183.13

185.220.100.249

85.55.1.73

85.55.1.73

37.71.173.58

82.65.34.224

93.2.220.100

188.10.191.109

24.100.23.115

81.36.17.247

90.161.75.4

213.194.157.212

117.211.140.154

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

squirrelwaffle 1 IoCs

Squirrelwaffle Payload

Processes:

resource	yara_rule
behavioral1/memory/3668-117-0x0000000010000000-0x0000000010044000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow	pid	Process
25	3668	rundll32.exe
26	3668	rundll32.exe
30	3668	rundll32.exe
31	3668	rundll32.exe
34	3668	rundll32.exe

Drops file in System32 directory 4 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeC2RClient.exe

pid	Process
4168	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 4268 wrote to memory of 3668	4268	rundll32.exe	75
PID 4268 wrote to memory of 3668	4268	rundll32.exe	75
PID 4268 wrote to memory of 3668	4268	rundll32.exe	75

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\squiwaf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\squiwaf.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3668

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3668-115-0x0000000000000000-mapping.dmp

Download
memory/3668-116-0x0000000000970000-0x0000000000ABA000-memory.dmp

Filesize
1.3MB

Download
memory/3668-117-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads