squirrelwaffle | 27fe65cd73ff1a6419ec3fd67afae07f0bbdbc241d43faa7f9257d27f93c5bf2

General

Target

www2.bin.dll
Size

334KB
MD5

84a32095bcbc0ed694f09f1dd8f2a70f
SHA1

23f7334db6979f04d5a2a9a846f82c526bfe6736
SHA256

671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e
SHA512

e3db14700e24210d1e2f1c19fcbb1b7074d73f5cdc4cbaf737b9a92a4f3b8d9b71efaa450aac9f7f4baef1ca8463f0668a3d72b888e0d39195e4c6115de5012a

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

C2

spiritofprespa.com/9783Tci2SGF6

amjsys.com/RIZszf8vR

hrms.prodigygroupindia.com/SKyufGZV

centralfloridaasphalt.com/GCN0FChS

jhehosting.com/rUuKheB7

shoeclearanceoutlet.co.uk/46awDTJjI4l

kmslogistik.com/aS1mjTkJIy

bartek-lenart.pl/1bWJ57V9vx

voip.voipcallhub.com/ZVmfdGHs4T

mercyfoundationcio.org/XF9aQrXnakeG

key4net.com/a8A2kcc1J

chaturanga.groopy.com/mxN3lxZoVApc

voipcallhub.com/ilGht5r26

ems.prodigygroupindia.com/v5RvVJTz

novamarketing.com.pk/k8l36uus

lenartsa.webd.pro/fz16DjmKmHtl

lead.jhinfotech.co/YERjiAMaupaz

Attributes

blocklist
94.46.179.80

206.189.205.251

88.242.66.45

85.75.110.214

87.104.3.136

207.244.91.171

49.230.88.160

91.149.252.75

91.149.252.88

92.211.109.152

178.0.250.168

88.69.16.230

95.223.77.160

99.234.62.23

2.206.105.223

84.222.8.201

89.183.239.142

5.146.132.101

77.7.60.154

45.41.106.122

45.74.72.13

74.58.152.123

88.87.68.197

211.107.25.121

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

185.220.100.241

199.195.251.84

213.164.204.94

74.125.213.7

74.125.213.9

185.220.100.249

37.71.173.58

93.2.220.100

188.10.191.109

81.36.17.247

70.28.47.118

45.133.172.222

108.41.227.196

37.235.53.46

162.216.47.22

154.3.42.51

45.86.200.60

212.230.181.152

185.192.70.11

14.33.131.72

94.46.179.80

206.189.205.251

178.255.172.194

84.221.205.40

155.138.242.103

178.212.98.156

85.65.32.191

31.167.184.201

88.242.66.45

36.65.102.42

203.213.127.79

85.75.110.214

93.78.214.187

204.152.81.185

183.171.72.218

168.194.101.130

87.104.3.136

92.211.196.33

197.92.140.125

207.244.91.171

49.230.88.160

196.74.16.153

91.149.252.75

91.149.252.88

92.206.15.202

82.21.114.63

92.211.109.152

178.0.250.168

178.203.145.135

85.210.36.4

199.83.207.72

86.132.134.203

88.69.16.230

99.247.129.88

37.201.195.12

87.140.192.0

88.152.185.188

87.156.177.91

99.229.57.160

95.223.77.160

88.130.54.214

99.234.62.23

2.206.105.223

94.134.179.130

84.221.255.199

84.222.8.201

89.183.239.142

87.158.21.26

93.206.148.216

5.146.132.101

77.7.60.154

95.223.75.85

162.254.173.187

50.99.254.163

45.41.106.122

99.237.13.3

45.74.72.13

108.171.64.202

74.58.152.123

216.209.253.121

88.87.68.197

211.107.25.121

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

squirrelwaffle 2 IoCs

Squirrelwaffle Payload

Processes:

resource	yara_rule
behavioral1/memory/3020-147-0x00000000752D0000-0x00000000752E1000-memory.dmp	squirrelwaffle
behavioral1/memory/3020-148-0x00000000752D0000-0x0000000075332000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
10	3020	rundll32.exe
11	3020	rundll32.exe
22	3020	rundll32.exe
23	3020	rundll32.exe
25	3020	rundll32.exe
26	3020	rundll32.exe
27	3020	rundll32.exe
28	3020	rundll32.exe
29	3020	rundll32.exe
30	3020	rundll32.exe
31	3020	rundll32.exe
33	3020	rundll32.exe
34	3020	rundll32.exe
35	3020	rundll32.exe
36	3020	rundll32.exe
37	3020	rundll32.exe
38	3020	rundll32.exe
39	3020	rundll32.exe
40	3020	rundll32.exe
41	3020	rundll32.exe
42	3020	rundll32.exe
43	3020	rundll32.exe
44	3020	rundll32.exe
45	3020	rundll32.exe
46	3020	rundll32.exe
47	3020	rundll32.exe
48	3020	rundll32.exe
49	3020	rundll32.exe
50	3020	rundll32.exe
51	3020	rundll32.exe
52	3020	rundll32.exe
53	3020	rundll32.exe
54	3020	rundll32.exe
55	3020	rundll32.exe
56	3020	rundll32.exe
57	3020	rundll32.exe
58	3020	rundll32.exe
59	3020	rundll32.exe
60	3020	rundll32.exe
61	3020	rundll32.exe
62	3020	rundll32.exe
63	3020	rundll32.exe
64	3020	rundll32.exe
65	3020	rundll32.exe
66	3020	rundll32.exe
67	3020	rundll32.exe
68	3020	rundll32.exe
69	3020	rundll32.exe
70	3020	rundll32.exe
71	3020	rundll32.exe
72	3020	rundll32.exe
73	3020	rundll32.exe
74	3020	rundll32.exe
75	3020	rundll32.exe
76	3020	rundll32.exe
77	3020	rundll32.exe
78	3020	rundll32.exe
79	3020	rundll32.exe
80	3020	rundll32.exe
81	3020	rundll32.exe
82	3020	rundll32.exe
83	3020	rundll32.exe
84	3020	rundll32.exe
85	3020	rundll32.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1416 wrote to memory of 3020	1416	rundll32.exe	rundll32.exe
PID 1416 wrote to memory of 3020	1416	rundll32.exe	rundll32.exe
PID 1416 wrote to memory of 3020	1416	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\www2.bin.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3020

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:3828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-155-0x000001A2FCF40000-0x000001A2FCF44000-memory.dmp

Filesize
16KB

Download
memory/1660-150-0x000001A2FA890000-0x000001A2FA8A0000-memory.dmp

Filesize
64KB

Download
memory/1660-151-0x000001A2FA910000-0x000001A2FA920000-memory.dmp

Filesize
64KB

Download
memory/1660-152-0x000001A2FCF10000-0x000001A2FCF14000-memory.dmp

Filesize
16KB

Download
memory/1660-153-0x000001A2FD200000-0x000001A2FD204000-memory.dmp

Filesize
16KB

Download
memory/1660-154-0x000001A2FD1C0000-0x000001A2FD1C1000-memory.dmp

Filesize
4KB

Download
memory/1660-156-0x000001A2FCF30000-0x000001A2FCF31000-memory.dmp

Filesize
4KB

Download
memory/1660-157-0x000001A2FCF30000-0x000001A2FCF34000-memory.dmp

Filesize
16KB

Download
memory/1660-158-0x000001A2FCE10000-0x000001A2FCE11000-memory.dmp

Filesize
4KB

Download
memory/3020-147-0x00000000752D0000-0x00000000752E1000-memory.dmp

Filesize
68KB

Download
memory/3020-148-0x00000000752D0000-0x0000000075332000-memory.dmp

Filesize
392KB

Download
memory/3020-149-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3020-146-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads