squirrelwaffle | 85569f094eae1b6e66e0ab9d3dc0f653e3a411ef01b4fbed5ef6e462d3afeb77

Resubmissions

24-09-2021 20:14

210924-yz1ershhg5 10

24-09-2021 19:48

210924-yjkdlshha8 10

Analysis

max time kernel
128s
max time network
130s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test1.test.dll
Size

211KB
MD5

78e20bf482434bc2f64245ab86c0856f
SHA1

cf79862d895d744741a261432d6f7a087818d66d
SHA256

85569f094eae1b6e66e0ab9d3dc0f653e3a411ef01b4fbed5ef6e462d3afeb77
SHA512

1f20e16050bd76e330ad9b51dd5e942e1a6e1c97aa5508b367ae47acc900f9c5fa5f3fafc76aad1a0502add53dec5642321eeb098cc8b81d159568877fba15a2

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

pop.vicamtaynam.com/VtyiHAft

snsvidyapeeth.in/aXmo2Dr3

trinitytesttubebaby.com/QR2JvfE3Sv

iconskw.com/cqdPtAbZ

ebookchuyennganh.com/v9PMvQDxHK8W

alsader.net/BHdQaiQ9rt

avyanshglobal.com/6pYjPlqf

primahills-online.com/ypCiZn7tMx

antoniocastroycia.com.co/WHe08obY

apexbiotech.net/VQgunQ4t5Ue

vscm.in/V3tYKxDz

sinaloworx.co.za/3GilA8Eo3r

dancongnghe.xyz/yRByhX6J3REI

trajesuniformes.com.br/qQofZMaJm

fiorenzapaes.com.br/PGYpETW7

astetinternational.com/arW5e44Y7vzO

razisystem.ir/MqvvkX0cWvn

krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

squirrelwaffle 1 IoCs

Squirrelwaffle Payload

resource	yara_rule
behavioral2/memory/740-116-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	740	rundll32.exe
8	740	rundll32.exe
13	740	rundll32.exe
16	740	rundll32.exe
17	740	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 740	1832	rundll32.exe	68
PID 1832 wrote to memory of 740	1832	rundll32.exe	68
PID 1832 wrote to memory of 740	1832	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-115-0x0000000004320000-0x000000000833A000-memory.dmp

Filesize
64.1MB

Download
memory/740-116-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download