squirrelwaffle | ce110445b2aa78f9c14ceaea9c37ddd46b6df35d35bc4b8f840c00db72ff31c9

Resubmissions

10-11-2021 20:49

211110-zmgybsacc9 10

06-10-2021 12:48

211006-p1649sbdcp 10

Analysis

max time kernel
141s
max time network
57s
platform
windows7_x64
resource
win7v20210408
submitted
06-10-2021 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test1.test.dll
Size

481KB
MD5

24ffea9dc53b9ee9b1a6b20d1a23ef4c
SHA1

25a5af3a4a40d40efbc73a4214e9bb6145141110
SHA256

ce110445b2aa78f9c14ceaea9c37ddd46b6df35d35bc4b8f840c00db72ff31c9
SHA512

447b6d1c72c39ddb03392094655d6d50192f85cb21f88a863e2f35237309ffd8e8c1b5a758ecfc07b1aba10aa2f18e69a6f6a202ebe5682c82f5ddc2612831ef

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://vodvarkasprings.com/Fbjb82DVZMzM

http://jm-fitness.com/O9ZYqWiWR

http://mayurinternationalindia.com/89dQbvkH

http://chanakyacoaching.com/LNuPHv4w

http://fundacionpesa.com/Am2dFkv4Xf6

http://swayamhandcraft.in/bizUBo8Ncl4

http://7xwelfare.com/u1jliJYBwgsK

http://jaihanumanenterprises.com/E6itIXiE

http://deekayagencies.com/m9y7jtFxH

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1916-64-0x00000000002C0000-0x00000000002D1000-memory.dmp	squirrelwaffle
behavioral1/memory/1916-65-0x00000000002F0000-0x0000000000300000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25
PID 1892 wrote to memory of 1916	1892	rundll32.exe	25

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
  2⤵
  PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-61-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1916-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1916-64-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1916-65-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download