squirrelwaffle | ce110445b2aa78f9c14ceaea9c37ddd46b6df35d35bc4b8f840c00db72ff31c9

Resubmissions

10-11-2021 20:49

06-10-2021 12:48

Target

test1.test.dll
Size

481KB
MD5

24ffea9dc53b9ee9b1a6b20d1a23ef4c
SHA1

25a5af3a4a40d40efbc73a4214e9bb6145141110
SHA256

ce110445b2aa78f9c14ceaea9c37ddd46b6df35d35bc4b8f840c00db72ff31c9
SHA512

447b6d1c72c39ddb03392094655d6d50192f85cb21f88a863e2f35237309ffd8e8c1b5a758ecfc07b1aba10aa2f18e69a6f6a202ebe5682c82f5ddc2612831ef

Score

10^/10

Family

squirrelwaffle

http://vodvarkasprings.com/Fbjb82DVZMzM

http://jm-fitness.com/O9ZYqWiWR

http://mayurinternationalindia.com/89dQbvkH

http://chanakyacoaching.com/LNuPHv4w

http://fundacionpesa.com/Am2dFkv4Xf6

http://swayamhandcraft.in/bizUBo8Ncl4

http://7xwelfare.com/u1jliJYBwgsK

http://jaihanumanenterprises.com/E6itIXiE

http://deekayagencies.com/m9y7jtFxH

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3564-117-0x0000000000F00000-0x0000000000F11000-memory.dmp	squirrelwaffle
behavioral2/memory/3564-118-0x0000000001100000-0x0000000001110000-memory.dmp	squirrelwaffle

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4196	3564	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3564	3592	rundll32.exe	70
PID 3592 wrote to memory of 3564	3592	rundll32.exe	70
PID 3592 wrote to memory of 3564	3592	rundll32.exe	70

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 688
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4196

memory/3564-116-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3564-117-0x0000000000F00000-0x0000000000F11000-memory.dmp

Filesize
68KB

Download
memory/3564-118-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download