squirrelwaffle | a6f5ef4aca1db5477e051899e3992e3298b4bacd2877aa9f71dc2168f322b22f

Analysis

max time kernel
148s
max time network
148s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-10-2021 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sou.html.3.dll
Size

358KB
MD5

d59f026dcad1221e477378af85dc625a
SHA1

2885bff21d432290b96ec81de0589275bf3756b0
SHA256

a6f5ef4aca1db5477e051899e3992e3298b4bacd2877aa9f71dc2168f322b22f
SHA512

e96ecf1d0e98d01ddff701bcfb78891c1ee7d84f1f4a088d0940675d895a697200abe4b4d6f80b20055b0d654c605f86eba663dc9062c8ede9e884d893e20571

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://alcorbogaindonesia.com/9poRAbODT

http://mediacionmelipilla.cl/4ugcVLVzG

http://escenachile.cl/qflR3r5quK

http://tuskmelon.com/1i4FIOfE

http://omni-safe.mx/VxkvGWrsNk

http://hitehousepropertydevelopers.com/P5qmwoxY

http://nvamirada.cl/SLilOXk1M

http://promjene.org/40crEYMiWiD

http://anastasiayyc.com/oR7uF1h3VkOv

http://jungla-lat.cl/gvwPyfsAIrt

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4088-117-0x0000000073C60000-0x0000000073C70000-memory.dmp	squirrelwaffle
behavioral2/memory/4088-118-0x0000000073C60000-0x0000000073CD2000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
23	4088	rundll32.exe
27	4088	rundll32.exe
28	4088	rundll32.exe
29	4088	rundll32.exe
30	4088	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4088	2132	rundll32.exe	69
PID 2132 wrote to memory of 4088	2132	rundll32.exe	69
PID 2132 wrote to memory of 4088	2132	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sou.html.3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sou.html.3.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:4088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4088-116-0x0000000073C60000-0x0000000073CD2000-memory.dmp

Filesize
456KB

Download
memory/4088-117-0x0000000073C60000-0x0000000073C70000-memory.dmp

Filesize
64KB

Download
memory/4088-118-0x0000000073C60000-0x0000000073CD2000-memory.dmp

Filesize
456KB

Download
memory/4088-119-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download