squirrelwaffle | d41b920d8d5190fd8cefc8406e6a7ca169170fe4b75efddd88c39da2689cc350

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d41b920d8d5190fd8cefc8406e6a7ca169170fe4b75efddd88c39da2689cc350.dll
Size

300KB
MD5

662b8f8a684918958dfa112dc1e351be
SHA1

a3fae1c3deeb3071b5e446d0a3546243d261e97c
SHA256

d41b920d8d5190fd8cefc8406e6a7ca169170fe4b75efddd88c39da2689cc350
SHA512

207ac0d2fdf90c84bd265fd9216110c48199663834242b2ea1091784d4b7d85df07c3ca8474f14b0a27039161452c3c108157c0d8bbddacae4dd406d2ac137bb

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://atertreat.in/5iPPVRKPPX9

http://incentivaconsultores.com.co/55jHpKCc9DWy

http://cdelean.org/0qvbbmu9g

http://bazy.ps/M6SjrMSYC

http://sukmabali.com/ZXxcLYs3rzRQ

http://bugwilliam.tk/cbB56YrugdbW

http://bestbeatsgh.com/42D7OwuPen

http://krumaila.com/UZ4NdDoDh4Tu

http://razehub.com/NN70nExbtLO

http://arcb.ro/aHUUNxE3Me5

http://cfmi.tg/m40YS6gDO0

http://sweetlittle.mx/ZCXP0dT2h

http://alkimia-prod.com/nT0imyzmo

http://almexperts.co.za/fEoJ3pdWZbF

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1068-56-0x0000000010000000-0x000000001004D000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1068	960	rundll32.exe	27
PID 960 wrote to memory of 1068	960	rundll32.exe	27
PID 960 wrote to memory of 1068	960	rundll32.exe	27
PID 960 wrote to memory of 1068	960	rundll32.exe	27
PID 960 wrote to memory of 1068	960	rundll32.exe	27
PID 960 wrote to memory of 1068	960	rundll32.exe	27
PID 960 wrote to memory of 1068	960	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d41b920d8d5190fd8cefc8406e6a7ca169170fe4b75efddd88c39da2689cc350.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d41b920d8d5190fd8cefc8406e6a7ca169170fe4b75efddd88c39da2689cc350.dll,#1
  2⤵
  PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download
memory/1068-55-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1068-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download