squirrelwaffle | ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940

Analysis

max time kernel
118s
max time network
148s
platform
windows7_x64
resource
win7-en-20211208
submitted
21/01/2022, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940.dll
Size

199KB
MD5

fbe46a3e555a2fbfbdb3186ec9321c78
SHA1

bab9fc71655a4b8ca329b1147adbe3e42ec3677e
SHA256

ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940
SHA512

8e1da6113a061e9a10a32a4ad019799865c61e7026d9be7ee8802288a9c3e9ec6b01dc06e16f94a71a5f8f8cd42bca939a4e2cc66dada15ff5e1056e0e23f54b

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1908-57-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27
PID 1144 wrote to memory of 1908	1144	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940.dll,#1
  2⤵
  PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/1908-56-0x0000000001F70000-0x0000000005F8A000-memory.dmp

Filesize
64.1MB

Download
memory/1908-57-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download