squirrelwaffle | ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940

Analysis

max time kernel
163s
max time network
195s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-01-2022 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940.dll
Size

199KB
MD5

fbe46a3e555a2fbfbdb3186ec9321c78
SHA1

bab9fc71655a4b8ca329b1147adbe3e42ec3677e
SHA256

ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940
SHA512

8e1da6113a061e9a10a32a4ad019799865c61e7026d9be7ee8802288a9c3e9ec6b01dc06e16f94a71a5f8f8cd42bca939a4e2cc66dada15ff5e1056e0e23f54b

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral2/memory/352-116-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	352	rundll32.exe
16	352	rundll32.exe
24	352	rundll32.exe
26	352	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 352	2760	rundll32.exe	68
PID 2760 wrote to memory of 352	2760	rundll32.exe	68
PID 2760 wrote to memory of 352	2760	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca8b17eb7317544f922f7e63b8b158c85ce0937841a83ccdd70ffd8e36acf940.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/352-115-0x0000000004B80000-0x0000000008B9A000-memory.dmp

Filesize
64.1MB

Download
memory/352-116-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download