squirrelwaffle | be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1.dll
Size

212KB
MD5

fe03881510cbbaecd5c165ca7eade2ab
SHA1

3b5049f82f1770f88aab7ee7e6c7d7239f84446a
SHA256

be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1
SHA512

8969afc1b85ccd016ad306ada1f5ad6450f362485a1c130f185503e687dc97568cc059576b6fdd75ce8d76a77e4837dc932f5e833a0a5f608df4776057235d07

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1576-56-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27
PID 1552 wrote to memory of 1576	1552	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1.dll,#1
  2⤵
  PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1576-55-0x00000000021F0000-0x000000000620A000-memory.dmp

Filesize
64.1MB

Download
memory/1576-56-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download