squirrelwaffle | be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1

Analysis

max time kernel
132s
max time network
131s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-01-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1.dll
Size

212KB
MD5

fe03881510cbbaecd5c165ca7eade2ab
SHA1

3b5049f82f1770f88aab7ee7e6c7d7239f84446a
SHA256

be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1
SHA512

8969afc1b85ccd016ad306ada1f5ad6450f362485a1c130f185503e687dc97568cc059576b6fdd75ce8d76a77e4837dc932f5e833a0a5f608df4776057235d07

Score

10^/10

squirrelwaffle downloader suricata

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3468-119-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
23	3468	rundll32.exe
29	3468	rundll32.exe
32	3468	rundll32.exe
34	3468	rundll32.exe
36	3468	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3468	2828	rundll32.exe	69
PID 2828 wrote to memory of 3468	2828	rundll32.exe	69
PID 2828 wrote to memory of 3468	2828	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be16fd74a81487bd298aa033e6174ed33b12358adf31f6860df246403e75dee1.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3468-118-0x0000000004C00000-0x0000000008C1A000-memory.dmp

Filesize
64.1MB

Download
memory/3468-119-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download