squirrelwaffle | ff4755aa5c8100176813198c04bf849677507f52c2613dca7ebb4f73c1b4041f

Analysis

max time kernel
143s
max time network
143s
platform
windows10_x64
resource
win10-en-20211208
submitted
21/01/2022, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff4755aa5c8100176813198c04bf849677507f52c2613dca7ebb4f73c1b4041f.dll
Size

208KB
MD5

585ffca5794b35db2e8163f929acaff5
SHA1

3cb9a657743bac40d6eda0f36e06df34a69dfc8e
SHA256

ff4755aa5c8100176813198c04bf849677507f52c2613dca7ebb4f73c1b4041f
SHA512

e97502dfb7886fdd4ef8b41c913c916fc569ba60b8dc95664bd17dc864a524fce312af600851e7cb75d26915044af44a1a165708fe5b6414c0d62697a034f332

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2692-119-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
22	2692	rundll32.exe
26	2692	rundll32.exe
30	2692	rundll32.exe
32	2692	rundll32.exe
34	2692	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2692	2504	rundll32.exe	69
PID 2504 wrote to memory of 2692	2504	rundll32.exe	69
PID 2504 wrote to memory of 2692	2504	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4755aa5c8100176813198c04bf849677507f52c2613dca7ebb4f73c1b4041f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4755aa5c8100176813198c04bf849677507f52c2613dca7ebb4f73c1b4041f.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-118-0x0000000004A50000-0x0000000008A6A000-memory.dmp

Filesize
64.1MB

Download
memory/2692-119-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download