squirrelwaffle | 63054b9c730d031aefd49182d416d38f47a5f9db3000b9ccc34e7854c891474c

Analysis

max time kernel
135s
max time network
142s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-01-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63054b9c730d031aefd49182d416d38f47a5f9db3000b9ccc34e7854c891474c.dll
Size

318KB
MD5

1f8dd46698c69892c39f849307afbabd
SHA1

5aa71223f673518052b3a6fb57c6ccdc277dc342
SHA256

63054b9c730d031aefd49182d416d38f47a5f9db3000b9ccc34e7854c891474c
SHA512

2058919dfbfec9750a08d0f33061d42de1b2eb4f746fb374e283d4c56d118c3385a05a026df211b8955c6eac37c9950a4d34c4170ae8dfed2d1c3de45e6acde7

Score

10^/10

squirrelwaffle downloader suricata

Malware Config

Extracted

Family

squirrelwaffle

http://atertreat.in/5iPPVRKPPX9

http://incentivaconsultores.com.co/55jHpKCc9DWy

http://cdelean.org/0qvbbmu9g

http://bazy.ps/M6SjrMSYC

http://sukmabali.com/ZXxcLYs3rzRQ

http://bugwilliam.tk/cbB56YrugdbW

http://bestbeatsgh.com/42D7OwuPen

http://krumaila.com/UZ4NdDoDh4Tu

http://razehub.com/NN70nExbtLO

http://arcb.ro/aHUUNxE3Me5

http://cfmi.tg/m40YS6gDO0

http://sweetlittle.mx/ZCXP0dT2h

http://alkimia-prod.com/nT0imyzmo

http://almexperts.co.za/fEoJ3pdWZbF

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3460-116-0x0000000010000000-0x000000001004D000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
24	3460	rundll32.exe
26	3460	rundll32.exe
30	3460	rundll32.exe
32	3460	rundll32.exe
34	3460	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3460	4092	rundll32.exe	69
PID 4092 wrote to memory of 3460	4092	rundll32.exe	69
PID 4092 wrote to memory of 3460	4092	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63054b9c730d031aefd49182d416d38f47a5f9db3000b9ccc34e7854c891474c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\63054b9c730d031aefd49182d416d38f47a5f9db3000b9ccc34e7854c891474c.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-115-0x0000000002C90000-0x0000000002DDA000-memory.dmp

Filesize
1.3MB

Download
memory/3460-116-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download