squirrelwaffle | 2ca7fbaffd862d1aaa34661e04bae1dc6d5031da13f437d6bedddf5576aa494a

Analysis

max time kernel
156s
max time network
167s
platform
windows10_x64
resource
win10-en-20211208
submitted
30-01-2022 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ca7fbaffd862d1aaa34661e04bae1dc6d5031da13f437d6bedddf5576aa494a.dll
Size

289KB
MD5

da391abad7ba38f509a9d5f36683889b
SHA1

24190997edfb171acf805c27ef76eec837125e49
SHA256

2ca7fbaffd862d1aaa34661e04bae1dc6d5031da13f437d6bedddf5576aa494a
SHA512

21b51fb2f0332b68bc92dcda77a745c780b7cc0eb34d169247724fcfb15c22b8ca2ced0f78e800f54f609bcf335b533dd9bdc81343c38b87a6b75c3d4e881350

Score

10^/10

squirrelwaffle downloader suricata

Malware Config

Extracted

Family

squirrelwaffle

http://hutraders.com/0eeUtmJf8O

http://goodartishard.com/0JXDM9kMwx

http://now.byteinsure.com/tnjUrmlhN

http://asceaub.com/Xl8UCLSU

http://colchonesmanzur.com/GjVgBnKaNIC

http://sistemasati.com/0SzGNkx6P

http://maldivehost.net/zLIisQRWZI9

http://lrdgon.org/l7r96tjAJ

http://binnawaz.com.pk/jhSZGWS76C

http://fhstorse.com/vJlgdjJnpIop

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata

Squirrelwaffle Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3012-117-0x00000000740F0000-0x0000000074100000-memory.dmp	squirrelwaffle
behavioral2/memory/3012-118-0x00000000740F0000-0x00000000741CF000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 5 IoCs

flow	pid	Process
17	3012	rundll32.exe
21	3012	rundll32.exe
29	3012	rundll32.exe
31	3012	rundll32.exe
33	3012	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3012	2772	rundll32.exe	68
PID 2772 wrote to memory of 3012	2772	rundll32.exe	68
PID 2772 wrote to memory of 3012	2772	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ca7fbaffd862d1aaa34661e04bae1dc6d5031da13f437d6bedddf5576aa494a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ca7fbaffd862d1aaa34661e04bae1dc6d5031da13f437d6bedddf5576aa494a.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-115-0x00000000740F0000-0x00000000741CF000-memory.dmp

Filesize
892KB

Download
memory/3012-116-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/3012-117-0x00000000740F0000-0x0000000074100000-memory.dmp

Filesize
64KB

Download
memory/3012-118-0x00000000740F0000-0x00000000741CF000-memory.dmp

Filesize
892KB

Download