squirrelwaffle | 080605882c52fa3d534906acb724a5fc2fdb2ef7d9174331988eccc30b269ec7

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
30-01-2022 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

080605882c52fa3d534906acb724a5fc2fdb2ef7d9174331988eccc30b269ec7.dll
Size

223KB
MD5

6f8a6c096e3531d7af23a91ec2be61d6
SHA1

7a591595101e05f78aa1057b14379888ad7c57cf
SHA256

080605882c52fa3d534906acb724a5fc2fdb2ef7d9174331988eccc30b269ec7
SHA512

5057c45b742b3d5c568e843bf4240fb58292339177dce95e79c3194b07e02ac94e8884346f0e9d33261adc61bfb9d7f1edd26629e1cc4d4787d355f17942ce8e

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1740-57-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1740	828	rundll32.exe	27
PID 828 wrote to memory of 1740	828	rundll32.exe	27
PID 828 wrote to memory of 1740	828	rundll32.exe	27
PID 828 wrote to memory of 1740	828	rundll32.exe	27
PID 828 wrote to memory of 1740	828	rundll32.exe	27
PID 828 wrote to memory of 1740	828	rundll32.exe	27
PID 828 wrote to memory of 1740	828	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\080605882c52fa3d534906acb724a5fc2fdb2ef7d9174331988eccc30b269ec7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\080605882c52fa3d534906acb724a5fc2fdb2ef7d9174331988eccc30b269ec7.dll,#1
  2⤵
  PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x0000000002490000-0x00000000064AA000-memory.dmp

Filesize
64.1MB

Download
memory/1740-57-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download