squirrelwaffle | 1f8466463d1cf3611b4d9438bb727fcb4d314563f124da38f886f2adbde63135

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
30/01/2022, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8466463d1cf3611b4d9438bb727fcb4d314563f124da38f886f2adbde63135.dll
Size

299KB
MD5

4b91c90c692b17b1a9e1ecaff66e2abd
SHA1

8c42d6161e6506d06e9d0f11ea814fa087f2b2d7
SHA256

1f8466463d1cf3611b4d9438bb727fcb4d314563f124da38f886f2adbde63135
SHA512

7648e0968d83cd2853f5043ddd05648130ab032c732ccc75e09382e6d622572d3dd3e53cdadbe0b90e2d156b581a1b11716d39c983d5e9dd6d590372988bfd4e

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://hutraders.com/0eeUtmJf8O

http://goodartishard.com/0JXDM9kMwx

http://now.byteinsure.com/tnjUrmlhN

http://asceaub.com/Xl8UCLSU

http://colchonesmanzur.com/GjVgBnKaNIC

http://sistemasati.com/0SzGNkx6P

http://maldivehost.net/zLIisQRWZI9

http://lrdgon.org/l7r96tjAJ

http://binnawaz.com.pk/jhSZGWS76C

http://fhstorse.com/vJlgdjJnpIop

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1536-59-0x00000000748B0000-0x000000007498F000-memory.dmp	squirrelwaffle
behavioral1/memory/1536-58-0x00000000748B0000-0x00000000748C0000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27
PID 1520 wrote to memory of 1536	1520	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f8466463d1cf3611b4d9438bb727fcb4d314563f124da38f886f2adbde63135.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f8466463d1cf3611b4d9438bb727fcb4d314563f124da38f886f2adbde63135.dll,#1
  2⤵
  PID:1536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/1536-56-0x00000000748B0000-0x000000007498F000-memory.dmp

Filesize
892KB

Download
memory/1536-57-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1536-59-0x00000000748B0000-0x000000007498F000-memory.dmp

Filesize
892KB

Download
memory/1536-58-0x00000000748B0000-0x00000000748C0000-memory.dmp

Filesize
64KB

Download