squirrelwaffle | 10ce13aee1e7d1b721cd603d4fb1b982536320b0fe3d653a63ace64be07bef70

Analysis

max time kernel
119s
max time network
135s
platform
windows7_x64
resource
win7-en-20211208
submitted
30-01-2022 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10ce13aee1e7d1b721cd603d4fb1b982536320b0fe3d653a63ace64be07bef70.dll
Size

222KB
MD5

7eb4034270fbb83f85e90841f3d2a871
SHA1

a7a97668136813a5d153865155e53554f288a0dd
SHA256

10ce13aee1e7d1b721cd603d4fb1b982536320b0fe3d653a63ace64be07bef70
SHA512

14999c497f6d7b9413e28061a1117d3f8d4dc0d3d12f8c0717298d26611f22b0fb5b83f503e46dd5a603e01535e59e7cc6d7297230b5a8032b3959b877ac36e8

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

http://pop.vicamtaynam.com/VtyiHAft

http://snsvidyapeeth.in/aXmo2Dr3

http://trinitytesttubebaby.com/QR2JvfE3Sv

http://iconskw.com/cqdPtAbZ

http://ebookchuyennganh.com/v9PMvQDxHK8W

http://alsader.net/BHdQaiQ9rt

http://avyanshglobal.com/6pYjPlqf

http://primahills-online.com/ypCiZn7tMx

http://antoniocastroycia.com.co/WHe08obY

http://apexbiotech.net/VQgunQ4t5Ue

http://vscm.in/V3tYKxDz

http://sinaloworx.co.za/3GilA8Eo3r

http://dancongnghe.xyz/yRByhX6J3REI

http://trajesuniformes.com.br/qQofZMaJm

http://fiorenzapaes.com.br/PGYpETW7

http://astetinternational.com/arW5e44Y7vzO

http://razisystem.ir/MqvvkX0cWvn

http://krishnaiti.org.in/rWA02HQY4

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1680-56-0x0000000010000000-0x0000000014030000-memory.dmp	squirrelwaffle

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27
PID 1212 wrote to memory of 1680	1212	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ce13aee1e7d1b721cd603d4fb1b982536320b0fe3d653a63ace64be07bef70.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ce13aee1e7d1b721cd603d4fb1b982536320b0fe3d653a63ace64be07bef70.dll,#1
  2⤵
  PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1680-55-0x0000000001E10000-0x0000000005E2A000-memory.dmp

Filesize
64.1MB

Download
memory/1680-56-0x0000000010000000-0x0000000014030000-memory.dmp

Filesize
64.2MB

Download