squirrelwaffle | 167c4cd037260192c03ef9ae848c419b9d3286c268816d694ffc91f7ce380641

General

Target

167c4cd037260192c03ef9ae848c419b9d3286c268816d694ffc91f7ce380641.dll
Size

532KB
MD5

6a067040084936093fdecb5fcf0bdac3
SHA1

9eea4dde7c830e95cb17c3d7009263cbb71d6b88
SHA256

167c4cd037260192c03ef9ae848c419b9d3286c268816d694ffc91f7ce380641
SHA512

0d9d01b2e9571508877ab744e11f5b7f820d9bdae7fb131b03a22cd47d4b1224c16da89594e1c6eaba56f6d6a90610fa7a56cae529c80b0c5b58ca67459ff7db
SSDEEP

12288:0RrUk9Wnwhj27lkhYzFcxgqgZbFzmNhdBjmCc:0R4YWnwhj27l+YpcWzLzmHddjc

Score

10^/10

squirrelwaffle downloader

Malware Config

Extracted

Family

squirrelwaffle

C2

http://agora.360cyberlink.com/wpuDolwbH9c9

http://panel.betfredtakeaway.com/awJPDGElQ

http://believeinus.net/S6y8WsHm

http://onlinecourses.mirrainternationaluniversity.com/VnCSkt13PkuT

http://reward.tyrehamperpromotion.co.uk/GWJ3gHMtUdk

http://panels.betfredtakeaway.com/0PKIQI4OFxD

http://ambassade-mauritanie-rabat.net/hovwkJJaIt8

http://bitcoinup.bafflepoetry.org/uTyCcQUDkCX3

http://pwcgov-x.gq/doMZFSHYs

http://business-a.ml/lDyw7Vs3x

http://unifarma.com.br/6GREencD

http://digitalmaster.online/rgzce1W5g

http://patatec.com/OTfcXmew

http://megasoftsol.com/R26csFnDY

http://authentification.scanandrace.com/m1xwraBcBFN

http://new.actsgeneration.org/1vXSPxRR3bR

http://lagochapala.com.mx/DplUgNSqWfc

Attributes

blocklist
94.46.179.80

206.189.205.251

88.242.66.45

85.75.110.214

87.104.3.136

207.244.91.171

49.230.88.160

91.149.252.75

91.149.252.88

92.211.109.152

178.0.250.168

88.69.16.230

95.223.77.160

99.234.62.23

2.206.105.223

84.222.8.201

89.183.239.142

5.146.132.101

77.7.60.154

45.41.106.122

45.74.72.13

74.58.152.123

88.87.68.197

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

185.220.100.241

199.195.251.84

213.164.204.94

74.125.213.7

74.125.213.9

185.220.100.249

37.71.173.58

93.2.220.100

188.10.191.109

81.36.17.247

70.28.47.118

45.133.172.222

108.41.227.196

37.235.53.46

162.216.47.22

154.3.42.51

45.86.200.60

212.230.181.152

185.192.70.11

37.142.65.69

87.166.51.31

178.198.76.175

128.90.172.136

172.58.227.224

201.77.112.133

64.124.12.162

87.166.51.28

104.244.72.115

109.70.100.23

192.145.127.220

194.186.142.122

185.207.249.217

52.250.42.144

45.86.201.156

195.245.199.125

213.33.190.70

154.61.71.13

154.13.1.22

191.96.185.151

40.94.25.22

40.94.25.39

40.94.25.5

40.94.25.79

40.94.25.69

40.94.25.71

40.94.25.60

40.94.25.64

40.94.25.29

40.94.25.23

40.94.25.89

40.94.26.165

40.94.26.210

40.94.26.208

40.94.26.166

40.94.26.216

40.94.26.173

40.94.26.182

40.94.35.75

40.94.35.97

40.94.35.27

40.94.35.38

40.94.35.46

40.94.35.76

40.94.35.70

40.94.35.80

40.94.35.98

40.94.35.40

45.86.200.23

198.167.212.98

40.94.31.87

40.94.31.85

40.94.31.29

40.94.31.97

40.94.31.88

40.94.31.80

40.94.31.65

198.167.195.112

40.94.31.58

40.94.31.48

40.94.31.64

40.94.31.26

40.94.31.66

40.94.31.90

40.94.31.46

40.94.31.47

212.119.227.184

72.12.194.93

72.12.194.94

72.12.194.92

134.209.213.55

35.198.84.59

89.208.29.2

40.94.30.159

40.94.30.139

40.94.30.152

40.94.30.167

40.94.30.164

40.94.30.166

40.94.30.174

40.94.30.151

154.61.71.53

40.94.30.157

40.94.30.136

40.94.30.149

52.154.162.74

213.33.190.161

83.84.25.214

162.251.62.154

188.241.177.152

92.211.110.221

185.183.107.236

72.12.194.90

40.94.25.36

40.94.29.4

40.94.25.50

40.94.29.31

40.94.25.31

40.94.29.41

40.94.31.5

40.94.25.80

40.94.29.82

40.94.31.81

40.94.25.96

40.94.29.59

40.94.31.3

40.94.25.58

40.94.31.61

40.94.31.49

40.94.31.54

40.94.31.62

40.94.31.70

40.94.30.211

40.94.30.148

40.94.30.218

40.94.30.147

40.94.30.129

40.94.31.15

40.94.30.169

40.94.31.36

40.94.30.223

40.94.30.203

95.211.36.179

64.233.172.102

153.246.206.71

198.167.193.35

90.187.12.209

37.49.116.179

52.167.22.240

160.177.96.15

185.123.143.220

167.99.172.253

40.94.36.81

86.107.21.203

24.37.31.38

71.19.154.84

192.160.102.170

216.251.130.74

49.44.76.43

109.147.65.157

86.217.130.91

178.174.15.54

86.242.244.97

92.46.70.105

81.201.234.26

78.94.217.60

141.226.236.91

95.26.228.102

89.208.29.3

213.33.190.205

213.33.190.121

5.154.174.45

23.154.177.3

195.65.152.138

93.231.174.227

185.220.101.132

54.36.101.21

72.12.194.91

46.14.116.174

141.19.232.57

185.220.101.149

45.74.46.69

157.230.210.133

82.199.130.36

104.237.193.28

187.46.138.56

195.164.49.162

156.146.49.135

195.164.49.191

79.104.209.54

35.245.134.90

20.52.139.186

189.139.144.151

94.31.102.187

39.43.45.71

107.189.10.143

39.43.123.57

106.75.76.179

194.186.142.131

210.22.129.194

45.130.83.77

154.6.16.175

162.247.73.192

107.189.1.160

185.107.47.215

46.166.139.111

185.56.80.65

185.220.100.245

209.141.59.180

77.247.181.163

185.220.101.137

185.220.100.242

104.244.76.13

185.83.214.69

185.220.100.252

185.112.146.73

185.57.82.28

89.187.171.116

66.220.242.222

39.43.72.17

5.171.90.80

185.152.32.77

23.129.64.157

92.151.9.187

106.75.31.237

122.167.79.251

109.70.100.33

199.249.230.154

64.233.172.108

64.233.172.106

64.233.172.104

77.247.181.165

107.189.12.240

79.142.76.203

193.128.114.34

185.92.26.59

185.65.210.119

70.39.159.79

70.39.159.29

151.48.26.15

151.48.26.15

2.228.159.178

188.174.248.154

188.174.248.154

95.90.198.182

95.90.198.182

193.0.200.36

193.0.200.36

151.127.13.232

89.97.249.158

212.115.152.225

185.217.117.179

199.249.230.164

80.233.134.134

109.74.154.92

65.39.88.250

90.84.192.187

37.70.202.24

85.203.45.30

109.190.93.219

151.8.114.194

176.235.38.106

149.56.99.85

138.128.136.169

213.82.23.224

192.42.123.107

128.90.151.188

162.245.206.249

85.203.45.40

95.211.95.242

185.220.102.251

66.203.112.160

193.128.108.246

193.128.108.242

31.204.150.74

34.141.245.25

122.167.85.191

212.6.86.133

171.25.193.25

149.3.170.147

162.247.74.217

109.70.100.34

89.208.29.5

79.104.209.91

79.104.209.157

194.186.142.205

198.167.217.20

198.167.193.112

204.101.161.31

198.167.219.82

195.74.76.222

87.118.110.27

185.247.225.43

193.128.108.250

188.212.135.7

106.75.75.245

86.142.177.106

185.192.69.77

198.167.209.37

59.144.163.235

193.128.108.243

31.204.152.150

87.166.49.39

82.127.202.176

58.40.175.6

92.222.212.17

88.123.105.51

45.114.130.4

216.251.130.75

187.22.129.46

187.22.129.46

45.153.160.129

80.155.50.158

80.155.50.158

212.234.209.161

213.9.159.210

88.149.207.35

88.149.207.35

88.149.207.35

37.159.148.162

151.8.6.86

91.62.233.251

109.3.219.42

109.3.219.42

109.3.219.42

196.23.168.132

192.87.28.103

207.244.70.35

79.104.209.172

89.208.29.6

195.239.51.18

79.104.209.52

194.154.78.73

185.220.102.240

109.70.100.27

208.68.5.17

185.191.124.143

45.153.160.130

163.172.213.212

193.128.108.245

51.83.131.42

109.62.69.3

109.62.69.3

147.135.68.11

209.58.188.133

193.128.108.253

94.242.243.171

185.183.106.148

185.220.102.248

109.70.100.20

37.58.58.249

69.167.10.41

109.62.69.2

45.141.56.7

104.244.74.55

193.128.108.247

185.31.175.243

45.61.185.125

185.57.82.27

122.182.203.3

82.221.105.78

37.187.196.70

45.153.160.138

89.163.252.12

193.128.108.252

198.167.199.100

198.167.199.106

70.39.116.252

193.128.108.248

188.43.68.132

79.104.209.46

213.33.190.122

95.25.38.53

80.255.7.72

212.119.227.132

212.119.227.169

194.186.142.52

38.132.118.67

37.120.143.139

193.128.108.249

66.249.88.48

66.249.88.50

66.249.88.46

104.244.74.28

198.96.155.3

205.185.124.200

109.70.100.36

193.189.100.202

185.31.175.215

84.147.60.16

45.242.1.134

5.22.190.138

84.147.62.235

89.208.29.7

194.154.78.130

106.75.66.75

185.217.1.11

103.254.153.204

198.167.201.23

185.31.175.231

23.184.48.9

18.27.197.252

107.189.11.153

128.199.56.132

104.248.166.43

192.145.127.221

185.100.87.202

94.46.179.80

206.189.205.251

178.255.172.194

84.221.205.40

155.138.242.103

178.212.98.156

85.65.32.191

31.167.184.201

88.242.66.45

36.65.102.42

203.213.127.79

85.75.110.214

93.78.214.187

204.152.81.185

183.171.72.218

168.194.101.130

87.104.3.136

92.211.196.33

197.92.140.125

207.244.91.171

49.230.88.160

196.74.16.153

91.149.252.75

91.149.252.88

92.206.15.202

82.21.114.63

92.211.109.152

178.0.250.168

178.203.145.135

85.210.36.4

199.83.207.72

86.132.134.203

88.69.16.230

99.247.129.88

37.201.195.12

87.140.192.0

88.152.185.188

87.156.177.91

99.229.57.160

95.223.77.160

88.130.54.214

99.234.62.23

2.206.105.223

94.134.179.130

84.221.255.199

84.222.8.201

89.183.239.142

87.158.21.26

93.206.148.216

5.146.132.101

77.7.60.154

95.223.75.85

162.254.173.187

50.99.254.163

45.41.106.122

99.237.13.3

45.74.72.13

108.171.64.202

74.58.152.123

216.209.253.121

88.87.68.197

211.107.25.121

109.70.100.25

185.67.82.114

207.102.138.19

204.101.161.14

193.128.108.251

111.7.100.17

111.7.100.16

74.125.210.62

74.125.210.36

104.244.74.57

185.220.101.145

185.220.101.144

185.220.101.18

185.220.100.246

185.220.101.228

185.220.100.243

185.220.101.229

185.220.101.147

185.220.102.250

185.220.100.241

199.195.251.84

213.164.204.94

74.125.213.7

74.125.213.9

177.38.183.13

185.220.100.249

85.55.1.73

85.55.1.73

37.71.173.58

82.65.34.224

93.2.220.100

188.10.191.109

24.100.23.115

81.36.17.247

90.161.75.4

213.194.157.212

117.211.140.154

Signatures

SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
downloader squirrelwaffle

Squirrelwaffle payload 1 IoCs

resource	yara_rule
behavioral1/memory/1032-57-0x0000000074C10000-0x0000000074C9A000-memory.dmp	squirrelwaffle

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1032	rundll32.exe
5	1032	rundll32.exe
7	1032	rundll32.exe
9	1032	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28
PID 1972 wrote to memory of 1032	1972	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\167c4cd037260192c03ef9ae848c419b9d3286c268816d694ffc91f7ce380641.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\167c4cd037260192c03ef9ae848c419b9d3286c268816d694ffc91f7ce380641.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1032-56-0x00000000021E0000-0x00000000021EE000-memory.dmp

Filesize
56KB

Download
memory/1032-57-0x0000000074C10000-0x0000000074C9A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing