Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/01/2025, 23:41

General

  • Target

    JaffaCakes118_412fdeeaa926ada702cd351049516139.dll

  • Size

    528KB

  • MD5

    412fdeeaa926ada702cd351049516139

  • SHA1

    717815a409b374922e7d140d97e796d5eac4732f

  • SHA256

    ab0a3f2c0b0bace7e066433d4c3e8ad1dc253bb4b394ce504e50f15f43499ac8

  • SHA512

    4503abfac1e018860f98a4e0b45d1d2d1e0650d1532bc24603c0555e2b4533fd98d2c79c0905db7d76f4bca8eadd4f3476bc696a684f62c7178e03c71d005869

  • SSDEEP

    12288:snygddonnhXo7TDSfLLeSlDH7g+BppSH9K1XB7LenS1LrumKV/8:0onhb1lDE+Bg9K99e+umKV/

Malware Config

Extracted

Family

squirrelwaffle

C2


Signatures

  • SquirrelWaffle is a simple downloader written in C++.

  • Squirrelwaffle family
  • Squirrelwaffle payload 7 IoCs
  • Blocklisted process makes network request 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_412fdeeaa926ada702cd351049516139.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_412fdeeaa926ada702cd351049516139.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3388-2-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-1-0x0000000074A42000-0x0000000074A48000-memory.dmp

    Filesize

    24KB

  • memory/3388-3-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-0-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-4-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-7-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-9-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-12-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB

  • memory/3388-15-0x00000000749C0000-0x0000000075350000-memory.dmp

    Filesize

    9.6MB