Symbol: win.squirrelwaffle

Squirrelwaffle


Malpedia has no curated description for this family yet. Going only by the titles of the references below (September–October 2021), Squirrelwaffle is a Windows malware loader that arrives via malicious Office documents (maldocs), is wrapped in a custom packer, and is used to deploy Cobalt Strike — and, in at least one reported campaign, QakBot.

References
2021-10-08 · 0ffset Blog · Chuong Dong
@online{dong:20211008:squirrelwaffle:4549cd1, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing The Main Loader}}, date = {2021-10-08}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle
2021-10-07 · Netskope · Gustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-10-03 · Github (0xjxd) · Joel Dönne
@techreport{dnne:20211003:squirrelwaffle:3a35566, author = {Joel Dönne}, title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}}, date = {2021-10-03}, institution = {Github (0xjxd)}, url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf}, language = {English}, urldate = {2021-10-07} } SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-10-01 · 0ffset Blog · Chuong Dong
@online{dong:20211001:squirrelwaffle:24c9b06, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}}, date = {2021-10-01}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle
2021-09-28 · Twitter (@Max_Mal_) · Max Malyutin
@online{malyutin:20210928:how:139921e, author = {Max Malyutin}, title = {{Tweet on how to debug SquirrelWaffle}}, date = {2021-09-28}, organization = {Twitter (@Max_Mal_)}, url = {https://twitter.com/Max_Mal_/status/1442496131410190339}, language = {English}, urldate = {2021-09-28} } Tweet on how to debug SquirrelWaffle
Squirrelwaffle
2021-09-28 · Zscaler · Avinash Kumar, Brett Stone-Gross
@online{kumar:20210928:squirrelwaffle:9b1cffc, author = {Avinash Kumar and Brett Stone-Gross}, title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}}, date = {2021-09-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike}, language = {English}, urldate = {2021-10-11} } Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-27 · Cynet · Max Malyutin
@online{malyutin:20210927:virtual:cd72501, author = {Max Malyutin}, title = {{A Virtual Baffle to Battle Squirrelwaffle}}, date = {2021-09-27}, organization = {Cynet}, url = {https://www.cynet.com/understanding-squirrelwaffle/}, language = {English}, urldate = {2021-09-28} } A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle
2021-09-27 · Youtube (OALabs) · Sergei Frankoff
@online{frankoff:20210927:live:83ccb1f, author = {Sergei Frankoff}, title = {{Live Coding A Squirrelwaffle Malware Config Extractor}}, date = {2021-09-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=9X2P7aFKSw0}, language = {English}, urldate = {2021-10-05} } Live Coding A Squirrelwaffle Malware Config Extractor
Squirrelwaffle
2021-09-21 · Medium elis531989 · Eli Salem
@online{salem:20210921:squirrel:1254a9d, author = {Eli Salem}, title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}}, date = {2021-09-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9}, language = {English}, urldate = {2021-09-22} } The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-18 · Security Soup Blog · Ryan Campbell
@online{campbell:20210918:squirrelwaffle:5790d40, author = {Ryan Campbell}, title = {{“Squirrelwaffle” Maldoc Analysis}}, date = {2021-09-18}, organization = {Security Soup Blog}, url = {https://security-soup.net/squirrelwaffle-maldoc-analysis/}, language = {English}, urldate = {2021-09-20} } “Squirrelwaffle” Maldoc Analysis
Squirrelwaffle
2021-09-17 · Malware Traffic Analysis · Brad Duncan
@online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
Yara Rules
[TLP:WHITE] win_squirrelwaffle_auto (20211008 | Detects win.squirrelwaffle.)
/*
 * Review notes (added on top of the generated rule; the rule body is unchanged):
 *  - Every string below is a raw 32-bit x86 instruction byte sequence selected
 *    from unpacked code / memory dumps (see the DISCLAIMER inside the rule).
 *    It is therefore unlikely to match the packed on-disk loader or the maldoc
 *    stage; run it against unpacked samples or process memory.
 *  - The "????????" wildcards mask 4-byte operands (rel32 call targets,
 *    absolute addresses, push imm32), so those strings do not depend on the
 *    sample's load address or link layout.
 *  - A few sequences look like compiler/CRT boilerplate rather than
 *    family-specific logic (flagged per string, to be confirmed). If false
 *    positives show up, prefer raising the "7 of them" threshold or dropping
 *    those strings over relaxing the size cap.
 */
rule win_squirrelwaffle_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.squirrelwaffle."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Back-edge of a loop (jne with a negative rel8) that stores its result
        // into a large stack frame (ebp - 0x898).
        $sequence_0 = { 8bc2 898568f7ffff 85c0 75d1 8d45ed }
            // n = 5, score = 400
            //   8bc2                 | mov                 eax, edx
            //   898568f7ffff         | mov                 dword ptr [ebp - 0x898], eax
            //   85c0                 | test                eax, eax
            //   75d1                 | jne                 0xffffffd3
            //   8d45ed               | lea                 eax, dword ptr [ebp - 0x13]

        // Writes two adjacent dword fields at [esi+0x40]/[esi+0x44]; the second
        // value is loaded from an absolute address (a1 ????????, wildcarded).
        $sequence_1 = { 8bce 894640 a1???????? 894644 8d45dc }
            // n = 5, score = 400
            //   8bce                 | mov                 ecx, esi
            //   894640               | mov                 dword ptr [esi + 0x40], eax
            //   a1????????           |                     
            //   894644               | mov                 dword ptr [esi + 0x44], eax
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]

        // cdecl cleanup of three arguments (add esp, 0xc) followed by a byte
        // store at [esi+4] and a forward jump; same large stack frame as above.
        $sequence_2 = { 83c40c c6460400 8d85c8f6ffff eb1a }
            // n = 4, score = 400
            //   83c40c               | add                 esp, 0xc
            //   c6460400             | mov                 byte ptr [esi + 4], 0
            //   8d85c8f6ffff         | lea                 eax, dword ptr [ebp - 0x938]
            //   eb1a                 | jmp                 0x1c

        // Spills a byte to [ebp-0x880], then pushes that same byte as an
        // argument to a wildcarded call (e8 ????????).
        $sequence_3 = { 888d80f7ffff 8d8d38f9ffff ffb580f7ffff e8???????? }
            // n = 4, score = 400
            //   888d80f7ffff         | mov                 byte ptr [ebp - 0x880], cl
            //   8d8d38f9ffff         | lea                 ecx, dword ptr [ebp - 0x6c8]
            //   ffb580f7ffff         | push                dword ptr [ebp - 0x880]
            //   e8????????           |                     

        // Unsigned bound check (eax > 0x1f bails out via ja) guarding a
        // two-argument cdecl call.
        $sequence_4 = { 83f81f 777f 51 56 e8???????? 83c408 }
            // n = 6, score = 400
            //   83f81f               | cmp                 eax, 0x1f
            //   777f                 | ja                  0x81
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        // Pushes two wildcarded imm32 values plus 0x14 and 0x18, then writes
        // `mov byte ptr [ebp-4], 6`. NOTE(review): the [ebp-4] byte store looks
        // like MSVC C++ exception-handling state bookkeeping, i.e. compiler
        // boilerplate rather than family logic — confirm before weighting it.
        $sequence_5 = { e8???????? 68???????? 68???????? 6a14 6a18 8d8518faffff c645fc06 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   68????????           |                     
            //   68????????           |                     
            //   6a14                 | push                0x14
            //   6a18                 | push                0x18
            //   8d8518faffff         | lea                 eax, dword ptr [ebp - 0x5e8]
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6

        // NOTE(review): size = 0 at +0x10, capacity = 0xf at +0x14 and a NUL at
        // +0 is consistent with MSVC std::string default construction (SSO
        // buffer). If so, this string is library code shared by many C++
        // binaries and contributes little family specificity — confirm.
        $sequence_6 = { c7431000000000 c743140f000000 68???????? c60300 }
            // n = 4, score = 400
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   c743140f000000       | mov                 dword ptr [ebx + 0x14], 0xf
            //   68????????           |                     
            //   c60300               | mov                 byte ptr [ebx], 0

        // Takes the unsigned minimum of eax and edx (cmp + cmovbe), passes it
        // to a one-argument cdecl call, and branches on a zero/NULL result.
        $sequence_7 = { 3bc1 0f46c2 50 e8???????? 83c404 85c0 0f848c000000 }
            // n = 7, score = 400
            //   3bc1                 | cmp                 eax, ecx
            //   0f46c2               | cmovbe              eax, edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f848c000000         | je                  0x92

        // Two short branches that each store a length-like value into
        // [ebp-4] (eax - edi on one path, ecx on the other), then push edx + 1.
        $sequence_8 = { eb0a 2bc7 8945fc eb03 894dfc 8d4201 50 }
            // n = 7, score = 400
            //   eb0a                 | jmp                 0xc
            //   2bc7                 | sub                 eax, edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   eb03                 | jmp                 5
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8d4201               | lea                 eax, dword ptr [edx + 1]
            //   50                   | push                eax

        // Sets bit 1 of a flags argument, then a three-argument call through
        // an absolute pointer (ff15 ????????, typically an import-table slot)
        // whose return value is kept in ebx and tested.
        $sequence_9 = { 83c802 50 51 ff15???????? 8bd8 83c40c 85db }
            // n = 7, score = 400
            //   83c802               | or                  eax, 2
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c40c               | add                 esp, 0xc
            //   85db                 | test                ebx, ebx

    condition:
        // Any 7 of the 10 sequences, capped at 147456 bytes (0x24000, 144 KiB)
        // to limit the scan to loader-sized objects.
        // NOTE(review): per the YARA documentation `filesize` is undefined when
        // scanning a running process, and an undefined operand appears to make
        // the conjunction evaluate false; for process-memory scans consider a
        // variant without the size clause — confirm with the YARA version in use.
        7 of them and filesize < 147456
}