The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”

Just Squirrel with waffle

The dropper

Dropper PEStudio
Dropper export functions

Unpacking mechanism

  1. Call to ebx+2113E4 - which is the call to VirtualAlloc
  2. rep movsb -which will write shellcode to the newly allocated memory
  3. jmp eax - execute the shellcode instructions
Dropper shellcode execution
  1. Click “execute til return” + “step over”
  2. Go to the EAX register and click “follow in dump”
  3. Set a write hardware breakpoint on the first bytes of the newly allocated memory buffer.
Unpacking the dropper
Unpacking the dropper
Dropper unpacking
APLIB indication
  1. Remove the write hardware breakpoint from the buffer
  2. Set a new Access hardware breakpoint on the first bytes of the APLIB header.
  3. Click Run
Unpacking the dropper
  1. It will get bytes from the beginning of the APLIB content, manipulate them, and will store them in the ESI register.
  2. It will copy the decoded content at offset 7040, the offset where the content will be written will be stored in the EDI register.
Unpacking the dropper
Unpacking the dropper
Dropper crypter unpacking


SquirrelWaffle in PEStudio
SquirrelWaffle export and DLL name
Core function begins with getting environment variables

First way

Executing the DLL using Rundll32

Second way

  1. we’ll first go to the DllEntryPoint
  2. We already know from the first glance of static investigation that the ldr function should start with getenv() function that searched the APPDATA and TEMP environment variables.
  3. Because the APPDATA and TEMP strings are hardcoded in the malware we’ll search for their location.
  4. we’ll direct our malware execution flow to go directly to the location of the function that the APPDATA and TEMP are found.

Getting the location of the APPDATA & TEMP function

  1. Right click
  2. Search for
  3. Current region
  4. String references
Getting the string references
Hardcoded strings
Begining of core function

Changing the malware execution flow

  1. Right click on the first function line of code
  2. Copy
  3. Address
Getting the address of the core function
  1. Right-click on the EIP register
  2. Modify value
  3. In the Expression box, paste the address you copied.
  4. Click OK
Changing the EIP
Execution flow now at the start of the core function

Core function

Observable functions

Getting environment variables
Getting the machine name
Getting the user name
Getting info on workstation’s configuration

Maintenance functions

  1. gets the pointer of environment variable stored in v0
  2. gets the environment variable length
  3. copy the data into v180
sub_10006A20 Copy from v0 to v180
  1. The first two iterations will copy the environment variables as mentioned.
  2. The third iteration will copy a large chunk of code “unk_100A5D8” which be later discovered as the malware’s config.
  3. The fourth iteration will copy a hardcoded string which will take part in the config decryption part.
sub_10006A20 usages
sub_100019B0 deals with config decryption

Observing the config decryption

memcpy writing the IP adress
Before executing 724D7840
After executing 724D7840
  1. Right-click on the pointer
  2. Follow DWORD in Dump
  3. Select your preferable dump
Following in the pointer dump
IP addresses array
Breaking after the config decryption loop ends
After sub_100019B0 ends, the EAX register holds the config

Network function

Network function
  1. sub_10006A20 receive embedded hardcoded content and copy it to he memory.
  2. Another sub_10006A20 function recieve long hardcoded string.
  3. sub_100058F0 take the copied content and assign it
  4. sub_100019B0 take the pointer of the obfuscated content, and the hardcoded string as an arguments.
sub_100019B0 in the Network Function
Returned list of C2 domains
SquirrelWaffle communication functions

Final payload

Indication of .txt extension


  1. SquirrelWaffle dropper and how to unpack it
  2. SquirrelWaffle core function
  3. SquirrelWaffle network capabilities as a downloader
  4. How to observe the SquirrelWaffle list of C2 domains and IP addresses

Conclusion and thoughts





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store