ffdroider | 94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

General

Target

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Size

1.9MB
MD5

beb93a48eefd9be5e5664754e9c6f175
SHA1

d007e52aa93034a54b2f8167e3bcdcff8a65a63d
SHA256

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474
SHA512

7b7ca6a538eed77f8a10aa9628466a2d41d3133510663d065594ee83dfec5e432d8a0bd206b7383e014f8bad282c736662d22c9b9e5705436ec235e8c384cb2a

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2348-118-0x00000000012E0000-0x000000000177A000-memory.dmp	family_ffdroider
behavioral2/memory/2348-119-0x00000000012E0000-0x000000000177A000-memory.dmp	family_ffdroider
behavioral2/memory/2348-120-0x00000000012E0000-0x000000000177A000-memory.dmp	family_ffdroider
behavioral2/memory/2348-1010-0x00000000012E0000-0x000000000177A000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

description	pid	process
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	2348	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

C:\Users\Admin\AppData\Local\Temp\94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
"C:\Users\Admin\AppData\Local\Temp\94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-118-0x00000000012E0000-0x000000000177A000-memory.dmp

Filesize
4.6MB

Download
memory/2348-119-0x00000000012E0000-0x000000000177A000-memory.dmp

Filesize
4.6MB

Download
memory/2348-120-0x00000000012E0000-0x000000000177A000-memory.dmp

Filesize
4.6MB

Download
memory/2348-121-0x0000000003E10000-0x0000000003E20000-memory.dmp

Filesize
64KB

Download
memory/2348-127-0x0000000003FB0000-0x0000000003FC0000-memory.dmp

Filesize
64KB

Download
memory/2348-133-0x0000000005150000-0x0000000005158000-memory.dmp

Filesize
32KB

Download
memory/2348-134-0x0000000005490000-0x0000000005498000-memory.dmp

Filesize
32KB

Download
memory/2348-135-0x0000000006CD0000-0x0000000006CD8000-memory.dmp

Filesize
32KB

Download
memory/2348-136-0x00000000053F0000-0x00000000053F8000-memory.dmp

Filesize
32KB

Download
memory/2348-137-0x0000000006CD0000-0x0000000006CD8000-memory.dmp

Filesize
32KB

Download
memory/2348-138-0x00000000053F0000-0x00000000053F8000-memory.dmp

Filesize
32KB

Download
memory/2348-139-0x0000000006CD0000-0x0000000006CD8000-memory.dmp

Filesize
32KB

Download
memory/2348-1010-0x00000000012E0000-0x000000000177A000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads