ffdroider | 94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

General

Target

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Size

1.9MB
MD5

beb93a48eefd9be5e5664754e9c6f175
SHA1

d007e52aa93034a54b2f8167e3bcdcff8a65a63d
SHA256

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474
SHA512

7b7ca6a538eed77f8a10aa9628466a2d41d3133510663d065594ee83dfec5e432d8a0bd206b7383e014f8bad282c736662d22c9b9e5705436ec235e8c384cb2a

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/804-131-0x0000000000BF0000-0x000000000108A000-memory.dmp	family_ffdroider
behavioral3/memory/804-130-0x0000000000BF0000-0x000000000108A000-memory.dmp	family_ffdroider
behavioral3/memory/804-132-0x0000000000BF0000-0x000000000108A000-memory.dmp	family_ffdroider
behavioral3/memory/804-959-0x0000000000BF0000-0x000000000108A000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

description	pid	process
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
Token: SeManageVolumePrivilege	804	94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe

C:\Users\Admin\AppData\Local\Temp\94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe
"C:\Users\Admin\AppData\Local\Temp\94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-131-0x0000000000BF0000-0x000000000108A000-memory.dmp

Filesize
4.6MB

Download
memory/804-130-0x0000000000BF0000-0x000000000108A000-memory.dmp

Filesize
4.6MB

Download
memory/804-132-0x0000000000BF0000-0x000000000108A000-memory.dmp

Filesize
4.6MB

Download
memory/804-133-0x0000000003B90000-0x0000000003BA0000-memory.dmp

Filesize
64KB

Download
memory/804-139-0x0000000003D30000-0x0000000003D40000-memory.dmp

Filesize
64KB

Download
memory/804-145-0x0000000004800000-0x0000000004808000-memory.dmp

Filesize
32KB

Download
memory/804-146-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/804-147-0x00000000048C0000-0x00000000048C8000-memory.dmp

Filesize
32KB

Download
memory/804-148-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/804-149-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/804-150-0x0000000004E10000-0x0000000004E18000-memory.dmp

Filesize
32KB

Download
memory/804-151-0x0000000004D10000-0x0000000004D18000-memory.dmp

Filesize
32KB

Download
memory/804-152-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/804-153-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/804-154-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/804-155-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

Filesize
32KB

Download
memory/804-156-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/804-157-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

Filesize
32KB

Download
memory/804-158-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/804-183-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/804-184-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/804-185-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/804-186-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/804-187-0x0000000004920000-0x0000000004928000-memory.dmp

Filesize
32KB

Download
memory/804-188-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/804-189-0x00000000049E0000-0x00000000049E8000-memory.dmp

Filesize
32KB

Download
memory/804-190-0x0000000004940000-0x0000000004948000-memory.dmp

Filesize
32KB

Download
memory/804-191-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/804-192-0x0000000004940000-0x0000000004948000-memory.dmp

Filesize
32KB

Download
memory/804-193-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/804-959-0x0000000000BF0000-0x000000000108A000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads