ffdroider | f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
18-07-2022 18:36

Target

md9_1sjm.exe
Size

2.1MB
MD5

3b3d48102a0d45a941f98d8aabe2dc43
SHA1

0dae4fd9d74f24452b2544e0f166bf7db2365240
SHA256

f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0
SHA512

65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Score

10^/10

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1480-55-0x00000000011E0000-0x000000000178C000-memory.dmp	family_ffdroider
behavioral1/memory/1480-69-0x00000000011E0000-0x000000000178C000-memory.dmp	family_ffdroider

suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

md9_1sjm.exe

description pid process

Token: SeManageVolumePrivilege 1480 md9_1sjm.exe

description	pid	process
Token: SeManageVolumePrivilege	1480	md9_1sjm.exe

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/1480-54-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1480-55-0x00000000011E0000-0x000000000178C000-memory.dmp

Filesize
5.7MB

Download
memory/1480-56-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1480-57-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/1480-63-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/1480-69-0x00000000011E0000-0x000000000178C000-memory.dmp

Filesize
5.7MB

Download