Analysis
-
max time kernel
71s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2022 18:36
Static task
static1
Behavioral task
behavioral1
Sample
md9_1sjm.exe
Resource
win7-20220715-en
windows7-x64
5 signatures
150 seconds
General
-
Target
md9_1sjm.exe
-
Size
2.1MB
-
MD5
3b3d48102a0d45a941f98d8aabe2dc43
-
SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240
-
SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0
-
SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8
Malware Config
Signatures
-
FFDroider payload 2 IoCs
resource yara_rule behavioral2/memory/4492-130-0x0000000000520000-0x0000000000ACC000-memory.dmp family_ffdroider behavioral2/memory/4492-276-0x0000000000520000-0x0000000000ACC000-memory.dmp family_ffdroider -
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeManageVolumePrivilege 4492 md9_1sjm.exe Token: SeManageVolumePrivilege 4492 md9_1sjm.exe Token: SeManageVolumePrivilege 4492 md9_1sjm.exe Token: SeManageVolumePrivilege 4492 md9_1sjm.exe Token: SeManageVolumePrivilege 4492 md9_1sjm.exe