ffdroider | 560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f

General

Target

560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe
Size

488KB
MD5

e5770e11e313cb8802bbf0e001f49ee9
SHA1

94f88a6d416036a4d2cb155774ec0c1f70473a02
SHA256

560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f
SHA512

a766e7863c09a145259c17e7d9c6f3065567ba96e9c527ffb9fb23bd7b216f6c537b81a678cc14877ccfee6279fd4055adce1f9fe8ff9e7207ac4dd05bd75cd1
SSDEEP

12288:Ivp+HbZN4SZaOdRrtr/5C4THvWDzVlJCSk6w:6puZPZaOdRrpCD5mSvw

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

C2

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3340	560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe
Token: SeManageVolumePrivilege	3340	560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe
Token: SeManageVolumePrivilege	3340	560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe

C:\Users\Admin\AppData\Local\Temp\560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe
"C:\Users\Admin\AppData\Local\Temp\560d1fe318e00059a8b9b0c71f7b728e750af8e375c9de6e4239bc7f5066180f.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3340-130-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3340-131-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3340-132-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/3340-138-0x0000000003800000-0x0000000003810000-memory.dmp

Filesize
64KB

Download
memory/3340-144-0x00000000042D0000-0x00000000042D8000-memory.dmp

Filesize
32KB

Download
memory/3340-145-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/3340-146-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/3340-147-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/3340-148-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/3340-149-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/3340-150-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/3340-151-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/3340-152-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/3340-153-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/3340-154-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/3340-155-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/3340-156-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/3340-157-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/3340-184-0x00000000044A0000-0x00000000044A8000-memory.dmp

Filesize
32KB

Download
memory/3340-185-0x00000000044B0000-0x00000000044B8000-memory.dmp

Filesize
32KB

Download
memory/3340-187-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/3340-218-0x0000000004280000-0x0000000004288000-memory.dmp

Filesize
32KB

Download
memory/3340-219-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/3340-239-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing