ffdroider | d1260997bc5cd00b88b61cb7adddae0768a3af22fa53e365a78bd528537f2b74

General

Target

file.exe
Size

3.8MB
MD5

31602ebe5470cf625f5d0888fbd9918c
SHA1

361e0bc1d515b4d5edf17339cd4e866e004b6a98
SHA256

d1260997bc5cd00b88b61cb7adddae0768a3af22fa53e365a78bd528537f2b74
SHA512

4c6a99d8413577e0705a9919bb51780f4395c025e20e97d7d7e92201825c2356d3e4d34840090eb052670b973eaa6c37d0a3294d339023d4e08ac3b86ccfca17
SSDEEP

98304:oD9UShZa98B/bLlcHv3s/H9dAtdiplNRH6u7EKuJtbdOCdLewkb2a13QSH:oGShjNlw30fG2N55v

Score

10^/10

ffdroider persistence spyware stealer

Malware Config

Extracted

Family

ffdroider

C2

http://103.136.42.153

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1292-55-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider
behavioral1/memory/1292-56-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider
behavioral1/memory/1292-57-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider
behavioral1/memory/1292-58-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider
behavioral1/memory/1292-60-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider
behavioral1/memory/1292-61-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider
behavioral1/memory/1292-74-0x0000000000400000-0x00000000009F6000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

file.exe

pid process

1292 file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeManageVolumePrivilege 1292 file.exe

pid	process
1292	file.exe

description	pid	process
Token: SeManageVolumePrivilege	1292	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-55-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download
memory/1292-56-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download
memory/1292-57-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download
memory/1292-58-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download
memory/1292-60-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download
memory/1292-61-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download
memory/1292-62-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/1292-68-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/1292-74-0x0000000000400000-0x00000000009F6000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing