Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
submitted
09-09-2022 09:46
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
windows7-x64
6 signatures
150 seconds
General
-
Target
file.exe
-
Size
3.8MB
-
MD5
31602ebe5470cf625f5d0888fbd9918c
-
SHA1
361e0bc1d515b4d5edf17339cd4e866e004b6a98
-
SHA256
d1260997bc5cd00b88b61cb7adddae0768a3af22fa53e365a78bd528537f2b74
-
SHA512
4c6a99d8413577e0705a9919bb51780f4395c025e20e97d7d7e92201825c2356d3e4d34840090eb052670b973eaa6c37d0a3294d339023d4e08ac3b86ccfca17
-
SSDEEP
98304:oD9UShZa98B/bLlcHv3s/H9dAtdiplNRH6u7EKuJtbdOCdLewkb2a13QSH:oGShjNlw30fG2N55v
Score
10/10
Malware Config
Extracted
Family
ffdroider
C2
http://103.136.42.153
Signatures
-
FFDroider payload 7 IoCs
resource yara_rule behavioral1/memory/1292-55-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider behavioral1/memory/1292-56-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider behavioral1/memory/1292-57-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider behavioral1/memory/1292-58-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider behavioral1/memory/1292-60-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider behavioral1/memory/1292-61-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider behavioral1/memory/1292-74-0x0000000000400000-0x00000000009F6000-memory.dmp family_ffdroider -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe" file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1292 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 1292 file.exe