ffdroider | fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507

General

Target

fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe
Size

789KB
MD5

b41472d8b0e9c50205e96d39e427de9e
SHA1

c16a3a63fd20c22fc8da89ab2896d76ca0e724db
SHA256

fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507
SHA512

8161e820896be2d6b63291cc4ef74879d2b5cdf87c3a202664eecfd851f279efbe4b624461470672589d082809f00864c029a0a78f2c053ca83c6d1c5e0d3d95
SSDEEP

24576:HH5+AShmB2TZ5jD382ae227uU2JNysPdV2PNa:n59amB2TXjz82aeTuDi

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

C2

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2796-132-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect
behavioral2/memory/2796-133-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect
behavioral2/memory/2796-135-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect
behavioral2/memory/2796-283-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2796	fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe
Token: SeManageVolumePrivilege	2796	fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe
Token: SeManageVolumePrivilege	2796	fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe
Token: SeManageVolumePrivilege	2796	fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe
Token: SeManageVolumePrivilege	2796	fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe

C:\Users\Admin\AppData\Local\Temp\fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe
"C:\Users\Admin\AppData\Local\Temp\fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-132-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2796-133-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2796-135-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2796-136-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2796-142-0x0000000003950000-0x0000000003960000-memory.dmp

Filesize
64KB

Download
memory/2796-148-0x0000000004400000-0x0000000004408000-memory.dmp

Filesize
32KB

Download
memory/2796-149-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/2796-150-0x00000000044C0000-0x00000000044C8000-memory.dmp

Filesize
32KB

Download
memory/2796-151-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/2796-152-0x0000000004630000-0x0000000004638000-memory.dmp

Filesize
32KB

Download
memory/2796-153-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/2796-154-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/2796-155-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/2796-156-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/2796-157-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/2796-158-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/2796-159-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/2796-160-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/2796-161-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/2796-186-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/2796-187-0x0000000004300000-0x0000000004308000-memory.dmp

Filesize
32KB

Download
memory/2796-188-0x00000000043A0000-0x00000000043A8000-memory.dmp

Filesize
32KB

Download
memory/2796-189-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/2796-190-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/2796-191-0x00000000045E0000-0x00000000045E8000-memory.dmp

Filesize
32KB

Download
memory/2796-192-0x0000000004300000-0x0000000004308000-memory.dmp

Filesize
32KB

Download
memory/2796-193-0x0000000004300000-0x0000000004308000-memory.dmp

Filesize
32KB

Download
memory/2796-218-0x0000000004100000-0x0000000004108000-memory.dmp

Filesize
32KB

Download
memory/2796-219-0x0000000004100000-0x0000000004108000-memory.dmp

Filesize
32KB

Download
memory/2796-268-0x0000000004320000-0x0000000004328000-memory.dmp

Filesize
32KB

Download
memory/2796-269-0x0000000004100000-0x0000000004108000-memory.dmp

Filesize
32KB

Download
memory/2796-283-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing