ffdroider | 72073e22e81da454b5ec4028c5ed91e31dd1874b1479d105582a08b1f3b1ee69

Analysis

max time kernel
473s
max time network
478s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md9_1sjm.exe
Size

2.1MB
MD5

3b3d48102a0d45a941f98d8aabe2dc43
SHA1

0dae4fd9d74f24452b2544e0f166bf7db2365240
SHA256

f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0
SHA512

65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8
SSDEEP

49152:wjs8vwLUm1R8Bjiu3bzz23YrpujbsTSB6/6Pp372TMZY:wo8vW1R8Bh3bu3GaBg6ZRY

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 1 IoCs

resource	yara_rule
behavioral9/memory/552-638-0x0000000000C10000-0x00000000011BC000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	552	md9_1sjm.exe
Token: SeManageVolumePrivilege	552	md9_1sjm.exe
Token: SeManageVolumePrivilege	552	md9_1sjm.exe
Token: SeManageVolumePrivilege	552	md9_1sjm.exe
Token: SeManageVolumePrivilege	552	md9_1sjm.exe

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
d646f19428d3892f225c443962fc2b27

SHA1
35ee0951861fc9e691c7ca8a3e222ea619c41f35

SHA256
538bb25341d6fd59b63c7954e5fc94220ca6ae12c4ec534af3e8f8a8ce92a618

SHA512
5f076dbc886232392a469ce094a65881498fd887525612538bae959586041e2fd3790dd8b349d65482d35e878f9939f0118ba6b6dba6d4cfc75cf524b2a3a749

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
56KB

MD5
a8ad20a7dcc7f63650c588d22b52242e

SHA1
b022ad4a46cd2390ea58f83c1f4d063b4563a178

SHA256
cf189df3469e89e6bc8c7ac206cbe93575ec27a9fc01d547879c6574c26cb7a8

SHA512
3bb51a8767a63981f04b8ffa58b6397e44cb40ba4aec5869cc79cf4400f3d155184e578db2fe78eb9899daf7d80d9e0d526a0dab3aae2030196c3e4a92199475

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6d7aece69304290f2dfbd41964e797fc

SHA1
3d0ec6407a26b6e625d7bdfc53236a43af45ceb7

SHA256
3c76da12d1655dfe8b39e27e02bcf1ace1aec95440b3625b5e7643291f556af3

SHA512
3a5278e112b788b7b4c666f5198b7b96d5b7db098ae1ec63ea4bdd77ea97170e57a776f6795cc67c9b5ec1a1fabf0b30cca2c4b04190b11fd3253776d2b42ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d174e44bef6903b1d6e7b954161bb652

SHA1
4cd247c29e3cffe7fef877085f3d0869cd962421

SHA256
0c41330e1674e1c94d466cef7b00886a54d670da841042387780c75851437fbf

SHA512
5992e4443f7eabc5f0b7378b4355a3e1e50507bfc159f8e2afa34e6a644de0235d9594927f1f14e7d27ffc404c05d24c3f8dd64c0ded0b00532dceb1dc1e5e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3c0aa60122cf18e047e26e311b810f0a

SHA1
3fb47192cbb291d2999a43fd0428817faa6fee5a

SHA256
699f5cb480fdab6cc4d793ee2ef4c14a0e1d29a70b249673b9c0a5a8bff3e864

SHA512
53ca269062d48fe60b45d949d442bb07d168508538086955dfcfd78ddf2a31a010f30d234b3690c14f8fd76edc186bcdc42ef59ccbeef3c57c45c277c81fe990

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b61ab92201bb3055998bb309727a79c7

SHA1
99329f8f89e16e6159902564b12dc8f636e52bb8

SHA256
58953a590131fd73f74e072d95e0ea1fec1f1897ab348fbd19327957a2a09dab

SHA512
abd6f8556ccdebfbb348329656a6234952129a4231b571e0c086f77af69b0c2f6534f5e3a6401555a145a2aa5cf290eab37ef8e06c85644e40b60f3a4ef0224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3ee85af74b1b4f4b56c94425423ef2b8

SHA1
f491504e26bbc7d9cb718eb450608a74266bc70f

SHA256
5e309d30f623705fe0fc9e791b4d43826f993ac3c1037c038cefb9c76133fd9a

SHA512
067015aebb9a54f6e27d7ec46db9a719746d818d4131e783184c0dfe341b7216115d3e2ffee500484fc0457854d5575d00e587ee32fed540644641a2cf0de2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c3bd9f04fd3c0183ebd5a6c199636689

SHA1
869bf4c85d4d5ac676e42982b5773012fa4196c9

SHA256
1b94a74699bd1444feceb8a295056377433a4e9d4140859afc3a75b7b46115b4

SHA512
3370131e07a4a07f95ec9040233a913dc048254b7762c99c7b433272246c4421334a996df26a1cb07e9f44addd6b61a5aad45e2d98191b52fbe5a619768d12d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4c02766ac9bb70eeb130d1c43bb8a0d6

SHA1
fe81a60c9bb82c5b3d550e46c167bd37bae5f097

SHA256
fb010bf4b8bed291d8a59dabe17ed02fff2f37ee4648ffe2ecc25d6fae5bc285

SHA512
649213dd92d2de108b1e44ccc03425d7ea49dbce0d8494ab2c98fd8029c5bedc003133f45720bcf699712f96ec240fccca5fa149fbb99f6ab20bc141a77cfc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ce2d9a6a4332de65143a91e883b1ff83

SHA1
f933b5b35c68899bb6c4d325a88017ecead9aef0

SHA256
b18c71df5cff6e669a5808156c10eec684172f3e5531c22d861bfecff9a37742

SHA512
b543e699a01aa382ba5e4347edbb4aa47c7f310fdf9be217d1ca0760a14ec3bc2793dfadc4448aa6ac88b37d699d1e498d97f292afff91860662d752f20a8455

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
994615df032a20b1e2a7b618ae915909

SHA1
ce0d69725df9abe5711346804d9d772f0bc59b04

SHA256
1b15f2d6a1d98b94da095f8573397b282974509164fddefb17a885ecb16adbd4

SHA512
b61b74e3d870ea692d2497e002eb5bdd1484ddd331bc6bc916b246060a571ed8c09fcd8ea6aca9391f3cfec8f891a2f7fde0e975523fd2bd9a165f01aa63cce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e5d7f4e99f739627a34a77337b639251

SHA1
f58b93dd544d243da459b7b5b0e1523c8f934e29

SHA256
16c27a4b0a6594780226052d280e4a6a2cdfc14778319d5e8082399e9ca9d71d

SHA512
e948b84f66346228365dc626cbf28bc71a80e0dfb4ccd04a75246e663270721791a0a0f1573f1626a68ccf1195bb0a85b1f0254fdd96617c134083991355aaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d23202c4b249ccadf6453081025a17fd

SHA1
2ac598bc97448244c1cb0c3c73e04bfb785fc1ca

SHA256
970511af4c2a3c40f4abca2c4730fd345f9569f8ca037625f8a0a6e0d08f439f

SHA512
43b4ad27bcd983b4f956e3139a2312a2b620ca63788241a2a195fb9b4e416e1dacd4bd4c6f4b74546321333f48d56802b83b8f2c636465c27e2a6b9f05b4763f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
732aea4afc47e687a1b941f3ac15a1b2

SHA1
1c4fa8cabb0badbfb7e7c3f89a952c78f7eb385a

SHA256
f23af8ea42e44cd3d6c17112aa4792a31794f2f366423d60be2c858062559afe

SHA512
479fea3c12eee2dc3a31fe692cd2e6fdd7bf00cc80c0421902f849b988837895a232df8b4e9064f40b57b73f9579399cf43de038b8a1792539acf08a9e28843c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
91acd9ace1c38700ceadd29119362a50

SHA1
51992686318c4c18528ea38060bf743d241ee5a8

SHA256
e26d0309535e4248fe5c05207d9f09d26346eacfc9a5b1f3942927a7ad85edb2

SHA512
f452a0fca9b88d3fdf617416278d8d5b901942a8cd5306c17617e25981bce8d19c4c837697c8f86c2f56ead4e5ec4089090172479c62ff1f0ccbc88a38d88354

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4bef2888ce5a6a7bcf251865d49b908a

SHA1
e392a6f1005c64abef395abb68a1e7420ad84988

SHA256
2f016709a863aa05a40edec4f7ca99eabfb7a3cd48983a1a7eb4bda575159d86

SHA512
ab17928ef597b34001c6867be60304a2ad21a625b51499b7813e310628f416c59fcfb39772b8a29c88e78b2b97104380e9dfccbe60b3a533e76ca48ef92816be

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7554df89b452d6bc6164d50c28600d0b

SHA1
4d8837f4ae1b76f3a46c8906942272a912937a98

SHA256
4c320f80bc283d39de05b0feff698e31a44a48f09dcdb31b71a77ad232f2c20d

SHA512
40a4d5d2b1721e96d99ce80a50a31ca5e6ab6603ac543cab9b15b8317e849e4ec21fb1adb7b4ea9a4772e992ba3a4755e350863eecfbf4cc13e1c433f1fda7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6760672bfd048cb32b2e0e21576284d3

SHA1
7452678a5dc14e43446625c53292fbf2a965081a

SHA256
d4ed4579b38db84a9419d67d2dd0fd1ddd063baefa07a86bd5aad8f8de165923

SHA512
8b1e068ce6f21b84e56e7d549183528d0c82118069f2658168aedc9756fc33aec10ca5f70114bc4b3a2a7a091e369a0fb5212216292ade9bfb45f63cdb05d782

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2ed3a34757efd7658eaf641215a1c3d6

SHA1
d50c9d9c16a06db24ea0eae24dadac13a42eb519

SHA256
00db6bb530da76f923d53043d95a1f439b41392aa75c26350d761b0651a83ebd

SHA512
cd42337bd45dd7095c2fcf60a406137a2126a85a0bb56d20d9c124cb1f5ac118caddebef1ef40fa867c2418d32a55fbaa194d61fb08a9308019e70fae1697f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f429313efaa2179d4d3defc90671f5d4

SHA1
4a27b5db533104684099edb9f988c34cd24e7806

SHA256
d291eaa41521c19b3fe18310020a4ad3ed9db44388990fb466ecee88e7759374

SHA512
bcc73e84110183085990b6fff7c2f98f791f7857c4b881e303fb99a815e9899a3158495be2fe58c4d361af1ffa4de7cc6f780d712399d6407e68bc969c4b342b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c28cc38c74ee38fff36da610b4c4d0ac

SHA1
81e09bce88280b5e4f69b0ed043f8ee7251eb688

SHA256
3bb41c6d16007a6c82d5987bf32ef8ea4f02dce03ca954a5b95c5359e84478ee

SHA512
d17890fdc9bc2c609eef36dc1bd2baf6b4283077e4f97d232d9d91e8b75e72db01c7a2cf29d78419ade4145691c3d5761db4bc28223620e34e3887654fefc17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a72b596a8674070e377e3d42861ec700

SHA1
c5937f7c577384f59170c993105e839729492996

SHA256
42a85c9598e3428736e95e7c3b4c5b67a6bdb48faa893ae390142de05739fa7c

SHA512
94b289781481e634d257a3e47e9375a7c0b5d2e8478979747db7eace54cde34ab77a1651d14d9f749ebb645e66c63e97bbebd6a4c7c07cb72c9d8571b5c7ea3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4eb145d809cab64e84afd4703d79c53a

SHA1
43d10c7b0480e2d1bed92c10452f2e00155e8357

SHA256
041c629df451e97618c757de798d9f9c87e417f0e98d392ecde6aa939abdc0f1

SHA512
d6f1e4c6dfc53f0a8737eff4082d532f24f1233c63369fed6e0fcafd13c833ca0f9b52f376b1fd25c1cb07ae224b4ee1983d3b88eefba477204e6b23eac65e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dc682b1bf872a2c15faa998aa1d8ea1a

SHA1
ba528353f9c399354a805f79bfc032cdcb8a16ea

SHA256
13ac5fc78cf8a6f6f6ba2dca812264937aa9aa3e2612e0b48cbe96c776b32b86

SHA512
5aa92b0e893e2fbb59488dace8077c1710fc8153dabbb631dd5dc38a4d5b2ede30b59b84aa52375220aeb2b8384c1e50040067460b0ae139aa29fb0bd7ec6013

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
eec0b9957d63faea88dc4d73b6f94cbb

SHA1
956fa14d0e65095f517e153b0b9aa14511b371ac

SHA256
f5588c4a239fc437319621b841fe7355b7309729a92a7ff8a70f80a470a619f1

SHA512
c2d1391409decdea100c788cebc4c7a8597a03631bd3d3dfe9ae1eb93c3783a294a5f5d8b7cdf110d62e3cd399015c68bd952e245c9b6f306d7ead21ec0f3893

Download Submit
memory/552-183-0x0000000005C20000-0x0000000005C28000-memory.dmp

Filesize
32KB

Download
memory/552-198-0x0000000005A10000-0x0000000005A18000-memory.dmp

Filesize
32KB

Download
memory/552-260-0x0000000005F20000-0x0000000005F28000-memory.dmp

Filesize
32KB

Download
memory/552-261-0x00000000061C0000-0x00000000061C8000-memory.dmp

Filesize
32KB

Download
memory/552-262-0x00000000060C0000-0x00000000060C8000-memory.dmp

Filesize
32KB

Download
memory/552-263-0x0000000005F30000-0x0000000005F38000-memory.dmp

Filesize
32KB

Download
memory/552-256-0x0000000005990000-0x0000000005998000-memory.dmp

Filesize
32KB

Download
memory/552-276-0x00000000058F0000-0x00000000058F8000-memory.dmp

Filesize
32KB

Download
memory/552-248-0x00000000058F0000-0x00000000058F8000-memory.dmp

Filesize
32KB

Download
memory/552-284-0x0000000005F30000-0x0000000005F38000-memory.dmp

Filesize
32KB

Download
memory/552-286-0x0000000006060000-0x0000000006068000-memory.dmp

Filesize
32KB

Download
memory/552-247-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/552-299-0x00000000058F0000-0x00000000058F8000-memory.dmp

Filesize
32KB

Download
memory/552-208-0x0000000005C20000-0x0000000005C28000-memory.dmp

Filesize
32KB

Download
memory/552-307-0x0000000006060000-0x0000000006068000-memory.dmp

Filesize
32KB

Download
memory/552-309-0x0000000005F30000-0x0000000005F38000-memory.dmp

Filesize
32KB

Download
memory/552-206-0x0000000005D50000-0x0000000005D58000-memory.dmp

Filesize
32KB

Download
memory/552-259-0x00000000059A0000-0x00000000059A8000-memory.dmp

Filesize
32KB

Download
memory/552-185-0x0000000005D50000-0x0000000005D58000-memory.dmp

Filesize
32KB

Download
memory/552-133-0x0000000000C10000-0x00000000011BC000-memory.dmp

Filesize
5.7MB

Download
memory/552-175-0x0000000005A10000-0x0000000005A18000-memory.dmp

Filesize
32KB

Download
memory/552-162-0x0000000005C20000-0x0000000005C28000-memory.dmp

Filesize
32KB

Download
memory/552-161-0x0000000005DC0000-0x0000000005DC8000-memory.dmp

Filesize
32KB

Download
memory/552-160-0x0000000005EC0000-0x0000000005EC8000-memory.dmp

Filesize
32KB

Download
memory/552-159-0x0000000005C10000-0x0000000005C18000-memory.dmp

Filesize
32KB

Download
memory/552-158-0x0000000005BF0000-0x0000000005BF8000-memory.dmp

Filesize
32KB

Download
memory/552-155-0x0000000005AB0000-0x0000000005AB8000-memory.dmp

Filesize
32KB

Download
memory/552-153-0x0000000005A10000-0x0000000005A18000-memory.dmp

Filesize
32KB

Download
memory/552-152-0x00000000059F0000-0x00000000059F8000-memory.dmp

Filesize
32KB

Download
memory/552-145-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/552-139-0x00000000044F0000-0x0000000004500000-memory.dmp

Filesize
64KB

Download
memory/552-134-0x0000000001650000-0x0000000001653000-memory.dmp

Filesize
12KB

Download
memory/552-638-0x0000000000C10000-0x00000000011BC000-memory.dmp

Filesize
5.7MB

Download