ffdroider | 3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9

Analysis

max time kernel
122s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe
Size

924KB
MD5

89117af172cb15304e2bd54cdb8192dd
SHA1

062b73253338e67d88abb61a3dfc6d397c4460f6
SHA256

3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9
SHA512

db8bddb0a9e9416955cbee9db9bc4f11390d5b18f3fce6bb4632edc335a89b6240d60eb5f4f0592bc87a94021b97dcdeda6710a1e7c25880683dd77f91eab8b2
SSDEEP

24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQx:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQx

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 1 IoCs

resource	yara_rule
behavioral2/memory/4676-505-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4676	3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe
Token: SeManageVolumePrivilege	4676	3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe
Token: SeManageVolumePrivilege	4676	3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe
Token: SeManageVolumePrivilege	4676	3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe
Token: SeManageVolumePrivilege	4676	3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe

C:\Users\Admin\AppData\Local\Temp\3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe
"C:\Users\Admin\AppData\Local\Temp\3e597b87ad12c56de3b3d98fd2e1c7c1c4671c343d3ed133abe256c1253633c9.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
c02c712bcc7b152db091d4f89fc0e148

SHA1
4deb660eb40ee5b73d4f7d6d444c63ba48a74c9c

SHA256
370f84dc1692a5b87de0b7a3e88ca43f947fc06af1ca7bd98b492273e044e116

SHA512
3cf99a541fd019c73e2313726f072c0a696e67e87a1ae2b0db5c23f6940d9e4de38f686a40a8f466511a7109e4c12a19d2cdc8c360e24b039a07a9f4cff5f654

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
67KB

MD5
c94542957dad83b94286f6596bfcad29

SHA1
65f086a5fffc2e86f311f80a532fd2fd22feb0cd

SHA256
68a68251e31f7e77a6b493b81cb9747a9fef2455323f4f222e9d234ec587b161

SHA512
c0ec948287f683994caf07694371d290f0cfdafb159e713c0da5f023e11e345b8d4c4b3f65bf521ed2930be7927e2357a636c683c27a169e0fbb2399acb1ee39

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
019ad530592db7ab03ebf683a1181803

SHA1
58b16875c5f91944c7a3bc859101fc70e0bc5b07

SHA256
6bdbfa0e740b745825ab8f21f52678fc264006c1d8a0f7ae979eab413c368389

SHA512
4a1022aeba9a0ca0eac6b1781718d28da58f0e19bf568a85be59a0d2afd10821f66359dbba0c380f945d71796ad6ee958bbf6cd178459edfd752bc32a976cd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2ff887622f970d8835ecebfc3af44497

SHA1
b248c43d13b86ab430f221762f76fc2c928918af

SHA256
4159e2de168a99f61b12e4e2f7bfbb28cf4e243d911000cf30ce9006d5fc0e80

SHA512
bbb251cc550db16a8aac3cb3b84d6b799931892cb543527fb5027cece609ac5c4f4b628c2c9813655c9f35c683ee3650cc2949ac368b86e533d38c3132d44d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
022add3853d06227fdc4ee8a6c58e00f

SHA1
f3485ec2a992e0b8b48da0a489f15ed37321f251

SHA256
91c82449e29e38eeaf3038dd650d241d9296f17f541f41e94fc6fcc53aa5a7ac

SHA512
fe8b9570d88255436455a4d06c2e15333818b0a266f72ff99a42a2e484bf256b5b71fa165adf85cc6c5581a5fa20ec3f298736770cba89e02fae0a4095f446e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1fd847afd1dd4078f39d7a2e5cc63c9c

SHA1
f929e17c2ff9ce209fa095d8b41b2d110521b5f4

SHA256
7063e5b90514095d9b841deab7a2fa9f1e5b3ebe9544e381254c92d3e134a490

SHA512
6e82625e0314743e6f2f99f757295960242364b24be3e053cbc21630ba05b15be707f66f113e3f90f19df9d8c1811f332c4c95bf6ce2383918d44c68b2371f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d8a69dada0e8923bd47e080000533670

SHA1
87a65c4e8ffa440a294c2c90da36b0fedfc1063f

SHA256
40fb2c48809864fe2734fb2d7b95635ecc9698b1df4acfeeefc8c92d59c2dd23

SHA512
6fe51e2b1cffe89a00faaca7e0ce0a4b500868535fc5c39b80bf93c4894a83f00f6e43a633dc9f1d21dfa8b7b6f424a2a08be5cb44fb3a5370058d2d6c5f5d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bfedbb3a2f3ea3b75694765abccf3fc0

SHA1
de2c9e83beba26fa6a520e7f58a17763570bcd5b

SHA256
b98a59bb9f2cf55959ee3cb8eae0585c9957fdad0270f6973dc2008bec4ac8d7

SHA512
b65a614d3b79276f022e3c0791ff8bc03728c12a14993b5f64eacda6256bc8cc804f22781a3f1a8e406c86532da121b24a17cb83e1a6095cc35c04c06d3c5ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d9adf3c56ae66b6cbc8078480fcf127d

SHA1
2760dd4ce1089f49fa9553a30505e8d72df9b6a2

SHA256
9d3055dc620aa9ecfa83fcc4645661274bce8e890afea0f7c0ebe95c22a5e872

SHA512
84ba4804b335e02345a03ef3fab5d80c0450ce126a43415f82b584013d8a79f4213dbf970afb9b77bc594e7c3cfc7fb43f28fe2d406b51eac292355f9f6de261

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5a26647e916ec1dafb764336d333b688

SHA1
42b04934f7ca6139781189816d88c87b6cc1ae68

SHA256
8ee58febe2e9cf8cb7b212982d1f87d7847b3c8fc2cfefa413ec3c947e04b0ae

SHA512
e17fbc82e4a4700bc147981049a6a5b8851c077a05a727291b849d22bb58654693cb2377a6375217a97fa6eb6428a865a495f1b71ab27ad30ee6a16fab3121d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5f2c9952eaefcf9283d894d19915d653

SHA1
89aa505404ebd60b57125b0572e8de84ad38de1c

SHA256
e6077b6ac8aad16262d538b06141f152bc5436f7a7fa838168586090bc3098cf

SHA512
ff7ae691aaed7bb408fd71a035fdc4c0bb8779d3c6cdb4c47cff9775bb886fcbed9426615ab04ae6f56bde9c9af54f17790d116175bfa3edebe4721740323906

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
535ddbe81c4fb3ee33b03c6a0a9c5fbf

SHA1
8c300e8ee91e143da403319c584f8d5c041a4c54

SHA256
4891a65637fb1398495086c93d9ae4d7e0cef260d287b9a0f42a6491ad8b52f9

SHA512
8d255450b75e3c49167b921bee4668ecd9f43a03cd9ef5229d2ee918eecaf6ce7bf538a26596ed906773c3cc5f55686e36a016a0cdfa95e79c07c71b755b5a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
31025d419ff761c9732aa68453b1a294

SHA1
acb15281e72ec7c9871c50326b4135fb92a67a5c

SHA256
1de01331910f1113e307e070c19fccbe320af89226539483c020abec0b81b855

SHA512
63471a8e293a7c0213cebf9398112816adefccaf02e9b4ab7525e30d4f750c2613763607dcd9d40eb1f759ff18eca04a342e0b1aed4db9345f0c53afd71dc63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
23aeea0a3211a4890bfca90e64e9effd

SHA1
eadf82572ff1592f365469d1caae716d576a9a9d

SHA256
69240c914acf71a68a2efabe80e16277247f72eb9a7b30e5449b3c15a6efcf1c

SHA512
9200f8d892f1edd73cdc61c924d15ce9321fe9ceb47b83241b24f935af1b80b1d491bc464d733ce0520fa6d8b3b5a63e659cf02c3164435053cc5cf4e19468fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4353be28776e39ad3b6be4a2e4bebafa

SHA1
630430d03a216f979ac7e17c3ea466dd96257681

SHA256
2c26c309d456d6f6b879fd367fdb941024ca68e73094bb067a574a04a5fa2ad9

SHA512
67e24c506f1c1ccc1bb5884cbd7b33c2ed6d51df86788fd8ce122768d018d8b5ccff4d752727c2fd4722152baa1d36fe80ea9369b5fe8c2f85e3f683a26aff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
90218f977de9d0bcf194339a1ec81c55

SHA1
24fe70096706cda54e02a9f35f125e716d6da1a4

SHA256
911c76bd5fd9d1d9b7815274db0a94523910a6384b6431b5cad34fd5cbdddb8f

SHA512
57cdfc6be0c983cf75e045f4be04c31d471f082774291d2da296502d2b1f35e6a149c59e912def507657902c745ffe63d7b056daa75ee12fd7cec61c299d60bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dc56156f2f9208c33a5b4393977a939b

SHA1
33019779d46aeb3c3a94aeaad0e51d7ee86334cb

SHA256
51bcb1419faea6b84d99f058ab738241286a42db84555a6cbaf8e707f4fa7fad

SHA512
dc00060ed6ff3d7d86e8c9d4d69ea4671a6c73abbdf2a0f856213dda77312af91ad1b64d05a2557fab87c983fa5eaf8df69fce03ac2aa18dc23d3a7c3f3d6da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a3a8b6a005d2342470ac4da3de2b6e30

SHA1
540c5ba89d1f67c80d4bf5c6b1d40296e34a97bb

SHA256
337a474dcdd3b8646c4a9db318dd5ad3f9498b97280b28a87035f2e0b96515f0

SHA512
89507735143599a1c9ab9e5a5f32fe564558056036d26fcd19f50627b5e7d958d0e2e90d62d802112ad90c53f2f7e18dcfa08d09aba31a2e5a89d9bfc39f496a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
797016e3ae1318699c186b5dd6fb5418

SHA1
d1ae26f415a58a68c5b9fc6cb2b9c16d156a1d21

SHA256
bc72cc20a63ec2193de442ab7e22d7fc33c2d37cdb9826986c186c9b75198136

SHA512
b9e7e932c4d5d2b1dc33d1f7be9e1ac674ad54862d2f9703ca1887f876951200943876f3aeb56e814568260e7e1c2297f700dcd5f2d6e28e4abda1fee608256b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5deb4bb73afd18f340687ac2a74479fa

SHA1
8bb5511e98878bf7b4d209fb9d6278b625f4388b

SHA256
a91becbbe4f72d81b6afbff4502c3af0b2ac33a369561b5d1b3fdd6856ea7272

SHA512
e2f5e88ba424bdaf671d185b4b86006c4f909537b4783ddd06f06df3c413c881d85b48c792c73fa4bb7d92099c11303c67cebe6c011e0bfe834d741834ecce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c86d75a97abb906a43a10ae6b58e6db4

SHA1
756a767175d71d6961346abd1d650f70c061f255

SHA256
51a8cad303f29a20bdea2d19450b549420e08a3de262a0fc4596d6418aa934fe

SHA512
dcca443026cb38ec8ca6bb9d1ceffef89da093963d952e961aa2a85046055f9f0ec93536e6046f7c69aa8875a1b522d8713da4bc26a7d340378b1e642e12593f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
65eeae7f484157e74535ae3cd87e368b

SHA1
59a8b5103bae60e9dbc23085a1ab2b4fbcb4563c

SHA256
5092bf3d2c085ce97caa62e15547a86e498a348bbc4cd78cbd5fb4ffc2741826

SHA512
c67e737f741da37aeab7b17617ac898476c0df968ef68788ba61f293e86c8eff473bef5240be84f8420882cd19b935b5a2f62d2b8088b12895b153631752c611

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5c0b59af26b5be0c09b9772844d2929f

SHA1
98c60b26214d0a7e8b4c1994d21fde4b6936cf11

SHA256
a663c14dc06038290717285174d4c4787ea9088ae9d3e4203d50962eea84f7d2

SHA512
695adc9408310393d289fa249428ced43f0b300d1d4d62634533a5456cc24154e2b77d24251746e94774da532abb25bf4427fa52a0cf4b1f96f3de6839605a08

Download Submit
memory/4676-40-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/4676-63-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/4676-121-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/4676-124-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/4676-125-0x0000000004A60000-0x0000000004A68000-memory.dmp

Filesize
32KB

Download
memory/4676-126-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/4676-127-0x0000000004D50000-0x0000000004D58000-memory.dmp

Filesize
32KB

Download
memory/4676-128-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/4676-112-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/4676-141-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/4676-149-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/4676-151-0x0000000004AA0000-0x0000000004AA8000-memory.dmp

Filesize
32KB

Download
memory/4676-73-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/4676-164-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/4676-71-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/4676-172-0x0000000004AA0000-0x0000000004AA8000-memory.dmp

Filesize
32KB

Download
memory/4676-174-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/4676-113-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/4676-50-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/4676-48-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/4676-0-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/4676-301-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4676-27-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/4676-26-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/4676-25-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/4676-24-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/4676-23-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/4676-20-0x00000000045F0000-0x00000000045F8000-memory.dmp

Filesize
32KB

Download
memory/4676-18-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/4676-17-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/4676-10-0x0000000003A80000-0x0000000003A90000-memory.dmp

Filesize
64KB

Download
memory/4676-4-0x00000000038E0000-0x00000000038F0000-memory.dmp

Filesize
64KB

Download
memory/4676-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4676-505-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download