ffdroider | 8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5

General

Target

8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe
Size

1.7MB
MD5

7e2ccd4dc2823dd85c12a5f85724f2cd
SHA1

c0be781d4f6b537ba955395bf2240d90ef9759a1
SHA256

8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5
SHA512

92ad3e178c3eef1772c5dc92a65908f6db2aaa602080153c0e5272391a5ebfbbe4608374c5196fa674fe1b60c287f2217a8907e9a23aa2629b26fc9963093851
SSDEEP

24576:dYianUR2jR97bUyvK3H1S0vfs2tPwHtnKCKKITko7kGuap0D93MwjBiUNDI4rL:XaXR97bEVSsfsfHtnKCKJz7vRkXjBv

Score

10^/10

ffdroider evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

C2

http://45.43.62.216

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/4392-3-0x0000000000400000-0x000000000086D000-memory.dmp	family_ffdroider
behavioral2/memory/4392-101-0x0000000000400000-0x000000000086D000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe"	8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4392	8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe

C:\Users\Admin\AppData\Local\Temp\8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe
"C:\Users\Admin\AppData\Local\Temp\8e3d48148237679d6cdce75b7956121029723aefd3474dea2dd85185fe46ade5.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e6334c4b2f8728ccf1a3893ca69f4180

SHA1
a4f46c69dd3ee60280ce7cd451be992e71006e4f

SHA256
60d6b5afbc3f9d1c578ba7e0ac19be0765b3abcdd52b35e4837a9804c52a2374

SHA512
c7d17776dffbe436befba3ebd368b84e3822cfc776bb154df1ea86623b84e2f2e0dcff17477cfac63e1087cd35f71e7f5407dd65b4665100abce6bdcba272e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
28fdfc7a744faec2403bab04364b5b42

SHA1
d05b03d04857c5bd280f7b3994733663c156e248

SHA256
f02e1429849189348c66b209464f364c95546f499bff2683c2320bad35fa4665

SHA512
ef5c5a9146c9aa16781c81bf56e65c9def2f50fe2913c49ae60c611d2c0ded890def512813c314f3284230880d40ff77decf591d58cc9201e0c8471b56f0a8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b72ac30f152819d145e31b8c11c864a3

SHA1
ccdb1c4c3ed26c90df51345ad2c8d0053c5bd62e

SHA256
9617d7b943de38a5f87f678c9668750a113dd53d08e7183a6009e52684f382b5

SHA512
5b928a7102a15dc9adc4b861c7774d676b58b0f8988200273d1b3e08719170ac8b5cb3753fd66188265dae1ac39dd4887d94738bd8cd3b546603b027f1e2d7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
349681ad66684bdf89db945bb6b72cd4

SHA1
538ce6f259c770e1ea030d1187a8b3375d1c52b4

SHA256
64b1271ce6587af2108f0e04d37b1da5cb39fce476632c09389d024ec103ff6b

SHA512
35a048811e70a66aa3fb1da6865b47fc6b2c54834f687e23ef31a4e2cb2ac8987db6e1963122b626a4e7875a168301398f3b36a8686bbc0853733988fb59479a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
151e088ea1b2f1af6ff4e171e01107dc

SHA1
0beea9ca7cff10c5b0fe236ce1d36187f23c392c

SHA256
0c2ed965b7e68c88ecf1960b97990beb043b30633a49ead0409d2986e1585b6f

SHA512
fb3fd6d6fa101dd6c689d9f8021d0eab3f5a34a1abad5f06a071a3361cec0d81376b224b2ef018b33e22f4ede7471ba42c64d346018b05dcb8fbafb8f40d27a8

Download Submit
memory/4392-22-0x0000000004960000-0x0000000004968000-memory.dmp

Filesize
32KB

Download
memory/4392-44-0x0000000004960000-0x0000000004968000-memory.dmp

Filesize
32KB

Download
memory/4392-24-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/4392-27-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/4392-28-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/4392-29-0x0000000004E00000-0x0000000004E08000-memory.dmp

Filesize
32KB

Download
memory/4392-30-0x0000000004D00000-0x0000000004D08000-memory.dmp

Filesize
32KB

Download
memory/4392-31-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/4392-21-0x0000000004940000-0x0000000004948000-memory.dmp

Filesize
32KB

Download
memory/4392-0-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4392-14-0x0000000003E80000-0x0000000003E90000-memory.dmp

Filesize
64KB

Download
memory/4392-52-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/4392-54-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

Filesize
32KB

Download
memory/4392-8-0x0000000003CE0000-0x0000000003CF0000-memory.dmp

Filesize
64KB

Download
memory/4392-67-0x0000000004960000-0x0000000004968000-memory.dmp

Filesize
32KB

Download
memory/4392-3-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4392-75-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

Filesize
32KB

Download
memory/4392-77-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/4392-1-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/4392-101-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads