ffdroider | f3d37397b2e2a9f7b4099be69b393fa099fcf7dbb6adc4922bc86795a6b83664

General

Target

18223614090e71027f3c60a6a4b491ec.exe
Size

953KB
MD5

18223614090e71027f3c60a6a4b491ec
SHA1

643270b3f8ab8299410f0c504caa5fa830d0a862
SHA256

f3d37397b2e2a9f7b4099be69b393fa099fcf7dbb6adc4922bc86795a6b83664
SHA512

34de120da1e760a62fbe8298dc71c5ef6552fbeb0179caa0da6d3c75d229841e5212be5a0e05fe66ca22e4f6cbd9f57d607ecb1e8ad01de836050967634f2eb9
SSDEEP

12288:j9lBnqfZiMym1/4jGiO0J0wCzDvcBqKJZHDBCyMAFokoczTwphpa7coWQ12kfTwC:5lBapymaawC/xKHHdCDVkoIwxylvUC

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/3680-3-0x0000000000400000-0x0000000000692000-memory.dmp	family_ffdroider
behavioral2/memory/3680-30-0x0000000000400000-0x0000000000692000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	18223614090e71027f3c60a6a4b491ec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3680	18223614090e71027f3c60a6a4b491ec.exe
Token: SeManageVolumePrivilege	3680	18223614090e71027f3c60a6a4b491ec.exe

C:\Users\Admin\AppData\Local\Temp\18223614090e71027f3c60a6a4b491ec.exe
"C:\Users\Admin\AppData\Local\Temp\18223614090e71027f3c60a6a4b491ec.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
1.6MB

MD5
114451535c330bfa396e7bb79d829ee0

SHA1
f04a120e1be33f0432a26d0f52472146b9b8a42b

SHA256
63af2e1e267f3ee4d085bc6b8e1608ad75309dcb9752a94aaae99d6a86ebd60a

SHA512
6f35c9f449ddbdcca8b639e1dd03da623fba9cc947b08da4355199e93b922206ca77705a66b29472106715e08b7f787f3277a465eb4ae6d152c630e67a61cdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
57cb387b6e4683f2a2ab22cfa789a99a

SHA1
4e24890fbbae460232454c601bf7013cd3269e49

SHA256
8a14c707bf171b7a3e452621a6c1fb73523ee19d4654e35cd7e7c957a654c534

SHA512
b49f09f0a0d3ffed729652831ba262888c08b4e94d4da0e6f688a896a06061a4a3721c92ac2d8b795ae7da224a76b4f646180e52cc60ca9479133f1a5c6034af

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e644f05d7042ebd731dee1d76de94ff3

SHA1
00c2e843c0f1d8b401482b704de6656d98cf4b09

SHA256
524a313eff644773dcc703f5e5c76f40ece4a2458301092547fe3ed58d1c784c

SHA512
eaf6847be2a37df85e4c3b40a9907af1495e951494d90836d4a1e1c31a99c33d8685b4ab005a7cc7918a1f207f922f3bb4df3cddd71717e027767ee0e9fb1d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fe59bfdbe656156e78f6c0fa6f408a97

SHA1
8fc6ded18623080535b52e2f8335abafe9c47b75

SHA256
8a2be5f88de7395deff2406fa8872ef3bdb3cf2d8412dbf286080638374f516c

SHA512
999f230f521911525d15542901e48cecf1a9026f2a71bca750380535e2c31c5b95bc91ab2bda4fac5380990a3693c1296ab65d5dcb78db24cdaf4f2bd815daae

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
696733635f2f9cf7cbbac498a86821c0

SHA1
06cc946fef2d2831c8ead7ee8a50b223b737fd14

SHA256
02053919ccf2b9da4ca9e43b38453d11389200698f0415f580b440c8c08eb783

SHA512
64c9b5be65fe080f0cd4fb3d4e8aa49cf748a48bdb99b1b15556268b6fa1b2bfc1e36181dec5ffc6375cfe45052bb637a356bea3ad5028690b766059976aa93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6845f89052262d8fc72f022c73431419

SHA1
49dc60fe73e0e34f982f41d58ab809490c340ea8

SHA256
9303c9d3317c7379533f39d57a89fb023383db64aa47952655e9178f61991e84

SHA512
c3d6db8b973d44bda819079de4accfb4d16eaaf6ee9c76f0f492e91855b0c2d8f4727f807a7a7e596463d2c86d767c9b757d419427885acbf55251900e159b72

Download Submit
memory/3680-30-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/3680-56-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/3680-26-0x0000000004A20000-0x0000000004A28000-memory.dmp

Filesize
32KB

Download
memory/3680-27-0x0000000004A50000-0x0000000004A58000-memory.dmp

Filesize
32KB

Download
memory/3680-28-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/3680-29-0x0000000004BF0000-0x0000000004BF8000-memory.dmp

Filesize
32KB

Download
memory/3680-0-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/3680-31-0x0000000004A60000-0x0000000004A68000-memory.dmp

Filesize
32KB

Download
memory/3680-21-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/3680-46-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/3680-20-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/3680-23-0x0000000004A20000-0x0000000004A28000-memory.dmp

Filesize
32KB

Download
memory/3680-59-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/3680-13-0x0000000003C30000-0x0000000003C40000-memory.dmp

Filesize
64KB

Download
memory/3680-73-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/3680-7-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/3680-82-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/3680-85-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/3680-3-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/3680-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3680-125-0x0000000004340000-0x0000000004348000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing