ffdroider | 2a0106cf867f44e349bdde8116342dbc8fe6c53c75a92328a36d79de5a08aa42

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a69cfd4ebd3e783943be08d7ffe8e05a.exe
Size

1.4MB
MD5

a69cfd4ebd3e783943be08d7ffe8e05a
SHA1

cd5eff3cc79f6d3e3739acf4586e787865e3c855
SHA256

2a0106cf867f44e349bdde8116342dbc8fe6c53c75a92328a36d79de5a08aa42
SHA512

0daa916629a66df6ea2ea1422cedf80718b1f207495fc51f91b71266511dd80bc7f6f23695805965d8115627ed472304a6df8d3a0d32e374987a1a8350722ebc
SSDEEP

24576:H8ARmK9XHkry2dvt1JpgPS8VrI+AMXqcjGEDZmGXivQ7TP4pMRR020SVFpFs4:3kK9XHkry2dV1sfJJAEVj17TwpQV0cFL

Score

10^/10

ffdroider spyware stealer

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1440	a69cfd4ebd3e783943be08d7ffe8e05a.exe

C:\Users\Admin\AppData\Local\Temp\a69cfd4ebd3e783943be08d7ffe8e05a.exe
"C:\Users\Admin\AppData\Local\Temp\a69cfd4ebd3e783943be08d7ffe8e05a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1440-3-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1440-9-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1440-19-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download