ffdroider | 2a0106cf867f44e349bdde8116342dbc8fe6c53c75a92328a36d79de5a08aa42

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a69cfd4ebd3e783943be08d7ffe8e05a.exe
Size

1.4MB
MD5

a69cfd4ebd3e783943be08d7ffe8e05a
SHA1

cd5eff3cc79f6d3e3739acf4586e787865e3c855
SHA256

2a0106cf867f44e349bdde8116342dbc8fe6c53c75a92328a36d79de5a08aa42
SHA512

0daa916629a66df6ea2ea1422cedf80718b1f207495fc51f91b71266511dd80bc7f6f23695805965d8115627ed472304a6df8d3a0d32e374987a1a8350722ebc
SSDEEP

24576:H8ARmK9XHkry2dvt1JpgPS8VrI+AMXqcjGEDZmGXivQ7TP4pMRR020SVFpFs4:3kK9XHkry2dV1sfJJAEVj17TwpQV0cFL

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a69cfd4ebd3e783943be08d7ffe8e05a.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4740	a69cfd4ebd3e783943be08d7ffe8e05a.exe
Token: SeManageVolumePrivilege	4740	a69cfd4ebd3e783943be08d7ffe8e05a.exe
Token: SeManageVolumePrivilege	4740	a69cfd4ebd3e783943be08d7ffe8e05a.exe
Token: SeManageVolumePrivilege	4740	a69cfd4ebd3e783943be08d7ffe8e05a.exe
Token: SeManageVolumePrivilege	4740	a69cfd4ebd3e783943be08d7ffe8e05a.exe

C:\Users\Admin\AppData\Local\Temp\a69cfd4ebd3e783943be08d7ffe8e05a.exe
"C:\Users\Admin\AppData\Local\Temp\a69cfd4ebd3e783943be08d7ffe8e05a.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
222KB

MD5
d6acedcdc05258380fb9ceafbd69710f

SHA1
7c4b64df9169ec17c9d1cb070a6d1ddd97eb7e04

SHA256
412c73839bfdfab5b39b8148a16528bcf42beb18daa924af0eca48ea0b22afd7

SHA512
c9ca3259a9e38fbeb4c0d0ba26005310f72d0a3a17abf51ace59776296c87c5c82578071a31ee0cc6356a69ef34eb42fe096a462aa52d1cd5a6d174c1811bc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
73KB

MD5
e3776d1ec13f9b6a3d44397814ae5645

SHA1
ecc101c4867d3601b55a90dd62f0a8d1ef6fb11e

SHA256
4daa7b92f8aab0def0a372297dae3e7f690f73f151869067f8c26861b0aa1694

SHA512
aa4372aedeb6c297a58ed20e71a65203e57dcbf0d0d4bd1b224368728381d7032af6e345133ccd37a79dc1ea4bc0dba8816089f3149b11ef70ee230b296154a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ba8b404d9088a3ed227753bce76b076c

SHA1
ce2684deda5da3180ae825800cf8b092f8b14ee5

SHA256
e0b14ccef291a0c922f5b9baa8a0314fbdb7aeff8517756a9e22b710f14b11a2

SHA512
95e373bc3717730aebd49cd10d5a2eca3591699e054d2530250a0f9dade4f45e9bb8fa4bfab329edbb16d9cbf4ad1931387be5022d815de20b5146028d490161

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8cc605117825eb75a7be6d01fc2b5671

SHA1
bcf48b3871b8a77b5b01353ad32190eb00a85cef

SHA256
754413b046a761b3867f098229678a69ffe5b71685ecf76d3fc8aa710ff615be

SHA512
5f1bc73da38d0c50d5f0d2ba9408ccc3fd2f6014b03b0846152fa0f0323d8e228553771d0f347afc3c7b5f2b7b7afc64ea5ddd895b1bc400c95d72bbbf2c5ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7feeaccdf86ee0bc0c231503bb438acf

SHA1
d6d64a85e2f7114b262e15d4f3dc2702d2b52d71

SHA256
5793d2c7b30377831064e8f00c3fda2a5b8347d90c9f81f268851e346971ec0d

SHA512
bc7c1f46eb51962be01b627bdaf04992349c2a7a46285889d5652d3653faed91190a90dd7b6cbc4136e3ce8a9876763dec6a2d9c3ac411f7e68aa1ff2051a997

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
32d827de7b830418615e643a0aa8d53a

SHA1
9b16ac50b2cb0ec0c64cf8ae06e2b64806f476a0

SHA256
71f30f9b2c233dfb3bed3d45d15e788a3bb260388c406dd40133f0181e40c713

SHA512
57bc818633c5a04c7419a3d456251cf92c7d5b3227ec31d6e40fa506902fe4663e09da001a5670679e610bd10bd353dd3e476fd3a8c4f0875a1ee543802897fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8fa12d3e87e4265ce7f96b331d6eb0f7

SHA1
b82485061dd9ae68e9ad9499c0af68748d4fc8a9

SHA256
8dae583dafd606361689874f3cd1ebf39435d1ae7c12ce66279bc0272d2c4af9

SHA512
e0b08a65228a604337689065b41ee72452fff6823e25f409a7c92444c44b8b8cd8694f3d04ed3ce358c94e918f8faf2bd4da5d3482a6699f08ac5da95aaf340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0907a19655a1f8b3c6e7abc2dea72c3d

SHA1
da10a4df78a96e411338906c33746080e5976d37

SHA256
ebb6b33abcd4fd41ac5770723138a9eb70ff9483ca28f10538ce423e8de7ce4f

SHA512
002ca38d634aa5c940ae880fdea584d6e91237efcad5a0f298b1857b595348ed40a87497485c81ab3d22216b1fca3ac97f02d41deb27371a6be2e7fff32c52ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1b54fae633de6ee5a3c3d4e3a5fd8482

SHA1
1430d16ad89723553d7b4778dd59dad261a9a6e3

SHA256
171673ce8aa910e63c143633712e192fb4d7f4760d3cedd111b6706b14b1bb3e

SHA512
de5df4adbd22fb821e56e22dcd8c7065e5e7c90c6df5f487f4ed92a650f1dec128a408bd36730322e07fa073e27dbab57c1784b90353d327877bf7f14fa753b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a8d2169ce7c39b6846c5be2f00b06801

SHA1
8cbefa91babe3fcb5e22e5f6497e89a22db6ba56

SHA256
da5fa5d1df8a96e9632177ea40e27759c374d6c90bd55f9406a0cb83d3ef774e

SHA512
b7ff338770150e91f6091fd9bf18963de193bd80911f8ee0c2ddcb54193247686fd189ed3a4475b6affe290b88408911f6e9a7fa29c6df3db3332aa4532954b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ba42a53ab1d931951db360cb73261328

SHA1
b98d00a734615d639d38cf8636a70b825c6010e2

SHA256
1db5ab131f1db3f9b8dc26e477730303912f0dcaae606b01968a8731e6a0765d

SHA512
db4d70baec2037908bf4f291966c790f1a1a510f018f75b76bd13f204661c24e4639e85719326eb4447426b5b4acd8274d3d1b805ed83b18132db65504acbf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a4e698c27f4e1e520b3776134edc389c

SHA1
18b111c81a828cbf25f09c9e0f357959199d659f

SHA256
848b7cb8269f3a28781e72ac798f074a31bcbaa6c7e7ff6ca089e93a813a4990

SHA512
a09bb04770d05dc856f0c4cdff54b1aa6e39f9b13ebe554c6217675f57a4c02c60a72ed463a6bb5b7840cf6165490ed16c3728571ac1bc8649718a7ea63966b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
55d9749588d795eef4f40ba876b40424

SHA1
4f2e3c7bab82fa8b3d18d28daa5af18555a4e376

SHA256
0b847c3cc5492b779fed41d1427974bc7dc360bf121f3b6588914ae37a90ed80

SHA512
22cfa41adbaf0aa557ac6caf4f3c40d5958d86b404f34e9ba7e4402bbe4fff50b2d9ac7e453c0ffc38239e3751b0442ce5ee7dd434b6ee04f9d8d09d3811dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6ae021522cbcc1a05a73006525ea15da

SHA1
3214dab8850868402ea6169ba94fd46dcc097d43

SHA256
666ddec3f87ed1572f90969d9c23aae9a4b5d8c7af17107db835b96883b57e2e

SHA512
4628f6d165d9b43c79702cea7f3f04383990d255b602f80263d42ff8b86af2571a35129fbc95eb2c23a39d4da2b892134b530a29cd2efd0620c616fd6e836e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0d5b46b10e391924616bbff752ef4b63

SHA1
427a695d31cf32c557fc643d804a13c3f9110801

SHA256
8ece1f114a990982e833e20f8d7786069fb1704c981927ffb32141cf47e3d7e1

SHA512
60b8961c9eda0ab6180d6960c1ec57f90f92cb4cef538ff9f6601e631d873a0dd2508498a286dcb026e0c91ef7b6e9b981564fe8a5051c2e72f84bc9414e153a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
78ccf9ea04ebfa7f28c1c1b42d36db54

SHA1
0394f86044e380078b03499e91ed3034b9c75baf

SHA256
61b83f9b954ba469afec3b77d5ca263947ee2fb227f9f34c47f581d257e370db

SHA512
8f26c311dfa87daafc3756cfd650b3e22428e5b615e18294fb7bc775a1aba2bb636b98a037d76045c199d6a12f9012f8aa60b3af511c0a7af5118bcce1a59993

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dd495d1a474aa10a4653ad3010e736bd

SHA1
878e60bb2d3fe767ae588a89258d7115a34eb948

SHA256
add8e8c36fadb7bde4d3a7856ec9b2c06e8baf6937750f927a6d71e0fc92094d

SHA512
e48a6adec6b76c0319dba02812d924ad3ac1f24ebc8b1eb2c5831e741acde1c8cf478225ceea87f570d6fc78dbbf3e84221a3b656fa7a2729b5ac0fbc10df653

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9f6e2cb6dedfb3efd6b82a4c36a06021

SHA1
5bab99def12b5556b7848f8d688ee641f3cbc55a

SHA256
4127334a297badfdd5a9d3204fc54b2fdb78ae42ba7d469803bcddb9da263fa7

SHA512
a94f72c49195d240d3e67005e946c60b5a44e5fe7dddafb28cd53578ef5a177bad06c12381ce266b7ba3936731dd1de77487369666fc98570893080e507972cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7c7b5d956dc5fcb59742858ff53964bb

SHA1
38d4f1280c478193a39bfeb9b43f3df576365a70

SHA256
8d40f6342c33daa41dc36ef7075ccd9c3260fcbf7c121e0444b7ae71665d1d15

SHA512
f68391a2e11560ebbf0ae1aacd4f405059394615fec0fef901cab352d855a60113550bfdc11bd7de09d9e6f6a73866cc1ea44048f3352f57448b81ecdefd1663

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
969673cd83e450e930db017c99ac954f

SHA1
f09a5227cae65722de05dcbfbb33a1c9c03eff38

SHA256
881f9895764700f06d7810f5bc2a31040788b5eb231d5be7eb7b309382beb033

SHA512
7dd8f9e165fdc2dfee504afa71d5a999bffc2e38d3684b00c2ea13471d2ee1b331f04ffc6c601e920c722925ea7db6110da891ac4c098d27388ed44cf0560955

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ea5967351544e62e9ff437caa7f2533a

SHA1
0405759113613116a1295259800c7ba19db04a94

SHA256
6597339a957c14a5eb85e7434df0e06f6461606f919e15a92dd02d4baf353420

SHA512
ff60ae68254696ea327f44b6db95ed57b4846340fa874077106bd2116095841e12894e0d2afa6e4adb22626e3ac05b5b5bc770789ff6ca388685001464392dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4b60225e37e8d9910833c1805bdd9f3a

SHA1
6ad6bf487a2f4b01c277c243550968f110342978

SHA256
230e665a451dd97a2bb1cf83791f3724a705377b11a699eba8f4edb74e52e071

SHA512
bbf20beb7dd0ec06bd6b88f8e292707f8e619e5cf80fd3110ecf6a80b648e2dcb855c9ac3e2fbbd60c6758489866c3d2e2b34fc4b371a104ab95f28af7a213b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cb70b55d0ada5eed9955044dedf2978b

SHA1
d3109dcd2c37f236f19219a3e9aab479704ee52d

SHA256
8f2f45e35676f7ef2df80279645c3dd4ebcf0cf7279a01a4e377b190f89462e7

SHA512
38bb0fd651055ffb97909ca7b6bcc1058177fe7fc969e18540d17f0351032e17daab5e5364cee19d818b3f2ac887c1ee8a1f0d7d690a508781ad8b8beb00d293

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e8861b6756350a52c78e5d5b8d6cf808

SHA1
44e88d49d6d07788b25014488a0cd6270f02384c

SHA256
26f93f5843c93c6c7acbffc604576ae8a2c399fec350a54392ea7a4a6d95dacd

SHA512
2c8cb0b3044578db2bb21d2a12e31d2a924eed74ca5fedd5ccfe621e927225541a2283f51717a4028dcb11a8c5cd457021923afc1203c287c9be32e66f7b11c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cd67a1979e4efac8fb96aaa2e6047bfb

SHA1
e341ce477545e743abc47ce5dfa453f1f611d4e8

SHA256
2fb219552b570cadf300be02b988379aafd950a89a13e50abb68c3ca5b7c97b7

SHA512
2fb7d67bf4d8926a51b03f923014d81f7d4a763f168d3719ca4d4bdfd004c3dc77f20058150d7a8c013d7fc1a1e867d8ca10287d07ad116035ef46d0e5e5fa4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e99d3b9682da074d200398c441c3082a

SHA1
bf593ba2c18968223bbbac691a2882b47dd167d7

SHA256
83e073f10e5f6d7e3ae1eaf1949573c43c04ac88d32fbdbca973520fdf35573d

SHA512
1581a65affcc62f9b563532daa06a97191ee24ab65cc5a966f878a36cc185aefac186b960fca08ed1aca6b3c9025df3a0c0599c74c25087c8433268122229285

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
834924a0404b17797198d29797dcb431

SHA1
4276a9795225f8531cb294e543126365c7754a2d

SHA256
5683a1500309aa9661094730d4e69c0d25845229ffd4a5b522321cb7a82d74f0

SHA512
54af75f5a05adb66dde0f27deddcc1e3e61995bcbd7efa2ff172b3fff8facbac34c71750fa3a9bb443b36266fe5d4159fcfcf52d456403ea1209e3e92b5967dc

Download Submit
memory/4740-48-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/4740-63-0x0000000004380000-0x0000000004388000-memory.dmp

Filesize
32KB

Download
memory/4740-127-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/4740-126-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/4740-125-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/4740-141-0x0000000004120000-0x0000000004128000-memory.dmp

Filesize
32KB

Download
memory/4740-128-0x00000000044A0000-0x00000000044A8000-memory.dmp

Filesize
32KB

Download
memory/4740-149-0x00000000044A0000-0x00000000044A8000-memory.dmp

Filesize
32KB

Download
memory/4740-121-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/4740-113-0x0000000004120000-0x0000000004128000-memory.dmp

Filesize
32KB

Download
memory/4740-151-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/4740-112-0x0000000004100000-0x0000000004108000-memory.dmp

Filesize
32KB

Download
memory/4740-172-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/4740-164-0x0000000004120000-0x0000000004128000-memory.dmp

Filesize
32KB

Download
memory/4740-174-0x00000000044A0000-0x00000000044A8000-memory.dmp

Filesize
32KB

Download
memory/4740-73-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/4740-71-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/4740-124-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/4740-50-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/4740-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4740-40-0x0000000004380000-0x0000000004388000-memory.dmp

Filesize
32KB

Download
memory/4740-27-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/4740-26-0x0000000004830000-0x0000000004838000-memory.dmp

Filesize
32KB

Download
memory/4740-25-0x0000000004930000-0x0000000004938000-memory.dmp

Filesize
32KB

Download
memory/4740-24-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/4740-23-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/4740-20-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/4740-18-0x0000000004380000-0x0000000004388000-memory.dmp

Filesize
32KB

Download
memory/4740-17-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/4740-15-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4740-9-0x0000000003770000-0x0000000003780000-memory.dmp

Filesize
64KB

Download
memory/4740-3-0x00000000035D0000-0x00000000035E0000-memory.dmp

Filesize
64KB

Download
memory/4740-502-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download