ffdroider | 0e531029c9914e235afd9f2312bfeb6e78303c5afb5e3c5cc753a7825c132944

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3476deb75801446ac3a3df7326dcac73.exe
Size

920KB
MD5

3476deb75801446ac3a3df7326dcac73
SHA1

863b9c8518e6542d69b8b413766158c0f1a2b1a0
SHA256

0e531029c9914e235afd9f2312bfeb6e78303c5afb5e3c5cc753a7825c132944
SHA512

69cf604c777ea7c41353378523686b8e2b5e6912b35f82c0d8ec34aa569975d53f15e085424f8c899b9e12ddf3532c9e7e07a41cd19016120ee4de0a9213ce1b
SSDEEP

12288:mJ63CEYPtxrkzDxQnvfQBao68kZHRfEBUDOumP2f4sWAoBfg7HI1ShDebZB:mJzKDGnVeARf4P2wjBfEo1M0Z

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://128.1.32.84

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3944-1-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider
behavioral2/memory/3944-4-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider
behavioral2/memory/3944-505-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral2/memory/3944-1-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral2/memory/3944-4-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral2/memory/3944-505-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3476deb75801446ac3a3df7326dcac73.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3476deb75801446ac3a3df7326dcac73.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

3476deb75801446ac3a3df7326dcac73.exe

description	pid	process
Token: SeManageVolumePrivilege	3944	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	3944	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	3944	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	3944	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	3944	3476deb75801446ac3a3df7326dcac73.exe

C:\Users\Admin\AppData\Local\Temp\3476deb75801446ac3a3df7326dcac73.exe
"C:\Users\Admin\AppData\Local\Temp\3476deb75801446ac3a3df7326dcac73.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
12.1MB

MD5
00aa893b34500fa89a4b91c29904ecad

SHA1
f39a8bbca2b428ee9d097e4b48300a075268bfd2

SHA256
1cf2a7bafd113c72672697fcc6d6a48225280a5f78acf97658ff87da922c802a

SHA512
2d408fc55b249fc823c9ba1c10467734392f29f4bd6ddaf8324e6b180db512a1d203bd82cb78331c0307077901b29938182193e0266299b535dbbcbb644e1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
73KB

MD5
4b281b347e023e75d24aa2bb1b5cc28f

SHA1
9dd178ba268ff295a641ce80ac730ae2fedcb5c7

SHA256
fcfe211457171c4d3041e5615ce6b177c4936658f430700b993bb5760b202765

SHA512
efde7a848fe1cc37dbf9594f3f308bdc2fc5b17c8589ed227cfbc08ff88d6137c110ddd995a6f1c301fe9d13009cbdcf17a2aa1365990e5a023b5d2e87edc523

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
24669a0457aa0f29b39f17ba48ad6b9c

SHA1
33c2633b21fbaaec26d8a35d96af3dd80504260c

SHA256
1d23d40fc46d7c713726197a0722501cc92033185096c73b0cd13ca62213a7ae

SHA512
6958a6fd0c37e8875f1374ca7569f6a618f72c9e62faf037a3c553da1a9aaaa4c7abc5a83f4a27f32c76dab17d4f8da6dea18c74055be54aec1ea07162f11750

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d063b5406525aa8b24ae49841f6cde51

SHA1
54a986da51623620056b1f2f5ed8bd42c25b3889

SHA256
df52b7bd138a342e7b39d0d8f7de801313fbac4eeb2a3caa4dedcd8da2e8bef8

SHA512
dbdfd3d001422c3770631baa08aaea5128602610a3a3e10037a2b96d1b168b1d37ee22c637490861b5c924709202998c22904a45c3d67f54514ca7cab912eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
71b44a1bf3ffed6729ad884230f153d4

SHA1
ee262cb707ccb491944c398c975752889dac6ec7

SHA256
0e8444d48359c15997fef82e1c6847319995e4a6bddb90cf8afc6ee5afcd9408

SHA512
f38915d67d600f3d559f017255649e64584c09172a3ffbf36d187722d0eaa06a2b08aa6a9e6d84df43f2be5f8a7bda99eecc7620dc5bc2f3641911d22d4c3c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4200770647adbe679ae0c61a7554ce0e

SHA1
ed2b5cfcb3558ac6fa34c35646ae90b72a0806b5

SHA256
4a5dff4939ab73b89c41dbd28e881aa1612f0530446912242433c4ac1191aafb

SHA512
39ff68b35235a312ace807c2cfc17799b4b1791a73197fa50b5f4a29de52b21ea9c3700e98648fb032f503099157ea7eaecded5ad1388be57b7c14ad1602d64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e559355a50bde41cdedaa08e968741bf

SHA1
b7281a749f22aa00b184ff7f3a18a6d9db6cc2c7

SHA256
388c0299f42fbb54a63875d86127e11ea6bcd3329a382bd8546f1a6f06a6e9c8

SHA512
8caf0bc34cc02ebf31302302b3d1c0e8e14fc584dc7872da71eb9f622d1ed39d8c9d96a1510f663ffb0d765c29a06cd93a9d1c9c2916e7a686e5b26e3b5bf01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e4aab2bdb0360498f81f43327eebd349

SHA1
69bbce465c5d810835fb8ca3244f283711919529

SHA256
b22a96361420596ae31cd39686d0e7496252f0c09a5b583a3b8e644c552cf9ea

SHA512
d00275536a6e28fac545574601af7a8d6c91aaa341e29bebe94eafe1767b417973b91c4e901d07069d077b2bc38e766368972cd0f90f8a6d85f889a55a5fb164

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
60c216974fd67c62b43f19cb1ebd029b

SHA1
0cbe3d4c6b1d481fd91b09f06ae8311bc3c5f3a5

SHA256
5ac82381f0df40ab43f148b9f586f39b2c6d8c50a8bc123b350b68ca5b6cfd67

SHA512
5a66a8e1a03548721bc6fa349d6acd52e105cd29bf97df62a44b436205248850cc17ede087b8498ccdbb809f82a02cd984a3bd1b61ea87a65e39b091acb91303

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d86e4d86cc160dedad18bae15481b04f

SHA1
e3e0a1f3b217a264e10d525a0db89372fdd3f334

SHA256
486215b94cf1fede2a6ac5f5daf213d940696383f2120c40f3036e6828caf524

SHA512
f8ce3609da1d7d22817747a3484c3686b54145bbce00becbee95e49f17236f67fe1ca69845d7c8ca29ee1c0479f1ae5204f2f0b228fd22ea23a4b8b83decdd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b7585b636d8d73fda8aa1c2bfc302e28

SHA1
6fcf765a2177314afe59ea734a2e0b8435471654

SHA256
342f27418dda4b784cd608e926d9ca31f3fab79902c81f1e2b2c6292bcd7cb8a

SHA512
1a9fd70e6605981000837a2d9820b873600a1ad2fb43fe8f5dc36d57575eb864502d66fa1939270eef9ef06945233875d36d3557bdcc2609f40a66a20b4c2969

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2895fef569180d76c0d332a22771b12d

SHA1
470540e23be471136720ddf04041888f0e2b2eca

SHA256
9b6b46ab9b5424dfe1719d24dd61bd4368920f1ff009cec9c00969db66765dc0

SHA512
9c7d35c1fef24f6f0aee5f8ffbf7176ecff89f4f6200d64d80e75b2a94541350cd4d9ad69305ade86d80abbc7befcc6c1c44869c56b8920cefc935ef5161c422

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f993677121142abf42440c272d831145

SHA1
d661f35eca70f6a99e57bfec9ec086a22c312934

SHA256
627bc0b1cb4a01713a7d675aaefc25691772028ed9a33005f557983fd1f0fbae

SHA512
d2574f1bca86266bcf6f98bccaf5bbdcde2b1e813d1e6aa659c442b7b94e896d7d83c6667760cfb4cfe1b3153edb5a5f68eadb80b4cc5e2dd6fdec26f2465b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
251cf20bb3920b9e62b9645da17a233d

SHA1
66cbb150e5a3cc1d199aee3232ff473469922bdd

SHA256
11de5b4572b22eb95980f7715015aabbfe98cd270537cdb3a3497ccc4c0b49c0

SHA512
2dab9ae2a4e98f08598727ccc865366469f267d2dca2dcbc8e447d7f3fab5beca9164111e3bb8c6ff3ac8785ec3470672784d669802138fd6e073aad97cbbedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f7f09fba3c2f6e61e29337c620545ed3

SHA1
220ea371c0ad510f8f1a2c81e36733b2dc986534

SHA256
685a4d0f46627d468049eb4862574d75bae009cafff83a24a4949a67e7c82fb0

SHA512
98d4bbfe1c006f29b6cb7125282929e715ae78570c363d80336bccb47be2f440033ae14adc17b5d457da5200497fdcacd2997b03f4acf05a00d66be9b1f1d824

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c0e0ff494a45df69d220d9bd5c30d10c

SHA1
ad8cd6ebbdc1f093bd713bd0c432b5e99e2744cd

SHA256
33f2ea951d15a98a93a6137268fb3eb84c0cf3b2147bfe6f8d26567b106fbcf5

SHA512
15f8d9b7c1eb7b5e450f2cda4dc2d91be17296e780dc0df1a400739556ef41e8a3f1588e9262e43cbf2f02c271a88ef5f1e2b8eb098b1bcb5b5aae9b48b51c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e1773270276df64e3f8df3fa2bfd3cc8

SHA1
2f628725ffe6112bd411bc7945246fdcc2757725

SHA256
c1e38c7c61cdc4f2ffd48d953b095e6844b00c23f803486f4376f6c43c3fdad0

SHA512
2e11f028026417fe3d074d7fba00084ec543288f55fb2f22f6b5cde7afcdcb5a41d9350cfd34e1357de1a54b99f30c896494bdc1b714cf03a340796d05890f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a042e7287118792d953e53d84849bca0

SHA1
94e4b7d3c3cd844dcad15cdbe119ba028aa12169

SHA256
4eb47d627d50c52494e0b381b52c0c4635cd84201ae5a8472270b9d81600a9b7

SHA512
1a947395f533b37fad25dc6f9cf44ce941259b76a05ed6b160472e9fc2959de25fb6487d7277674b4627a3a9a1ea4d9fa6a02321f79698ef806a2c4ff2dc92e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b29d272c2db3e01e6b2964172b785ba9

SHA1
8de320898c7e8d0851a3685717cd92110a2fda8b

SHA256
eda100bd5be818f864aebd02705c120c5370326d16879e0c2dfd4f3f162cb863

SHA512
5be104f067050644b7d6483e643c07b4527c678bda36d0015ef3c8069abcd7f89a30878dbb5ed9ffba654d060f30488c3ed5dda8b77132f56eea675bf444b7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
640c3a522477e64f701e8b5da896b111

SHA1
7e2ab0d723fdfafbffcb3b63e4c5306db3649e23

SHA256
e502157e833d71cdd9f374e6563d6123c2b1888d2053b5cea4a32972ff5343ac

SHA512
c1a7051f568827873b73b3538b3633ab449ca838f92005ed735befccde125c6a87870618b48c77454cc9d42a6baaa4405c897dd912200dd73b505fcf15e78123

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
50e84d4256439b54c1cc6b8edac702c1

SHA1
ef5429994d5d71742423ae81f13cfe726b17a9b5

SHA256
cc5b01487750c4de7063fc5049fcdedde76fb2ae2ac4ffb2c9a0acfebf8727b9

SHA512
b9662fc236523b632ad2295c6cfa819eee94a2141be61cd7af4f895232be0a14a005c732e8fe12eb1d3b4baf74c47b16c8ec71d8a6e01ab13aa668e77d23b0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6f57b4da41d9ee43aa6d840db40fd1db

SHA1
2a075704379f41076336a942bea2be93cccf3d6d

SHA256
0c0ccc842f46569c5244e9e9b1d28d2e623fcca89c394eddbcccd9b248f2b34e

SHA512
10ba1c88dad0849ef46db0472aeaedb38feb05191dae168ed0fa10c3c0faff4a984bcb9b8af45a84a4441b06e2345c258c4d022954d9d2aa12afa6a021ca6f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8e67c19dac096d05c00209ec2dbb5dba

SHA1
2433c8e3030b95a261c74256e33a17e8e1539012

SHA256
9003770c258ef606a4e0783f19ebb685f61b6914f6ab061f0e6ca6626cdc0d64

SHA512
6589d874f3a7ff5585a6fa3e8ab676d0de7a8f07f9f1780c374b84ed048b84ffb1e4426487527dd7abe2f701241ca31b6abc842297634f39e78fdcff763f4c3d

Download Submit
memory/3944-29-0x0000000004B90000-0x0000000004B98000-memory.dmp

Filesize
32KB

Download
memory/3944-53-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/3944-115-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/3944-116-0x0000000004350000-0x0000000004358000-memory.dmp

Filesize
32KB

Download
memory/3944-124-0x00000000043F0000-0x00000000043F8000-memory.dmp

Filesize
32KB

Download
memory/3944-127-0x00000000043F0000-0x00000000043F8000-memory.dmp

Filesize
32KB

Download
memory/3944-128-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/3944-129-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/3944-130-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/3944-131-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/3944-74-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/3944-144-0x0000000004350000-0x0000000004358000-memory.dmp

Filesize
32KB

Download
memory/3944-152-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/3944-154-0x00000000045B0000-0x00000000045B8000-memory.dmp

Filesize
32KB

Download
memory/3944-66-0x0000000004470000-0x0000000004478000-memory.dmp

Filesize
32KB

Download
memory/3944-76-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/3944-51-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/3944-43-0x0000000004470000-0x0000000004478000-memory.dmp

Filesize
32KB

Download
memory/3944-30-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/3944-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3944-28-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

Filesize
32KB

Download
memory/3944-27-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/3944-26-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/3944-25-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/3944-22-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/3944-20-0x0000000004470000-0x0000000004478000-memory.dmp

Filesize
32KB

Download
memory/3944-19-0x0000000004450000-0x0000000004458000-memory.dmp

Filesize
32KB

Download
memory/3944-12-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/3944-6-0x0000000003800000-0x0000000003810000-memory.dmp

Filesize
64KB

Download
memory/3944-4-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3944-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3944-505-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download