ffdroider | 6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7117f96c0c2879798a78a32d5d34cc.exe
Size

955KB
MD5

3c7117f96c0c2879798a78a32d5d34cc
SHA1

197c7dea513f8cbb7ebc17610f247d774c234213
SHA256

6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512

b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
SSDEEP

24576:w82jSDss1H+s9gbxBRlq9L1LSLf2cCYoe+bCV9A1XEh:w82jSY2MxqzGZCxGuEh

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/3516-1-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral2/memory/3516-6-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral2/memory/3516-506-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3516-0-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral2/memory/3516-1-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral2/memory/3516-6-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral2/memory/3516-506-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3c7117f96c0c2879798a78a32d5d34cc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3516	3c7117f96c0c2879798a78a32d5d34cc.exe
Token: SeManageVolumePrivilege	3516	3c7117f96c0c2879798a78a32d5d34cc.exe
Token: SeManageVolumePrivilege	3516	3c7117f96c0c2879798a78a32d5d34cc.exe
Token: SeManageVolumePrivilege	3516	3c7117f96c0c2879798a78a32d5d34cc.exe
Token: SeManageVolumePrivilege	3516	3c7117f96c0c2879798a78a32d5d34cc.exe

C:\Users\Admin\AppData\Local\Temp\3c7117f96c0c2879798a78a32d5d34cc.exe
"C:\Users\Admin\AppData\Local\Temp\3c7117f96c0c2879798a78a32d5d34cc.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
480KB

MD5
eadb081b2eced33d62b0913764b10aed

SHA1
8ad58d45712e808d2b85524db9ca0b445e807786

SHA256
6d7858d22be39170c1c568d94c24799565792e250989f18c27966f66d67dc754

SHA512
704899f644832fcfc4aa0956afe7738703137f66c58087b820804818763d910ac0c72bdbdcfcd6510501574eccebe2d9291ed855a10d0b2021e525350ee54602

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7e5d7ad7441f8160a551d6640b7825dd

SHA1
a4c3340556a80824525b0cc508e5b7065a278ff5

SHA256
3d94b35fa62eab578b8de34c8f9aded6b1ec07421405a09f29189654509c029d

SHA512
902ebdc2f77db9fc25bbbf7266b1bdd4ec5a3bafaba06b3252ade1affb14f215dc5be659215f10f3fd6cbdd7d9b086275ff3a2df7d0907dfba19d132262689cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7dd4132f65554bd596704d6b1813c49f

SHA1
e2ee51af7b1015d62e2fdf913c2ade23f4ee2775

SHA256
3da11c4f7c3fff66b8c9f60147815e89c26e8de1fc6d5b55a77a010ca4cb1e4b

SHA512
b3643cfca1bc629f6ad72ac846e68edc9d989f69fd667db9a20cece091441cb2327977b0b82ff1888786ca253a767510a6477ce8aa66fc311901bf14c26d09d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a1d231e3375f40ae70b1dc563c90a19b

SHA1
2faa1bee6590c44e8b0d79b11742e05b79a9902c

SHA256
ffca57858ce1c1a9036f4e421a1852f136c0bc2818f7cc8f70db4c4170d61c7e

SHA512
9a34eafbe33be1443899676b28aee2698498bcd1658fe49aef3fab2f72cc66532f7548cfde3b12cc2f1976f717c43bdf2f4945711328ebd9fbeaced05f54fe23

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5f0cada523c81898dff348ccf9eb7230

SHA1
78b746bda04925798f749acb8e14f2729aa4bb59

SHA256
4244257e5ccd047ea1a91fbe4e6e783aceb477dd061d4d156533e8c574488935

SHA512
030da392efe052fc8fc1c6c732d91116d32e66820bed3b6b6def93de58c646c66454bffb5954dd0cc9f978560270e42f5af22857aeb83451afe6f6dfc7f45a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5ba9c75b1c68c394e6d826e10a4fdcb4

SHA1
3f08116e19eb321982748f4036d2034bfaccdb06

SHA256
b1bc3820c86c6958eb5448a49de4e77a132f66b04b8d6de3177a91d4e95f1aa0

SHA512
3c84a5e32461e5e62feb05a851a20ad3e1bc1e645d84726950e64dcabf56e661ec8b7730a9a83b971088fec343a8e02b5892060ea90bc2913460a983cb358019

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
61365d6bce1b53d26f00b53387e68c61

SHA1
2fda5b252f4bb8bb5833f371de51731535e22ea3

SHA256
88320684439612db0a1153db130458fd839b835bc964440ff50a3f1b95caa41a

SHA512
202157be9c4c281026b7e754eaea5f1b7ab28b50630e5e79fd881e456ba75be82dd726cbe56ea3ca9aa3b8f1c886afa6ced28566e36475bc6a7af64c669ed617

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8114f7ea3fbb666167ec8717851f5d62

SHA1
a11c5a21ed104e9efdb1c32af7b077597f4c681a

SHA256
ea773f04780e1ba3080ab18a6273ee206d52476f341d294226fc5ba5ad7d2cc2

SHA512
af1b16fc1fdf7949be9d7c232ca9c00c6ef5ca1b68ef798542a90901a38b9a9e6858089de9bbcf98d521a4d6b694b710d87837a789c32c9f7bd07f2cd96c1600

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7248147e8354636a4f85120a337d80b4

SHA1
f3347c8a82b534659f1cbf74f495a222a48bb434

SHA256
13709a3f1e1d1a14da39f06f133ed8a2ced91cc232f2570a88b4df6ecb3fe0df

SHA512
338078ae04778f27b502347df800d86be097043dbeae66a34c12c6bd372404b19f821cc24589eab684b082c50488dd97da7a48b50e48004faea06fff707c397e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f51d3b71de44a96d8abcaa820c31b404

SHA1
df270884054a3c52507723b8e203e56e57ddf328

SHA256
e5ed7e706d93f6685fb7111a30c0da5f644a02b47af524d73d5e96905084d4cd

SHA512
35e59889f8b6a217447fe09201820df7ca393e43ae6482a0a66a23d338a55fa1fcc75ff3cb3e3308219d64d5d03b947e0bf7e581c89cbfae95aeae4358e77f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
97694608fb25376371e596f4acc80340

SHA1
11a721122d868ccc960902b64ed1c593d709757e

SHA256
fafd50717447d9ea4aba9372cc2d48e69a6f3708934c676649a9bdb84086c10e

SHA512
669c22a4ce24b13e5fb5faad9972ec82f6596cad41adb1d13f4766f689a331a3e29c7c53e221f50924303270e66c6dc1e14611ec411db1a63f7f89c4fb7212da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6ef8d3aa9260115aa9eb8f63bb672e2a

SHA1
559bf2d5258af44f6a6cb25dc3b1be22d922a62d

SHA256
5c16a8447588780eb3418e483de410c6c286f116aa57ba9fa30a4d1c45675c73

SHA512
1b088144a9ac4b931108ee2dca5957324a6366ce3183b3e72e350881b456813d7a9f409888a550a138787c92c2852bd5a721178f8c4b06774df8fe4682cd176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
72de34acebcda643764a994e9b82dc80

SHA1
113477ea80bb74de99ca13c1719e10b9531195ac

SHA256
640d2b0b590698bef4e58153267909506de500c2bfbaacb472f96e0d6b2fed8a

SHA512
b9253acde4a064a452b652fdb7c98eb6ede32396722caeb80249928eade5cf1dd76a533e5205991102ffb96b694762db169750d38ccacd490523088c54fa52c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dcc54d2f8e49d2a4667fe7ec48baf63b

SHA1
7fd41b9c0deefc63fabb235c4df33b412f350425

SHA256
7d7a5bd36e2754f93b3dcb66a29a10c913808f4fba46688c6ad233f460a621ad

SHA512
482c0299bfd137fac4fa5319ce93bb67f4a8eee3f95e2de53b90bc11c54ec4e6519cc2deab4e7c1128427be40cdc54f7d11011c2f385c676b8c01d1c97fedb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a420b3ef1fc82d74670385a1f1a6add4

SHA1
617a06f9ad900e79df990746c37e98a88c573bae

SHA256
f4af4d4e1e69b2f60098cc685c88db15d32206e8a2a6b8907f450eecc46962b4

SHA512
6f59b2da60acaf6c70c7e6d6e4a075804b838a5ac8dd4bb5567b0660d16363dc60282afe69935df9b2f7ff75efd66a60618438bc343fbe7d9a162b99b972c29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2121faa1cf538439979904c5e6343931

SHA1
b79058826d9cb6de6e8cc8cec38a8618c0223359

SHA256
9c54f44168dfb51a1bf7867cded25ffd1a35d59921ac736d52477eca9056540a

SHA512
a907f3ac8cec307bdb0293968435a970dedd2ab7de98b29dbc436ad227e628358b3b91bb78a1434c05dcf7f8d1fe62d4e8ce9e6110713cb16fee44155b6d80b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7f4720beba3bfc814da950336941cbbe

SHA1
5a700e19e521334b7b424f38e46c23ef21e9ffdd

SHA256
f3798da57bec8b92a5d4af6fb963a1ad4a5aa2cc79077065cd4958c222d40846

SHA512
4fec1acae46922960c5b2a58dc58a38a402528f44d2bf9c4856d1bfe1df1574630064d4e2417f5ea13dd6b69365c3a8268db834bc4f7270626e43bf1faa68b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6e1dfd4205b549fd6872d79107fa3e16

SHA1
839f793d47d91df6c21b7d918b910c0f16608814

SHA256
d6e54d0aedde91123e235ee596826053dd170996e29801be101c94a4c31a5f56

SHA512
ab5657ff80bbec8b213cc2edad32ea097c26fdb0ad1aca95966b2370caa7d580ac78ee54895bdc5dd622980f578a7afa35e05ab9ef1beb01fbf9234952955eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
54dcc7800088eb0ced52b5d90192b43b

SHA1
fcab8f9ab26147c4c580893b9a6f51e996ea1a85

SHA256
be0a75acc79eda6c9ce50d530cab74ff5a5e75ab1e40687eb72f9a4fb871e934

SHA512
cac3728076e35c1e74774d163339a0b8076ba52bfcd23b5a8d433b56fbd7b53450d942417082b744e01ea48e01c753f982a15a607844204c7715208d3f73080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
452b9c93b2ad998ad192710fe6bcc1aa

SHA1
eeba83f573661e343c0a0226ec9806a82f966575

SHA256
c58ef08fd19d30366ca0ca86e708d76fda88b589cf0b4b83223e14615152c13b

SHA512
4035d26a9c7b00595410ae3717015a3108e7630b34bb390ecfff229460368c19cc6479b5f28eadbc66c6cd1a26453ab6f5fc92e581dab95f893adc26e56fb7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0c2bc1f63eac19541751188c8e910212

SHA1
fd17ecac5db005ebae96a208d863b59f56ac9b81

SHA256
d849399503afb7a892d0d030f946a847b76b2174490e444104966215cd420691

SHA512
286312ad70c074581bbcea3f50525d9ad377b8015831fcd9955e935528b3de065c0849282f63ca2a764af850ffd2641d2ebc90f4b9976db1e4799c1166bbe131

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
240e4b1278de46af4921bfb64ab1582e

SHA1
f93429750adb8c0c1ef6340aa6777eece29a1327

SHA256
d8042d6e1cb414c6bd6c981753ea538e25ad8e92586cf786442a6d4899593d46

SHA512
caf7138fe7eb939c3e8b1caa30c4df0d352609864b67e35cbd6a29bdc21902bfbc8f5814bb634352375ddaebc5b05e1d33a24ef429a9f6f0a29e140c9a66b117

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8d74ba9d5c036ab7e84a62363061f7aa

SHA1
65095c1e780b159af26de640c6b535a1aaa739dd

SHA256
7afefa5f2fb14fbc107448e890a2c3fdf1ae6a9e3182f9dbe0c97f1c6578e7f1

SHA512
81a054c5ed27741fb39e14214590bbef79b89b0a54667e2f7936342cf80adc07d3a20babda222f798eac0b1d812ffe0e28420f23ca890271db0093a3b04f2a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
724831e2c3dc868d8b543b998fbda8a6

SHA1
5b46e2d16648b33b269a0c61a7b8cad6bd7d9ed1

SHA256
19162b36bdbd3eca306d69f0d54fb3208e48f916e8f752d76349d857c6df6900

SHA512
f58408bb148bf9e198a4c6555c96a6847bcc5050a2c9df0af12980f3396dc2cf424a2b93a0b89e9f8e3d1960bbfc5a90d7d2174ff6869e3b7c7b95f1247f0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
002e6bc55e71d150a0dd29f6e970c47b

SHA1
1a4804e0a937da6754f9d03e9350505d57a7d1a8

SHA256
794561be7516fc3b4a0f640847cc79e911ca5ea31856d983084b68ddbe06b5ed

SHA512
1745d8134523b1f3693826d9c98658ab80ebb5685a2cce6e225d441b78eb23d41cc329679f9596550b9a70ae15eb708f0678cd81d8ed2de374201353e227b32d

Download Submit
memory/3516-24-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/3516-6-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3516-128-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/3516-129-0x0000000004DE0000-0x0000000004DE8000-memory.dmp

Filesize
32KB

Download
memory/3516-130-0x0000000005090000-0x0000000005098000-memory.dmp

Filesize
32KB

Download
memory/3516-131-0x0000000004F90000-0x0000000004F98000-memory.dmp

Filesize
32KB

Download
memory/3516-132-0x0000000004E00000-0x0000000004E08000-memory.dmp

Filesize
32KB

Download
memory/3516-22-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/3516-145-0x00000000045C0000-0x00000000045C8000-memory.dmp

Filesize
32KB

Download
memory/3516-21-0x00000000046C0000-0x00000000046C8000-memory.dmp

Filesize
32KB

Download
memory/3516-153-0x0000000004E00000-0x0000000004E08000-memory.dmp

Filesize
32KB

Download
memory/3516-155-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/3516-14-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/3516-168-0x00000000045C0000-0x00000000045C8000-memory.dmp

Filesize
32KB

Download
memory/3516-8-0x0000000003AB0000-0x0000000003AC0000-memory.dmp

Filesize
64KB

Download
memory/3516-125-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/3516-0-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3516-117-0x00000000045C0000-0x00000000045C8000-memory.dmp

Filesize
32KB

Download
memory/3516-116-0x00000000045A0000-0x00000000045A8000-memory.dmp

Filesize
32KB

Download
memory/3516-31-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/3516-27-0x0000000004760000-0x0000000004768000-memory.dmp

Filesize
32KB

Download
memory/3516-77-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/3516-67-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/3516-28-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/3516-75-0x0000000004A30000-0x0000000004A38000-memory.dmp

Filesize
32KB

Download
memory/3516-29-0x0000000004B90000-0x0000000004B98000-memory.dmp

Filesize
32KB

Download
memory/3516-54-0x0000000004A30000-0x0000000004A38000-memory.dmp

Filesize
32KB

Download
memory/3516-52-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/3516-1-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3516-506-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3516-30-0x0000000004A90000-0x0000000004A98000-memory.dmp

Filesize
32KB

Download
memory/3516-44-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download