ffdroider | dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639

Analysis

max time kernel
0s
max time network
141s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc134ee57553cda5893b69950d8616f4.exe
Size

1.7MB
MD5

bc134ee57553cda5893b69950d8616f4
SHA1

b0f814326fa736e8ad47d92a5a5d8d42eec2e037
SHA256

dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639
SHA512

c6a6ba670bba5c0c029e98feaa5123563080c05bca28cb96a4034a10f13eec5ca57db20d5d65ee584216f14468dbee30bd18b0c82145fff38a7593574fcab58d
SSDEEP

49152:NunK8G2JQVT46bJQ+bfDTsrA0hleklFNARfYblgmZ:NKK8pu1hJQ+bfDTRRcFNpl5

Score

10^/10

ffdroider stealer vmprotect

Malware Config

Extracted

Family

ffdroider

http://128.1.32.84

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

Executes dropped EXE 1 IoCs

pid	Process
2320	Crack.exe

Loads dropped DLL 5 IoCs

pid	Process
2888	bc134ee57553cda5893b69950d8616f4.exe
2888	bc134ee57553cda5893b69950d8616f4.exe
2888	bc134ee57553cda5893b69950d8616f4.exe
2888	bc134ee57553cda5893b69950d8616f4.exe
2888	bc134ee57553cda5893b69950d8616f4.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2676-47-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect
behavioral1/memory/2676-46-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect
behavioral1/memory/2676-74-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2468	2676	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2320	2888	bc134ee57553cda5893b69950d8616f4.exe	26
PID 2888 wrote to memory of 2320	2888	bc134ee57553cda5893b69950d8616f4.exe	26
PID 2888 wrote to memory of 2320	2888	bc134ee57553cda5893b69950d8616f4.exe	26
PID 2888 wrote to memory of 2320	2888	bc134ee57553cda5893b69950d8616f4.exe	26

C:\Users\Admin\AppData\Local\Temp\bc134ee57553cda5893b69950d8616f4.exe
"C:\Users\Admin\AppData\Local\Temp\bc134ee57553cda5893b69950d8616f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe"
  2⤵
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
  2⤵
  - Executes dropped EXE
  PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2880

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 184
1⤵
- Program crash
PID:2468

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

Filesize
92KB

MD5
50629a14eca2b02fa4caac3a9cbb954e

SHA1
7cb40aaf90b11c013be142c0a992277df09378e8

SHA256
cd4a076138cb8cce0e14322cef7a8db3c5cdca158471a5f4a1f8821cd669f4c4

SHA512
531024b0b9534fe929fa5ee55e0f8d277e3643390dbad5bbfb01a05db8af7e2f465aeb5df886ea3e890e98120912a1c5d4a1d86e2a1d2b800079982c34508f61

Download Submit
memory/864-60-0x0000000001DA0000-0x0000000001E11000-memory.dmp

Filesize
452KB

Download
memory/864-63-0x0000000000570000-0x00000000005BC000-memory.dmp

Filesize
304KB

Download
memory/864-73-0x0000000001DA0000-0x0000000001E11000-memory.dmp

Filesize
452KB

Download
memory/864-58-0x0000000000570000-0x00000000005BC000-memory.dmp

Filesize
304KB

Download
memory/2476-59-0x0000000002040000-0x0000000002141000-memory.dmp

Filesize
1.0MB

Download
memory/2476-67-0x00000000004C0000-0x000000000051D000-memory.dmp

Filesize
372KB

Download
memory/2476-61-0x00000000004C0000-0x000000000051D000-memory.dmp

Filesize
372KB

Download
memory/2676-46-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2676-47-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2676-74-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2880-65-0x0000000000060000-0x00000000000AC000-memory.dmp

Filesize
304KB

Download
memory/2880-69-0x0000000000440000-0x00000000004B1000-memory.dmp

Filesize
452KB

Download
memory/2880-76-0x0000000000440000-0x00000000004B1000-memory.dmp

Filesize
452KB

Download
memory/2888-45-0x0000000003C70000-0x0000000003EBF000-memory.dmp

Filesize
2.3MB

Download
memory/2888-75-0x0000000003C70000-0x0000000003EBF000-memory.dmp

Filesize
2.3MB

Download