ffdroider | 1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

General

Target

308da60a9996a07824a1a1ce3a994d05.exe
Size

1.6MB
MD5

308da60a9996a07824a1a1ce3a994d05
SHA1

24828b0bbbe4b975e2d73cfbcd6633113145b2f9
SHA256

1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94
SHA512

84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe
SSDEEP

24576:pAT8QE+krxuiBQZ0pzvtIej9zXs3a/reJkSA3ZeoI5fiq3DMR9HC+QKHHIVqPJ7A:pAI+gV22RjuK/YtLeJQ4IVqPJ7uT

Score

10^/10

ffdroider lgoogloader discovery downloader spyware stealer

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2728-43-0x0000000000110000-0x0000000000122000-memory.dmp	family_lgoogloader

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2848-63-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider
behavioral1/memory/2848-79-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider
behavioral1/memory/2848-84-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Executes dropped EXE 3 IoCs

Processes:

cutm3.exemd8_8eus.exeinst1.exe

pid process

2680 cutm3.exe
2848 md8_8eus.exe
2728 inst1.exe
Loads dropped DLL 3 IoCs

Processes:

308da60a9996a07824a1a1ce3a994d05.exe

pid process

2804 308da60a9996a07824a1a1ce3a994d05.exe
2804 308da60a9996a07824a1a1ce3a994d05.exe
2804 308da60a9996a07824a1a1ce3a994d05.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2680	cutm3.exe
2848	md8_8eus.exe
2728	inst1.exe

pid	process
2804	308da60a9996a07824a1a1ce3a994d05.exe
2804	308da60a9996a07824a1a1ce3a994d05.exe
2804	308da60a9996a07824a1a1ce3a994d05.exe

Drops file in Program Files directory 7 IoCs

Processes:

308da60a9996a07824a1a1ce3a994d05.exemd8_8eus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	308da60a9996a07824a1a1ce3a994d05.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	308da60a9996a07824a1a1ce3a994d05.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	308da60a9996a07824a1a1ce3a994d05.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	308da60a9996a07824a1a1ce3a994d05.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	308da60a9996a07824a1a1ce3a994d05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

md8_8eus.exe

description pid process

Token: SeManageVolumePrivilege 2848 md8_8eus.exe

description	pid	process
Token: SeManageVolumePrivilege	2848	md8_8eus.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

308da60a9996a07824a1a1ce3a994d05.exe

description	pid	process	target process
PID 2804 wrote to memory of 2848	2804	308da60a9996a07824a1a1ce3a994d05.exe	md8_8eus.exe
PID 2804 wrote to memory of 2848	2804	308da60a9996a07824a1a1ce3a994d05.exe	md8_8eus.exe
PID 2804 wrote to memory of 2848	2804	308da60a9996a07824a1a1ce3a994d05.exe	md8_8eus.exe
PID 2804 wrote to memory of 2848	2804	308da60a9996a07824a1a1ce3a994d05.exe	md8_8eus.exe
PID 2804 wrote to memory of 2728	2804	308da60a9996a07824a1a1ce3a994d05.exe	inst1.exe
PID 2804 wrote to memory of 2728	2804	308da60a9996a07824a1a1ce3a994d05.exe	inst1.exe
PID 2804 wrote to memory of 2728	2804	308da60a9996a07824a1a1ce3a994d05.exe	inst1.exe
PID 2804 wrote to memory of 2728	2804	308da60a9996a07824a1a1ce3a994d05.exe	inst1.exe

C:\Users\Admin\AppData\Local\Temp\308da60a9996a07824a1a1ce3a994d05.exe
"C:\Users\Admin\AppData\Local\Temp\308da60a9996a07824a1a1ce3a994d05.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\Company\NewProduct\cutm3.exe
  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Program Files (x86)\Company\NewProduct\inst1.exe
  "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Filesize
576KB

MD5
713afa947d8d2541c555cdfbed8f15f5

SHA1
185228ba5f7fc82e28721a472b66c19b62d06959

SHA256
b3e6018fde1b826a1c601c4d4bbbe32ba2e4a280bed68b12fde686b9d80fdfe2

SHA512
f20f8401fcc8e51eab20db2da7a818f9dcffefbefede6569dd98a721c516aad659761a65a2517a27397be9c3213253fd73e9196e733596b5980654c16650f6f6

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Filesize
768KB

MD5
2c402eab02a937803f4dc4e9de328820

SHA1
96fa52fa71f96e1af390619e45468207864faae7

SHA256
b974de0eaa12f1b6bfd3e183a8154c58e20d1cb85596dea5be992bdb621fb0a7

SHA512
baffc7f0870acb4f2428191873b29dddf8a8e2297aa05c49cd156d7fcee790c78e9edca0dafd702fc2bad9fd5c6c97a1272d3a46677266c9764aa73697229def

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe

Filesize
120KB

MD5
0c4b67896878d36e29f6822641d1974c

SHA1
fa6a326478d80abcc29c12f20e163e86d4c8116e

SHA256
81f361b9d1327582b6f489effefc306bbaee3cb44c8319e27cb94fca764632fa

SHA512
594aedf1e5627fe54de0b9528a49d3eb99e4db0039c4877fccbeebbf9b35efab75ed92e9cfdcc7cb69597b0c94585f4c517c19224e7f273c9988495c70ef8381

Download Submit
\Program Files (x86)\Company\NewProduct\inst1.exe

Filesize
257KB

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
\Program Files (x86)\Company\NewProduct\md8_8eus.exe

Filesize
924KB

MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
memory/2728-42-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2728-43-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/2804-35-0x0000000003300000-0x000000000352C000-memory.dmp

Filesize
2.2MB

Download
memory/2804-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-31-0x0000000003300000-0x000000000352C000-memory.dmp

Filesize
2.2MB

Download
memory/2848-34-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2848-36-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2848-63-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2848-65-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2848-67-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/2848-73-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/2848-79-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2848-84-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads