ffdroider | 1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

General

Target

308da60a9996a07824a1a1ce3a994d05.exe
Size

1.6MB
MD5

308da60a9996a07824a1a1ce3a994d05
SHA1

24828b0bbbe4b975e2d73cfbcd6633113145b2f9
SHA256

1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94
SHA512

84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe
SSDEEP

24576:pAT8QE+krxuiBQZ0pzvtIej9zXs3a/reJkSA3ZeoI5fiq3DMR9HC+QKHHIVqPJ7A:pAI+gV22RjuK/YtLeJQ4IVqPJ7uT

Score

10^/10

ffdroider lgoogloader discovery downloader spyware stealer

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/740-53-0x0000000000BA0000-0x0000000000BB2000-memory.dmp	family_lgoogloader

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

308da60a9996a07824a1a1ce3a994d05.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	308da60a9996a07824a1a1ce3a994d05.exe

Executes dropped EXE 3 IoCs

Processes:

cutm3.exemd8_8eus.exeinst1.exe

pid	Process
1260	cutm3.exe
1252	md8_8eus.exe
740	inst1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

Processes:

308da60a9996a07824a1a1ce3a994d05.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	308da60a9996a07824a1a1ce3a994d05.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	308da60a9996a07824a1a1ce3a994d05.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	308da60a9996a07824a1a1ce3a994d05.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	308da60a9996a07824a1a1ce3a994d05.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	308da60a9996a07824a1a1ce3a994d05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4660	1252	WerFault.exe	92

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dwm.exe

description	pid	Process
Token: SeCreateGlobalPrivilege	4012	dwm.exe
Token: SeChangeNotifyPrivilege	4012	dwm.exe
Token: 33	4012	dwm.exe
Token: SeIncBasePriorityPrivilege	4012	dwm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

308da60a9996a07824a1a1ce3a994d05.exemd8_8eus.exe

description	pid	Process	procid_target
PID 1148 wrote to memory of 1260	1148	308da60a9996a07824a1a1ce3a994d05.exe	91
PID 1148 wrote to memory of 1260	1148	308da60a9996a07824a1a1ce3a994d05.exe	91
PID 1148 wrote to memory of 1252	1148	308da60a9996a07824a1a1ce3a994d05.exe	92
PID 1148 wrote to memory of 1252	1148	308da60a9996a07824a1a1ce3a994d05.exe	92
PID 1148 wrote to memory of 1252	1148	308da60a9996a07824a1a1ce3a994d05.exe	92
PID 1148 wrote to memory of 740	1148	308da60a9996a07824a1a1ce3a994d05.exe	93
PID 1148 wrote to memory of 740	1148	308da60a9996a07824a1a1ce3a994d05.exe	93
PID 1148 wrote to memory of 740	1148	308da60a9996a07824a1a1ce3a994d05.exe	93
PID 1252 wrote to memory of 4660	1252	md8_8eus.exe	96
PID 1252 wrote to memory of 4660	1252	md8_8eus.exe	96
PID 1252 wrote to memory of 4660	1252	md8_8eus.exe	96

C:\Users\Admin\AppData\Local\Temp\308da60a9996a07824a1a1ce3a994d05.exe
"C:\Users\Admin\AppData\Local\Temp\308da60a9996a07824a1a1ce3a994d05.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files (x86)\Company\NewProduct\cutm3.exe
  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 2108
    3⤵
    - Program crash
    PID:4660
- C:\Program Files (x86)\Company\NewProduct\inst1.exe
  "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:740

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Filesize
93KB

MD5
bd59758ebc9c9cb4a94d957a5efc160e

SHA1
ee470f060088199587541917412e205a439c80ac

SHA256
ea6702176afd8095543f5ac3c8aa43e94903c1a544c964c815c7e959d0f25b3f

SHA512
bf8490c707efa2cdde7988c232f4070f34f5e405900aaff939527993e7ab07724dbbb5f4261c68fa755175bf3741c292f7a46dff065861054022260230c1c05f

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Filesize
900KB

MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Filesize
381KB

MD5
2b0f2d942c07a0183b3e833d7a0cf68a

SHA1
1c9c1a72b042589ee11b734cfd500c00d1135733

SHA256
5e337d626cbc6e126afc1c2c5be3bdbd2a1b22e92f635ec4a375f550e6022e2f

SHA512
c098a36ab623662a35f7d92c7b2341af455849d2bb71b50e95f2834e5ad70513e3e3e34bdff2c575c22a8074c023774f145d35e907c2e5da1add8328467a3ed2

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

Filesize
381KB

MD5
2aece53ae0ade80be04811e579d37525

SHA1
93f2365949c205f58c8f0e80842f4388e391861f

SHA256
1d671cc9e8d4e58b1366860bbcc9cb330515db2cbc4eacf927620ec5440a6ec8

SHA512
0c5024653df4fbc44a5221a35b4119c6fbee936e03213fe290b68246a060298b5944c1485a66e3215c34653dc7ffb8c58b1125d7a2b026f40c7f4c0f2c21ba9b

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

Filesize
92KB

MD5
b2215702bda83470b6c985f94f8b2844

SHA1
8332306497aa4c2cf459527628c3a870611cf373

SHA256
bb2c8ccfa30cd5a03e3ea6161d2ff9a4afd743458202859cc0e5b62d11797095

SHA512
9a9b98ea68cc83c948c9b61bae342256b4018fadf956c39e62ff5f028a5ad7813fd777e670790a8b8d662db8957e4b81d7176512154b9077f0c681d126a9fa58

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/740-51-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/740-53-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/1148-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-40-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1252-41-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1252-57-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads