ffdroider | 0e531029c9914e235afd9f2312bfeb6e78303c5afb5e3c5cc753a7825c132944

Analysis

max time kernel
163s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3476deb75801446ac3a3df7326dcac73.exe
Size

920KB
MD5

3476deb75801446ac3a3df7326dcac73
SHA1

863b9c8518e6542d69b8b413766158c0f1a2b1a0
SHA256

0e531029c9914e235afd9f2312bfeb6e78303c5afb5e3c5cc753a7825c132944
SHA512

69cf604c777ea7c41353378523686b8e2b5e6912b35f82c0d8ec34aa569975d53f15e085424f8c899b9e12ddf3532c9e7e07a41cd19016120ee4de0a9213ce1b
SSDEEP

12288:mJ63CEYPtxrkzDxQnvfQBao68kZHRfEBUDOumP2f4sWAoBfg7HI1ShDebZB:mJzKDGnVeARf4P2wjBfEo1M0Z

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://128.1.32.84

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/4752-1-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider
behavioral2/memory/4752-4-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider
behavioral2/memory/4752-504-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4752-0-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral2/memory/4752-1-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral2/memory/4752-4-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral2/memory/4752-504-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3476deb75801446ac3a3df7326dcac73.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4752	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	4752	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	4752	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	4752	3476deb75801446ac3a3df7326dcac73.exe
Token: SeManageVolumePrivilege	4752	3476deb75801446ac3a3df7326dcac73.exe

C:\Users\Admin\AppData\Local\Temp\3476deb75801446ac3a3df7326dcac73.exe
"C:\Users\Admin\AppData\Local\Temp\3476deb75801446ac3a3df7326dcac73.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
8991ae72333d758bfa1e519cd4b82f70

SHA1
05a92f2e444489200f94b029365303777fce4d48

SHA256
7e48196f6e06d5ed8928b3679e702629f9ce0ac93187645217663c7ac037d3a5

SHA512
6da76c3057bc2a172116724d170da8294f7bc6001458bf9580f43ad1d3c362c1ff4350cd528fc85fe679d37ebb8e5d7a84ab1aa4bdadba2d1942e479646119b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
80KB

MD5
ede4f1c63428180a1e70b2651d6e1eee

SHA1
02854a6a35b80e502f77cfad67231d99647fdc98

SHA256
1cc93f38717e5e1a93f1a1da9d814ba741ccdb34cb383941b3e16c5f0395a3ae

SHA512
d645e50eea8229f81230dcce74e9c5b80a3d29aa9a9b7d5a185e319d77dde48df1647b3155556468451ec920789d67989d56367913a62bf2c0c8853e2b39cb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2e40be0ba9dba3a08b19e296421a2486

SHA1
b27f995f865f2a71fc55695e5c14cc152434107d

SHA256
2f14eb3adcfe4d4ba49e9ff8813445ef93afca7db4caf519dec76c894ae39dc2

SHA512
e8c5a0190db35222c85973faf0d1cc1152b28b74a7bfa5b5e7a45fc6cdaa60382081a289cdc8269383f920a76764a6970ac34db9540fad2e3e0462f4cc051a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
295f2ba75d94274cfc8dad7233d52178

SHA1
dc9d1162661d7e1c1e7122b72904de916822e5bc

SHA256
96269e45d1723e3ae220d3cc30a1ddafcfe0ce47755bcec28abd2ede8c86c733

SHA512
0da8d3f8bc0d92eb1581e30a7651afd739b0fa758be2f2899ef5645642851bc4fb7bf196abdad4b6779b7533f95bd1c1bf71b01d2e1b77d201c0d0cbc83bea2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9ba4c2de3d3874dd3263811f3b249b60

SHA1
fdeaeaa7c7f5b0ad99f0e135e0f8aced4206f3d2

SHA256
4814c35110aa8906287ba6050c944882e2e411ab67e2da0bf6c8f719afb69e3a

SHA512
877371a6c87248122c3a70952f4ad064e75d2c07e22904eac4c01c5ac42c8428530bbf4900adc546a52bc98498de5821077686272a5fee6b1c23accee22b61f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0ea3ece1ab43448b1a92763772cb3aef

SHA1
35f3a323527fc1141030b93a6aba2bbe61714355

SHA256
df72165375b3739cf9bf402b525d9b8addf85f63e05a1e5975c8b1fbe4e62380

SHA512
bd3698e6cc309c60ee3831c2da427cdf051541e8542fc4cef30e9ed08476ffdd6b2c9bc1f5311a77517519ef411b4c442c73000f4840c26518db03250746e72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
17ea3eab49e0c623733f421a9021b32e

SHA1
a812068f06b896db5d147e5f508ef1babf890c8a

SHA256
941b5504fe2da5f8ae4dfc4784fe579545714da844d20f25054e7e3bbdea1fa6

SHA512
c280f9b6b3b5219bb5c077724e5758aaea37dcab2eafc90652aa50491232a60ef0b063139cee4293d89d8669505b181d90236ca869c519aa1d6df4cd187a4fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c17c6d48d141eead6273731dd4eac5e9

SHA1
67f9152353fcf561e0f8816eb5a0413194dccae3

SHA256
eb14253fe7e172c58668e608eca5c11429eb2e6f909fe887ace320cbf153cedb

SHA512
86d70eac7ffb64e3e530194f1237d8abffe188c4a8509e7ef3cad0ca70c83a32937bf7d8862b47ccac83a6d9de275ad07703592b14379acb81f192a5a1bb2524

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
991f97f931757faf404bf3b94e1f41df

SHA1
74eba4fb8283703ac25086fd414fa253d3d5d0a2

SHA256
f70f0ac1c47c31c1c16d878e50497c89083ef53becef37fb9be43e898c4f3074

SHA512
9085eac4521baafd0fa8a493620fcc3a88dae3d0ccadb300fda4a7e2099daea17cf2cead3c3f79b9a95003ff458a89165e9fb75aa9ee8b032cbe7447a19251ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a8b1f3ef1e9cf76462bfcdbf94505862

SHA1
28a150d2f491e6e07f7958d2a3e294571e8a00d3

SHA256
28601e4a8741c5722e9b6ed6f64efd6e86b8c0c2f0ef06f7eb0eb1fb7642a226

SHA512
f382e09182322d10cd96e6fdee69ea9e19e1e645d3ffedfe9eb5dc2f3610b62dc2e5753afe44cd8554af20da96d62a69ff689f9a49083ebd366b6331f3824daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f7918100d0f699d6be379e4982e684b9

SHA1
c91da91f55fc693cbd7a51b55940bce883b627fb

SHA256
405b1a80ab28d0445dc959ffff1644940adefb369f1894d98ae1b91c11ece843

SHA512
ac3317258188c0f2c4b44e82b2bd1a168210a32506851e3c023f3f0f4248a8fa4c6d2d04ddb4e8d213012c63070f0681204e270b6aa6fddfcf4e320da0a25363

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
756880b0358d4e519013ed92e26bfc11

SHA1
c730d753a8a71be375701d969dc3648d4f1ec392

SHA256
ac0c28b456f0c5c11a4ac954c0d4e62617dea1867f8334e36749337d165c9ac8

SHA512
e2543914df730b61b4d754c11c6c82502bff4cfe211102b1283c9707605a3ea3fde93958a557b13784b76b38e4c91e8ea6f2e21657d18205db08ba4f4f5f0fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e0f70efc3089b9ca6eb36e9cc72b4bc1

SHA1
a156afc904d6d71c5ad189edddaec0d0bf1467d6

SHA256
76ae79f4a671d1eab9c7983e5653e523210bbcf27097f4bab1402b679c284a46

SHA512
1d4abad5169e423acf39622d3339ee88e7044ae1da563fa2c76b02f842edb5e6adf88df4b2e0e1b035871dc46692bbe7320a0e57e5649f9379b1ff158fbe37ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4e671715f1099bcb174a06eb311e1b34

SHA1
fa6f585458ef40280d04a45c06cd3270158dda02

SHA256
055f0a3fde27b52b0b1532f7b53c378ef137a01c8400ee7e16fb12623abfe773

SHA512
e013775b765396e144838e80a8f87b169ca230595bd3e0487e53a65d019df3286c045fa42645817600f5113b67d8ab16fe493f21999156c330053205984ffc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9250f918273b65d3edbaafad6d83b9f7

SHA1
a78a8fd28cb89aece962b4ed89b162623c74be6d

SHA256
15f6a37b0dcc5276e876daf7cce722e6c82ef61175d90fddd92065052fc604a3

SHA512
5c664472c36970f1e6036dca559f567e318f948b77c07609838feae661f9003ba8a591140d7d0de11f05f4a01252eda02805ca090828357dcfcde8617badc60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8bf5ec81b6efd920912c93eca36fbe6d

SHA1
9ab29333466c8f21ac454901b39d4c103b1bee91

SHA256
d6bd34f64cf6963f0da614e5db7005cabd9429dd80d8756e37d4a80e685dd561

SHA512
fde56b36a037ee9b997e682e86d75fffde2ae77c7254e808e23ef3e386bbfa0ff82e29c3d60939699a9675cbca89cac7b752534d9a81463928a8bee319d08f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
68bed2ac4234fedf2517f939c8d1bf79

SHA1
463e4cdb494f9386362d02ab56de37dc9c688fc5

SHA256
2711b98e56c0a8bdd4d749f90278842ffd66c8c22c49f4ee03e61e866d61a6f7

SHA512
c846ae6a5e473894aa1add50a5e4ba96ce95cdc716f533c6a73f01e5a642a870c10f07412c31caf3a639a6142d9ec590ec1d55a0c556f26d71cfe167725db215

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2ca8348d96288d68cffa1ae78acba7d4

SHA1
91d0ef9117e3d829cb7a4ce5bf79f7966bbbf3b8

SHA256
8dbb9c409d905bfea0bbea329a0ca34f4bee571a7baefb04426ac206c9be80ca

SHA512
b8a46decfcce9ca56eddbde35633088f149059ef6899e0fe3d534574bfc836ca2d1f8d46e2cb4f80008a4fb9e959843ff94d9860a73482890b0da746a46c7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
daaa2ea82da5a13313d16d202dde0e6f

SHA1
901fc23248abde2a4a48e0c655a76035d8ea8564

SHA256
10b33084572510240a403e12d28e0d4653b07f4925ebdaff519ec73511a8c86c

SHA512
51f09f2551001981fde9866375542385e8847ddd4f053e8576c739fc3dcaa1981a5a8754ba27e4a36c5a3b8e533b38fea4e05722e81ec3d8f6d8654129b3b2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e09c1e4a1bf497d7ee73277a1d56dc9a

SHA1
6e5641b793ef1e3da2a0faa7e817592672a03e11

SHA256
dca056753c427a739a968a9df461032e8dab0fc1111cee093631a16db43f0c35

SHA512
57910b23178501b3549818df92591a4c4d8cc27bae40b876f94e78480460c6e23039bcd0c1aa7dbf769d8ade8c2d95e7bad2621443b92c777694ed2949cce3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9edfacaec0c297cc338f8690fa3ca1ea

SHA1
f042f6181c590ad3fefe083e0f6dcded588efe5f

SHA256
063014255c06b6b15c78ec3959b021271ce0275e1e7b65f2159c075bad243ada

SHA512
ffe6a7bd04a7f1d6c61b17edf0c756dcb13fb243c4d9d3635a11eac370cee759898c69ae8c0dfb111a8cd88472d0f1b5b039491636675c8d4f6b0b19d8cebd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f4617d655225c2a4e622e0cd4a0cf70c

SHA1
7d3220ba1050959fb1416704593e898e6bfa07ce

SHA256
142294322d3dec0b1f0cfb1ca20bd09f4471ae8b2cd23f93d21c038409629927

SHA512
20400bc39a1eef7fa9b8a074ab8821b3d925f45570a60d0b1d8bfd7d31f98f516ede497707feac0765296cf1f4efa89ec00301a7be6140554bad6a5c6d382ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a9ddd3451839b233bc8b27787abea040

SHA1
f5277d135583ed6b22fe8a5ec47fde6cefb9e2fa

SHA256
57501fde270c90e692e6253fea07148b82e407300b262b3b666053c8d5427ed1

SHA512
2b61e82f2ea9c1ae2cebb43457d129abdbe38d998e2192dc5a2bc0426d42d91b1f7a72f8b45ca916e475f6f66d60d83a749f89e9e038b189c163b4f0aafb2916

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
89e65f370aaf8233d1aedcb0d8adb77b

SHA1
4b58e14669c7411689a79758a251c491b9deeaee

SHA256
b7746393cd385c85a53c015ca1d8d5173735c52641257bcae4ea1a1c14dc7f89

SHA512
f400cdd7f10a1e27ea1770146daa5f45e151619ef2e41a3934a95071e467717a74d84f15997618bd1ef06ae9a1503f8dbcd07958cff0a5f70ab1c1d59e2d49d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
311f9df549bd7c52fe2997586dc0deba

SHA1
a129d94eed538666693a967f12c239c45a59bdf0

SHA256
0f9462c7f46294f05a12dcae44138f9e95642c456b939cc094315e98d108ea84

SHA512
a50a66cb613da7c745afb5dc38478a6b75d2eaf0f4bab6bad3f4c27dbb5398fb21dc8887659ffe2bc249e85b21651ea73f034f1864dcad5507b517ac708e0e69

Download Submit
memory/4752-166-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/4752-4-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4752-127-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/4752-126-0x0000000004400000-0x0000000004408000-memory.dmp

Filesize
32KB

Download
memory/4752-128-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/4752-129-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/4752-28-0x0000000004A60000-0x0000000004A68000-memory.dmp

Filesize
32KB

Download
memory/4752-65-0x0000000004470000-0x0000000004478000-memory.dmp

Filesize
32KB

Download
memory/4752-143-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/4752-52-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/4752-151-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/4752-153-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/4752-50-0x00000000048C0000-0x00000000048C8000-memory.dmp

Filesize
32KB

Download
memory/4752-75-0x00000000048C0000-0x00000000048C8000-memory.dmp

Filesize
32KB

Download
memory/4752-504-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4752-123-0x00000000043F0000-0x00000000043F8000-memory.dmp

Filesize
32KB

Download
memory/4752-130-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/4752-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4752-115-0x0000000004350000-0x0000000004358000-memory.dmp

Filesize
32KB

Download
memory/4752-114-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/4752-73-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/4752-27-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/4752-26-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/4752-25-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/4752-22-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/4752-20-0x0000000004470000-0x0000000004478000-memory.dmp

Filesize
32KB

Download
memory/4752-19-0x0000000004450000-0x0000000004458000-memory.dmp

Filesize
32KB

Download
memory/4752-12-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/4752-6-0x0000000003800000-0x0000000003810000-memory.dmp

Filesize
64KB

Download
memory/4752-29-0x00000000048C0000-0x00000000048C8000-memory.dmp

Filesize
32KB

Download
memory/4752-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4752-42-0x0000000004470000-0x0000000004478000-memory.dmp

Filesize
32KB

Download