ffdroider | 7b1cf1979579775f48e8d20974753453f75963b3094d3b95519d9362e943dbbb

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md3_3kvm.exe
Size

924KB
MD5

53b01ccd65893036e6e73376605da1e2
SHA1

12c7162ea3ce90ec064ce61251897c8bec3fd115
SHA256

de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
SHA512

e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
SSDEEP

24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral24/memory/2956-5-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider
behavioral24/memory/2956-508-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md3_3kvm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2956	md3_3kvm.exe
Token: SeManageVolumePrivilege	2956	md3_3kvm.exe
Token: SeManageVolumePrivilege	2956	md3_3kvm.exe
Token: SeManageVolumePrivilege	2956	md3_3kvm.exe
Token: SeManageVolumePrivilege	2956	md3_3kvm.exe

C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
1.8MB

MD5
c0401532376d80f0cda78a785117e768

SHA1
41a153611a308d51cbc3670afc4bacdeb5c0b3a1

SHA256
9fc495e89c731698d5a216eba6cd07ab93f096d2c3e716cf10e45651d09d2505

SHA512
a2f1ce650eda18028b433500aeaabf72b5e80b304e8d3c5ee0fb5b9af6e6dd90c73adc84705d4bd8a38beaa97c4022541ff489b1a5294c339621932e8f571b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
48KB

MD5
8fd515c586b9f1602d0e788b910cb0cf

SHA1
65c9dcde087204c402ee807f34a2e8bdddddfe4f

SHA256
4a369be00069b9d0f3ebe25860a7df0dcd97dbc6d286f2aaa6f5c9fb5992bad2

SHA512
e2e5255429655f2c6aa1f905c33723234c9dbcfc5176dfaa27d95ffba9d7a9a69149b49bbaab993d7579d33c1be877430ddb6a111c6ef67c30276252f7e94f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c71d5c3cfd61f002e3ddf403e095180f

SHA1
2995f0dde1b1b366f1ffc180c083475a4b94f4d6

SHA256
f9053414e6dbdbd47030bed40f3a8a4ae2eaab480df001e084d004ea2c658348

SHA512
a13729b3499cbfc684a23c7eb5bf137f1cc4932c58cd01309b929e98f9d29259f864ddafc0abe0ecc324d149ec434bc1f49bb84d3255466436935bb0bd29339d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3ada0cd18bad6dcbd449f5aa81b2f1c6

SHA1
6bda14a0dab4aeae675f74bf0284d0f035cc10d7

SHA256
13306a6748bbd7402c84b5c06d1f3cc5651a8a4f80d48ae8d76a90c12346beaa

SHA512
7986a9fbf2ff13c3507b7f7b69f1a4d49773f1b64b7f6aa7cb465e9a98814c1d50a9ab1317b7face34e629668091e5e25e0ec33056c21487ea522f8629802223

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
eacf1702b94a2963367e3265f14ed4b7

SHA1
671d7a0a0403e3a6620cf56433c64eba770a4dd0

SHA256
a1dbd1381d5769491f5998e90f30bb3ce3a98232a07a19c6be7fbd5fc0e8f124

SHA512
b623a7279363c45d31a6fc2a4313e8583a8af62a8e80e348da2c5a83952580eb82e29e4fc60336ae5124978a1c54fa7c820b17b07dbccb5686d06540df568dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d78623dbe546f78651ea55ef375384f5

SHA1
cc51c67335b5350ed14bf1c30b0fe469f82c4357

SHA256
806e553cfd56a5de5da529713202e69fc6e585b70cc78ec0d7d445acf0af367d

SHA512
46c8b3a69e739c055af10cc243c616f584ba3dbefeed010e7d197cc331b89a71f7eb9056683cc91e8e7314f522fb2a7bddac0c252248866ab9315ca2a593f841

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2f651310cf2ccc5b51c5e8b3dc980d87

SHA1
eb8cdfe5a63a68e0f59d3b746114cc1aa2f92515

SHA256
87c03656b72710b8ef282ffde023e7fa52c5e5d56344cc28694accea8b69322c

SHA512
8d332ff8519b212b31e67db45e643693f47678de95d8ccb54fe56612de84074afd266c4b189eff7476ee381d43f3072c8862aa76c1912ecc0a0001c9e09d1229

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
06df21ec7f90cea83c2d7bb1605912aa

SHA1
122b7afc7399631c8171063ea707b5f3545fab74

SHA256
3f3c4dbbb045bfba7cb32e276bd8ebe51faad8e2f6e0c04342071a3610ee8bf0

SHA512
e77b842ff44fb4953691f4823d600dfc11ff2aa9b58542b89b0b2c14aa95ce9cf29a6633352a214a741857576669d103e0629815440480c200f8a4509995e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
813e6ec39955474287b3e9251924404c

SHA1
3916f96e6d6a518fef99156f1d40372b65622230

SHA256
00416c80453f0cc6f4e4965d7cef2fe41b43082e9ddd8942c009e8b638dfbdb7

SHA512
67fd7cf97343988ae0e830bca498cf870f18b15ea1eda4528e128585f51778915887961a7d9b6fbe9b1cbf61aa6402a4e29490bda656dcac43c348bce35c685c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dcbe64c323fe9f31a7a8209338c24f7c

SHA1
f44425601e982e0eb7c0e3b4aeb86feb62c944d1

SHA256
9ec722c26fcabb697e4df16afaa614ad40cc1a2cce14126c1d0900b3c32152fb

SHA512
2d607169a81c205ccd6c4b2c95e79cdeb27ca3db72437a8f8f1a5fdd9555aa43c603901ed61aaac941e1231095f0e07d8bbd1ddebf15c9f27fb839eb867d76d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c505f45f0ac7b3612f4277e0cfc59c31

SHA1
d4c3d0059ca8eab2d7ebb28ae285e3dc2bc1d259

SHA256
41b06b8873405cf483bfca8fdf0c635389c49151f4c55a5b716d847e91642ed5

SHA512
ada8debe34a544f2f74d8355405324c895769981171e0327d6676e171e456159e23c2cf20be984cb52086c45769e30886d947910cbd2dfef6bf9ae2c0139234e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d4fd463a3b094de42d7f1ec59f425b72

SHA1
55854c78874a797e5a31b397b6b886fb381f848e

SHA256
d02b2b5a173a4e9a345a817b2ae4d6fb03f9c4dd38b7b6eb48d25eaa17a5ea6f

SHA512
2beb078154fe1e0f60a420640145c0339a83ac489a0b4de6e201a71a1457d2c54eae7cd034d0b7d1a5584134efdf8e533134813083eb62e0211695c0f4ea8f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3bd3af831022742a2c4e9c4988574d09

SHA1
71265200ddca5a3619b545b76ca606e0d56e7799

SHA256
20fcc4149b8ce2c1b6a1a9e2a2551f2c7574e6b0957602308efc7ed9e44be79e

SHA512
d7d520f0beee32578320381b4b3345b1e118c6d62bd58456e6e1429df4f09e7fb7d685078662c62d5a2cbd5594cf1d9aa1cb3f0923801a825ab4a21ae3b9207b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2edb08b9b127df78550e1eb5d52f8d5f

SHA1
b07e94c977fca2ea973f41b8725e19f2ec6fe20a

SHA256
0c76c7581c8709c054519b684bcdaa2cce9b42fc23f00fa5933a810c5469c2b8

SHA512
144cc187a30a95bf127a74b6b694ae4b7eb6bbeea42e95719d99742a6128b8fb76253ff9e14fd10bcc229ab861a77f4178e86d68c969e2d0ed10e169b1f06910

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f931747e8f1e43a405f56c8a1cf38f7b

SHA1
8d018d2b92a88159cbf6acc9900be5506415596b

SHA256
aef8f127b14c91bba8a239adee41c9240d3ad652535e503658355a6dd7b84fe4

SHA512
90b54cfe9d5412e60ebbc0c2d372f1f226970311bba91920f19ce58459d1892b7853d7b4efd79f599fa63c2e02f0a8db8463142da38f2d2c6d0cc895074849c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ea6b8e42c54c67763bbb583a3a919659

SHA1
8991648b75a5e8f2f6e8263e0c6397a0ceaa8003

SHA256
158fad9217b36a3d6e7ab9182a0f39f30dfeb525806c4b71a499d384669bf9f8

SHA512
a4ba6bec5fe4c7987f7b6bf51f83b2673144bb9c45620b1705ecbbd1009e5ff06ae0a1803ac874a882eb1e67ada6c4c05750df35dae52ae4be54c0aeb61163ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
142b90751aaca8583e8676d633ead07f

SHA1
fc4c00843bb7d8d54f01d07d42c186712d73a6ff

SHA256
7b37779331d546a5d3029f7dcc5201b7fe8bbdf85dc72f7b3e5748075230ae7d

SHA512
9f37bc8929e3e23beaa3bdbe4b960c62a5b42a591940cd43a8766ca53b569a22da3103bb3ee8d0a9c8e429eae2977e6d3587f4eae25955aa718abe054520cc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
81604fd86a5366a5149f127e7f59464b

SHA1
299ffd22d382c5eaa91cf738ca9e62154fb50c5b

SHA256
f1e96213a67e82909927df6ab57e019344e5e2d5a6a4f5d6266e66908388f880

SHA512
f5b6857b1bbf0221e9844dfa7793cb4969250fb2454bbbba20686433250f0e831807a5c07c617e2b3b3e3c2ee82e086488179da0929c1ea5b831837b435fb555

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e6ac7296c3bb6877107568c9e41e43cb

SHA1
7bcf4c774b0fb6dd4e21765361419ebd9acb60c8

SHA256
05bc23b2c72968863097171ca9c612815fcf0bc3c2d5306632fae5300681218d

SHA512
0da5b4e173c0bfdc634b95e7aa2b57fae17962542363db1ef56d6cefc5933e58bce8f06407f110b9fb5244089b2fe11710e5ff17343635ed53c9c65f0913f43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bcc82cd966b6fd46e3b07791a99d7d01

SHA1
7c33075e519e84200fcbea3099428964fcfa1189

SHA256
fe1958644ca931468857060ad8688a55cb2fd815a10e49481895fc8ac763b04c

SHA512
e40de3c81fc79f69b22b28dcdf1054debc6737436fd5bb933aed762f6b4404bed46c1956cb44121356c568491f6b8629216acc4109a24698903e4687ea19c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0426d64ebbb1b2349ab9cba7a17c0643

SHA1
e8c772997e16a8d4238b2655321e5496c43ee356

SHA256
e60122b6353db6d5a13681a26bb111e2c49924d0734f7f0245c859ac84094e5a

SHA512
cb67ed4fd1ad2ce7a2feb81040a341961cf6184e7d2fd58a53b1c29145a86ef3ccbb6c700abd0efb80cc994248c84db2fd530ba7732317a676853877adadd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1f034f9009ce94cf1a080219742028d9

SHA1
a6acd3abe2a2e40e56817347a80df0427e47f341

SHA256
4f209af4b584b510bf4d4d0ab321d5b701bde7d54833ade7a0b1fe21bfb6ba24

SHA512
5dd1369aff425510e0e6cd95ccf387e218f5cdfd86e0a905f2571787f7a691ec144139e9db123df2543c7276a7a6b2abd229c54da5637005f48b61d93cec0b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
aab1c12d2f82f43f743f1306539cc32b

SHA1
0f621b1170c479f1e195469fe77c8af869d85a8f

SHA256
0d7515c9b94c61aa037e6262751b70a68d0a8451219bda2c6adf6002b2f2dced

SHA512
e938179b4066ff214013661ae2ba234f4a1ea7ff171796ac79cae0e5b1724220122238a1fa03d4e94919688b45ac0d206ee2bf71cf2dc847a488cd8c4567fd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ea05fe8346022c1bed1fcf52fb4b243a

SHA1
8bb63b58d58db0107705f2f88c27889827dad022

SHA256
a40927fab3523c758cc2b689cd71061c904a4cf52b32f363d2deee4215efe605

SHA512
65faa379b624c855335cc39bfee9c4ae1c10947da6193291881c4b6fe9af1830fb36538b8b5a321af849930209924e0f7e35ef1c0a5ea328946960707a9fa208

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d2f77ccb1276c2d433da7772975de538

SHA1
542725222c5fe72b40db6a41ae3d55ed043908cb

SHA256
fd1a4373afc5aa221a7ed7c5700d7772138f4a635ea092151cff0eac72f1f020

SHA512
463d88cacd9c041afa812d0dbc6b790de86c2d6e3f5f6f26a937fc7cc2b98ae70d92c476d80673c6332912c1447e8179d4f980431aebe27069f18c714fc9cd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6ff405d88e1d96285df9d4a5f62cce35

SHA1
778222330a1834e6c2438e29d98455b36a252fa1

SHA256
aaa158ba2f3f17a44877bcb21d841d47f61087b6c7d3c8c0b12b84fbdac9fd8f

SHA512
b90f52db9c6efa6f2ae15b4d01d991cea44b9272b39661a8a3f6a51ea9ebfbbf912431254082a28dc2cc0833a39df1d4f61f0fdcf169873ffb70d3fa08e78732

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f70ba5f44a49eb1d9962680eb20cac77

SHA1
fa9c0db258e9b1bf3c8b5007b1ad99a9dc28a0ee

SHA256
c8b6c68c01c090e1c1b9f0ee2ef5f44c52cf0134b199486f3b9f612d0dd4f369

SHA512
2be2d6254be93e6de649756ffbed78467267179c7518aee5522c30a21546734b2008f17fc8688cebbae7ea0ecbcb2995083feb826fb2e1943713a566ae6617f2

Download Submit
memory/2956-45-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/2956-55-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/2956-130-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/2956-131-0x0000000005040000-0x0000000005048000-memory.dmp

Filesize
32KB

Download
memory/2956-132-0x0000000004940000-0x0000000004948000-memory.dmp

Filesize
32KB

Download
memory/2956-133-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/2956-126-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/2956-146-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/2956-154-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/2956-118-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/2956-117-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/2956-156-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/2956-78-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/2956-76-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/2956-68-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/2956-129-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/2956-53-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/2956-0-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2956-32-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/2956-31-0x0000000004A30000-0x0000000004A38000-memory.dmp

Filesize
32KB

Download
memory/2956-30-0x0000000004B30000-0x0000000004B38000-memory.dmp

Filesize
32KB

Download
memory/2956-28-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/2956-29-0x0000000004890000-0x0000000004898000-memory.dmp

Filesize
32KB

Download
memory/2956-25-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/2956-23-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/2956-22-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/2956-15-0x0000000003B90000-0x0000000003BA0000-memory.dmp

Filesize
64KB

Download
memory/2956-9-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/2956-5-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2956-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2956-508-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download