ffdroider | 1108d913b6d546b87ce79dc76886a70311e11dd96f9ebf0e71b4e14022e67f0f

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943d47d83fd5241dd08f4dacf05436dd.exe
Size

950KB
MD5

943d47d83fd5241dd08f4dacf05436dd
SHA1

1babac86e0a9f8852849a9bf3f281b85fdd86f84
SHA256

1108d913b6d546b87ce79dc76886a70311e11dd96f9ebf0e71b4e14022e67f0f
SHA512

3e49f4914dbba02bc75818d701202e262917dd29db2ff19c657361a1183ac25d45f864aca4598481e83183a709a124cae72a16d7adab8b24ceb3584ac72f03ac
SSDEEP

12288:Pivo6XvOrZfr+oeVcmx+l55/E6kFEREcyaf9bKRJVZVlDB1rjOeMozBtV/fRo:atXYb4jrKMObMrhLdMozBtRfO

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://128.1.32.84

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/836-1-0x0000000000400000-0x0000000000684000-memory.dmp	family_ffdroider
behavioral2/memory/836-503-0x0000000000400000-0x0000000000684000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/836-0-0x0000000000400000-0x0000000000684000-memory.dmp	vmprotect
behavioral2/memory/836-1-0x0000000000400000-0x0000000000684000-memory.dmp	vmprotect
behavioral2/memory/836-503-0x0000000000400000-0x0000000000684000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	943d47d83fd5241dd08f4dacf05436dd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	836	943d47d83fd5241dd08f4dacf05436dd.exe
Token: SeManageVolumePrivilege	836	943d47d83fd5241dd08f4dacf05436dd.exe
Token: SeManageVolumePrivilege	836	943d47d83fd5241dd08f4dacf05436dd.exe
Token: SeManageVolumePrivilege	836	943d47d83fd5241dd08f4dacf05436dd.exe
Token: SeManageVolumePrivilege	836	943d47d83fd5241dd08f4dacf05436dd.exe

C:\Users\Admin\AppData\Local\Temp\943d47d83fd5241dd08f4dacf05436dd.exe
"C:\Users\Admin\AppData\Local\Temp\943d47d83fd5241dd08f4dacf05436dd.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
6.3MB

MD5
a3a21e6d1e7f2fc8f0b0e494a31ceb4c

SHA1
31b4e04783e6aaa01d76f7a2c49baca0b631d177

SHA256
5cde58349a7a6db8887663c989cb00d9140bf1830a4d1aeb9c26c462f391fae6

SHA512
32d9714fdc7c116f57f6f39e053eebae6ca3af879babc80bc87915fa868cbffa3be01d7e161439a791318e8258390d4d4154b4fb2b45628c691b3926def046bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
50KB

MD5
68d0d68cf4c71dc207da2e85bdb598e9

SHA1
397755b39eb1e8038d9c0a04b6ca1fceb0ad4f5d

SHA256
31b29882c7e93e44c926dacd07c2bcc9210976cef3e3e941360c82c533c05f03

SHA512
576283ba3c5491aa58c51ac930f411b74139dbec16146182d867674cd9b96afa6414a55ea0801561ba6bfed3fc49ccda7953bade08c0cf749d853490708ef9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c7ccbbae0811c78b9a186b53775c9acc

SHA1
32a908e840c3d43e9f5579cde723987855e109ae

SHA256
baf10ffd50b8eb4a13e374a3ea522aa65c8341c79fbd6f69ddd48e98c9f37e3e

SHA512
e2bfad0b24fd3d4fd237d8ce7e99007666022b77ceac2aecefdb09a0abe76b1391e25110231bf727c90e44b180f3b0cb8c3518b91db756944b738407aac6d1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
89fc15c362e4dc1db9d4d8710b60e270

SHA1
df5be9a6230912d631327ea6fedd4ccd6262636e

SHA256
9dd0f18f549c532d6830ac08f404d0b51b000c0688440cdeab1bb53c808c60c7

SHA512
8bc10496aac04d45d0c03b076eda500858aeab446837d73f25a032cf81fef70b2736f8cedfb8eb336af71c2f7896eeaec1a176752f5a8d5fa89c991932801263

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
58d19035e46a3a2bb9865e9ca8a93db5

SHA1
3cf10ae7f605e3740eab00e414ad16687f150ce5

SHA256
51325410b5a395ced1ee4cd149fa9af1edab67a6ee70163a135a3cc6b6b36df2

SHA512
b5527ee036ad1ccc7b86a0ae8d815202b6bff573d7179fff994a44f0af466adbefe69190c870673e06e906b2c1039887f19809d76ee92e02ad2b26370df52065

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
22fb358644eb6a596dfd5f469a23d2ad

SHA1
c40a67bdebe585542e92dda9bd91cef8f00d483e

SHA256
59b9b11b99e62d05a63341abd621b7982aa80efd9ee7629147b36f8485c03451

SHA512
9db4c24b9e5c8dcf7bf2c30482cc57a39e31efb0c8a5ef1432f1056018f021fd4da3507dd5a80e86a93f12491fdc9cd9b82c323f1a8442dd3e2fe961d8e9217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3ece817bed3862ca2a7819b54a603309

SHA1
4ecb3080bdb0f2b81e07ebd13c1cb24d18370997

SHA256
b9f4789996e45e2b73e7a0724801a9ad5f584676e5b0c894e180458348f6eea5

SHA512
994b947a43092d4caeed03b8fd26903eff5f77d9d84d900844d9678dab7bb79d4744917b8fcb68a9049172e94d09cff7c6cfb169c37c1f4c14ec48fa42cb5f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
246948d312e0ba02ee2e3f97e3019160

SHA1
dd40dcfdfed05cf2883aa2f672e0c5724b3abf94

SHA256
c8bd8b3b036b87e9736411cfe1d720287a36a2369c086f9b34390797a7769c22

SHA512
9a6364bcdbcf0ccfc8ead61af56090691bdd92636d77d4a2ddb72ca4cbf1cbe0c656d5b4c1b88103c8a7b7cb9f1bd828ec3bcbff6c4787b217daacb7d64009e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1089d1e20c5e60ca45889f999dbb797b

SHA1
bbc5e198783bdf6aff1f626d6b87a1356ca72380

SHA256
dfb5ec50c1435e424ce8a0717eb127acd8166bad32ba3770e6046f3079a39b88

SHA512
88cb2db8542a1195e6240da5d39524b7376b694ad21f746a4336ee3231588dd8cef6bb057454d5351efd8f7dd9adb4ed1e3e01048903ba352463b3ea87de5ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bc9518c7514c177621af48f10cbed4a7

SHA1
b0b47b5b13d233c05bde3f1d6d884aecc2d69e9e

SHA256
f5bde8b393a95c721b46d9ad281e599ecbfcf404248a7a02e0f3d783bece249c

SHA512
f0a1e5d7b1ec52eb63e337828b6f153622e781e4b703c0856ced3e9779a341b75b528a03501428b30a7286783876e410d05444cf98f828a3358ee197b95cd3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e5c68ac8a17a4905886c7020684c3b5b

SHA1
a0fbff122060ab4ec1add046392514c41f1e3bfd

SHA256
cb308500bcf3a906b42ec6eb8b5b174cb944f18c7478a0f54e32683066897209

SHA512
9dcfa586b28782468c01547d2dcf909002748ef457280799d7d9895fa56b5dfaa13c278d88eff67ebfeaaa24f77c78b1055d875d4749ccf68e705b4efd3d2209

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
22f05f55a6350354fb7a06358dda4419

SHA1
fa48939424cad763028ed509c06be3ef88e6f486

SHA256
ab5279a2c96d8170202f59b4ce16e5c8de1181e4c63d1afcbb7b1ed5d74eb3b7

SHA512
e513d96f1c5d9466bd0e5acad42e7a1ca68e03fc8bd1e4590b0b3871733c7fdc1245019cbc9fa317907d4d6463f2d96fafedc2a83588713432f5b17a7d7aee64

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
976368c5ecba07e8196eb1a33018d082

SHA1
33506877872a5df108689d1b8a476ce6dd71990b

SHA256
e55ff150bcceeb32969956989ad319d99ebd882b9deab2331691d6444b51e70c

SHA512
0ac8f1684156522132bd44f67637b91fc56794b5828fb4fb2eaf80cfaeb673fea86b5929c74395b73bd4f9c44b6ef70ce5db9e67982ca79e01574b0fd91177b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
77de66b345453696869311a353d63219

SHA1
ea82d63d165d19d9788a44758ba6cbb77c3d09a6

SHA256
ae6833f3ce7fdec72b6939217f64e5c1ef3fa9223f037d6fd110ea3da39473ef

SHA512
4bcbdbe935d171d9a0e8bc7e75e2a5d53dcbb09e6d21211694f13e42b133f3c564bc6ddb69a999733a6ea51ff62f99b35fc2c002ad5b26d22441b2373ac788ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a2c20e10698c832863e23d8d21361438

SHA1
619816ecf9def84a37083a4ee19cb72a0b36e85a

SHA256
59873fabbede374f9784c705c0810960a91c6c33f23d1a5c76ddda969333072b

SHA512
6611ff6cd7dfda921f72e7d9382438197e21e232cc6f545ab3a272e9e80de9260f572f5103b984533e2b77f0d912d54c1956beb2f7392cbc8b24465679c9ec2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8558eaf52eb5082e0532a4df1c563418

SHA1
513c4db9d660f16eee429b2f59e565d3dd82de6b

SHA256
3811a1647c6559c515c4d29f131f603fcba8195ddae2385783b8267c818a15c0

SHA512
83f54fdb9160a7531846246f3d981c0f738e187451c0ffdc848337d5e9d4d9cde489d6b706cb23bb6687bf8c3a1fb25a47c255646d3e20d1615cbdc6b728b9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9ef23bfdae3bb5e540b03febec7b7c6d

SHA1
4f6a6f137ef9c17b7a5c814836332225b7cfc09e

SHA256
54962eae640ee95674fd510a71e34bf37b006d328bd49dd8c3575ff5bda03c69

SHA512
92baaac0455d7b82cd8b60465c296900648a11478149f70548693b0d19af4bca66ef1f10ea01e5096bfadd3e2aba6b4c20246f7adae0893faae419b2c0de1f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8fd9feb1e10d440bc5563cb9b039b66f

SHA1
1e5124873264984ea6832f568e468954537860e4

SHA256
d4e64c40975e23f598dba27c7edc10686df7c970283cad81eca482f78ed3fa21

SHA512
e2a49e8aef3d398e27d906a4ed160a54cc8d4d6dffffa9bcde0c3df03bf2db7f4e91c4c3836a07a8a08d0acf0231dae466c29d3e0bffb5f14ce2495730184b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9411cbad866b025e71b2d222659864bd

SHA1
e462ae0c0928bd387c1cdca26754908abe53a2fc

SHA256
031cb05189faec0c2691860367ae51d8c7705e2be1521d30e4f5805c3d503a86

SHA512
e1f1bb1961e47994b36a15c78b653f774fb58bb90d9a6ab75aa3c5bb68eeaa53bd38789e71cdad41924f2287af35e3411a861b1d1d01b777f51c7afa97b0400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
540be86c9b00e7ae1871effcf73b6852

SHA1
d8212701a24d8c271534409784e166fbbe861dd3

SHA256
97e4269b0c5c890468d893c903ca75c1d661e0da348ab787e6902e42dc205399

SHA512
b4bff73c5af618239ae0e56ee865cab5b88f08296b74f1abbacb6a94d5b3d430547a3990efc27384a9b5c5aa23d4933f5d584cd6090e7035982eaccdfa07a5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b54c8c3f011eb733f09eff5fccb59f6b

SHA1
092110c9d7d9b551ddbd6963421a313b35b9db0e

SHA256
2a3d4b8657c745ba148033c3eb13f264b074768aff9309dea6827b8c276b6631

SHA512
3191f0518876dac5f777d2cb4accc21206ea754efd8d7692ad3ffd541a85c5549d73cf25a9992a45730b30e47345b92fbcd1ef12c0dcfeb31da52cb755f2976e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7504dca17e39b542ed9126afd1f631f9

SHA1
6c911e28e1cf2b6323dc97357aaeb71569e756b3

SHA256
c0833d1d2ce4c0c83a194eda222ea1d9f2c091f8b56883b06c7ad5a8495b2d21

SHA512
410d945eb6e184cd70288836a0a02fc60f3d68dd429b4300c1991304cd73c1d167beecc92f9baf02605fb5fd75c6120242aa4c7991d9e33e677ac92caa00a14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
de61f2291c8e7a0d3aeb0290e13d2717

SHA1
9f210e61e5201b24a43ffbc00346959a0a90d106

SHA256
ce2261e15568d11c284df2a688e2194502317396dbec7dbfbb848e35825fe97f

SHA512
314eec28d4ba4af50a5eccad46e065619484124180399fd8b709125d59ddcb00662c9e50a932fa71eac06ed44bbcfce5a06077c769352f16b85f2e2aefc78add

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
612527287d7ac80fc057e86739ad1ee2

SHA1
3a1b66bb938eeba31302424ab45ef96adadab4c5

SHA256
3c1557c03990dc5fddd598699f349a90b18d528ace753baa5e33f5dab1ef6255

SHA512
f8bc96e05c311cd77743adbca0ae1376527b857dccaedf0dfe4310d84832e8ebfa4ef21074f5061d28c498532db37e6137e2881d77fb06fe6f1764a0452b31cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
60c6beb6ec9c88a2a904bb7b82673fbd

SHA1
7fc4d3c89c8ed96022ca969cbde70f50f0acd9fe

SHA256
bf5d2867bd513a7dce76119050b930719786924d64d01453f652a92c806a81e5

SHA512
dcafc2762c50effc3aa85c37618a072ec02495796859568bd5530e9daa8bef1f20b87a51eba6047abe2b86dc078f1d8e5dc84110b7393e7169c5b7bff451ffd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
367ff4e23e414f32d451007f1f46275f

SHA1
3431bf7de48f88635d74db44d20bcb292aca7d57

SHA256
55947ca2bb23a937bf9fe47596bb36d3d0543da4822080b09216de24ae150f7d

SHA512
29fd35c2241a7919fc0f86a97e547579089d377512e7b6d3f5d0930692f46a70fddd8f3b160a3a50c7286a69d71629770bea52d0dcbb6336701068ceca540ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
12070c0bc66891fb898faa07429ca088

SHA1
1323f92fe8e1675d1fb45f4c96c10e8384a553a5

SHA256
639d63e88bf548bec67acffa788962a97271564f1b4e4e1bfdad76eb93b5e2df

SHA512
7a0b71d4b392362e1d3b575d0d0baf309fab2afc4722f3f7bcabcd489c45e33fe9fdeb51ac3ea347825f4c2138b95566d1a9205e61fc5a55cb57a90e89e2f2fb

Download Submit
memory/836-41-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/836-64-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/836-128-0x0000000004520000-0x0000000004528000-memory.dmp

Filesize
32KB

Download
memory/836-127-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/836-150-0x0000000004480000-0x0000000004488000-memory.dmp

Filesize
32KB

Download
memory/836-126-0x0000000004460000-0x0000000004468000-memory.dmp

Filesize
32KB

Download
memory/836-142-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/836-122-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/836-129-0x0000000004480000-0x0000000004488000-memory.dmp

Filesize
32KB

Download
memory/836-152-0x00000000044B0000-0x00000000044B8000-memory.dmp

Filesize
32KB

Download
memory/836-114-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/836-165-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/836-113-0x0000000004220000-0x0000000004228000-memory.dmp

Filesize
32KB

Download
memory/836-74-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/836-72-0x00000000048F0000-0x00000000048F8000-memory.dmp

Filesize
32KB

Download
memory/836-125-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/836-51-0x00000000048F0000-0x00000000048F8000-memory.dmp

Filesize
32KB

Download
memory/836-49-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/836-0-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/836-28-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/836-27-0x0000000004950000-0x0000000004958000-memory.dmp

Filesize
32KB

Download
memory/836-26-0x0000000004A50000-0x0000000004A58000-memory.dmp

Filesize
32KB

Download
memory/836-25-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/836-24-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/836-21-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/836-19-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/836-18-0x0000000004340000-0x0000000004348000-memory.dmp

Filesize
32KB

Download
memory/836-11-0x0000000003890000-0x00000000038A0000-memory.dmp

Filesize
64KB

Download
memory/836-5-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/836-1-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/836-503-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download