ffdroider | 01b6cc40ce1ce6611be95ae1789fc6cfeef9cd7d1790bec437df56c54e1de42a

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2024, 12:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a651eb4302692615d55758345f634f96.exe
Size

945KB
MD5

a651eb4302692615d55758345f634f96
SHA1

e01b65b9d6779eab784918286fdc29339338e181
SHA256

01b6cc40ce1ce6611be95ae1789fc6cfeef9cd7d1790bec437df56c54e1de42a
SHA512

d4b0075c89660591073e3f5ea82eaf080369f48e0b1f2b69410120f555e21f5c0a1e9f0bf6709a70370801cc3645b9bb44b5c9b68932945370164e81d84cd30b
SSDEEP

24576:dcLciIlEHnNpkzmOEAEBFO9PROHx9zN45hjsz9ReVmb+h:dcXIlqLkCOFEBFmPy9B45hjTVG8

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/1672-3-0x0000000000400000-0x000000000067E000-memory.dmp	family_ffdroider
behavioral2/memory/1672-507-0x0000000000400000-0x000000000067E000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a651eb4302692615d55758345f634f96.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1672	a651eb4302692615d55758345f634f96.exe
Token: SeManageVolumePrivilege	1672	a651eb4302692615d55758345f634f96.exe
Token: SeManageVolumePrivilege	1672	a651eb4302692615d55758345f634f96.exe
Token: SeManageVolumePrivilege	1672	a651eb4302692615d55758345f634f96.exe
Token: SeManageVolumePrivilege	1672	a651eb4302692615d55758345f634f96.exe

C:\Users\Admin\AppData\Local\Temp\a651eb4302692615d55758345f634f96.exe
"C:\Users\Admin\AppData\Local\Temp\a651eb4302692615d55758345f634f96.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
6.8MB

MD5
993c38ea217af081b1e24a9123c651c8

SHA1
d120c8adcd8675b928152d6bcea111b95ac76372

SHA256
fcf012e1424eb01cd945029f12a978c338286c3ddf25b5a648c0425a147cd5b6

SHA512
3174f65316121f068824e59940dac7069f85d201d271b3919ed90282cd377b7ece9d15dbe2f1895432f5769b0f06d3ee20e6e91e800dd6e38a96af6a8d76d7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
68KB

MD5
cb997ca08182b4abcaa31e32bae77897

SHA1
0eb2104a7b8673ff3993f8034ff745c74dc87d34

SHA256
f024db8811873056c0418b9a299e7de4979be4df0ee1db80875bc0c29ac2393b

SHA512
05775123ebef4cb7106a41ee8324c587576cc31e3fcd3d144d9ac31d59df53fe985fb9d14bf13404e93d4c42284d5972346458fc1134408a634b283959132567

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
991fa2ce2b620bd0c3c213e701e55ff1

SHA1
1fde27f2333e710b4e553115152079bcd9768e98

SHA256
406a23976e026045f75ecb008550324b67f1b1f7e7627661d0c53a50cc2fb371

SHA512
45cedeeb31101805e59620d2ac1cefa4768412ce93496b0aa2e57d642e072c11126f7b348886080f014f2d5a9917134b1c8c8b463804a8689d36421a336b5554

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0d2408cfd632ec30d86554ef16213540

SHA1
21a70d491cb56ed9a42aab53806a1f0b2c5910c2

SHA256
82560502ab4fb9a01d079b8447d013ff2c8a69a77ed57ab90a9d90ddd5edb9ea

SHA512
5071335faa8fa4ab004fe769c50d84552ad43bc8ae26ac72250539bb9cd54df362d7f5f1b2ec130a9fc46f18da9e8048e3ca97b68752e263f7b8a49fc3bf086d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
90e688b83589e56059e7a01d09b77f99

SHA1
4f2d0f8e0a58e8026f1aa804b0fd7aedc7089033

SHA256
85786c4ca887d3cf361cdde86fbd36d066ca4fd473a49dc08e7121f530086d6b

SHA512
6839b93741a68119abcfff15f9d857a6da82bffdbdafb73e295c74fdd64fd8e99f092a65ca82f5eaa542b034359568d29170cf3f809181b3f5e1ecd0d2c5c3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c332439a02b802da105697785652bc2d

SHA1
7c268733beffb5df178d6d35726a1af1f66af15e

SHA256
d3ccfdf721f01d90180aa1d3b7a23b1b524569dbd361294cbd1734109e349062

SHA512
d3dfbeb719749ce4a8f636ff523dc296b693840b756e0e52307e99cc1c49a36f084d6d79a00a344e6000f7843b2404c17f53ca44110b549ccb8f9976ae8df266

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fe5a5659c8ed1f34b6f5a11016b63579

SHA1
b62304b8e15ea2f741267e601e68e09b9e489328

SHA256
a278eb612b076c1755391b9d1bc86ecb7071c8ebc206f29944dd9cb496ce1291

SHA512
063adc2c53793a1592630cce64a5acbbb03c8223bfe74cc422af16cc19025474519a95e0c698f2e50dae9e1a1ec593ed3ed9a79e7574a53e5e442ac9028ca4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
eca049d1f421368aa6eb6b7ea641e9ad

SHA1
58f3337dced09a535c87fb7b2d22c5ba42dc3206

SHA256
820ed7a1b40487965704aa1b545d125c321b97b7ed24283964e15029fed452f0

SHA512
02c07f080fa10b757f6c0ff2d9480d8b09366f9738e1cc929a8c6db3d358de7cda59f73b2f17fe77ff88c9012b5008818a8cd474f02cf8bcc37abde7b39a2b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
699b8854dde0774c5ef07c48881da37e

SHA1
7a0e09286696358de126f597f05ac74d2e3b2d98

SHA256
d388b05916bf77152af70359756d49d14c5716d4e9046e9dce266c33358e71c9

SHA512
bdb8c8db29840c5e3d6d1ef4279328c716190d5ed113695071bfa608797bf99e7c7974c87b415ade885626946039f1aeb4926eddd6f055aa1e12f82345616a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9d4de2b5f877dc72de5363f7049f9efa

SHA1
c869345bae348c96179c526a9efff13f794bc6e9

SHA256
12a6e9a3f04ee06d17a160bd25df88e8ae1cedda4d811b8ca614b9352531aab4

SHA512
6ce3402dbe18196903c80aac5fbd332729a436d50abe552ece979f44e0b07eea2806d36100f0b2943ebf65f53eb965d2719a1e7bb9fd4b27555243188812deb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5c42c0cee663d81be46cf86e3899e158

SHA1
6ea240ffadd50d7eb3a77d605113a27376e4aa0d

SHA256
f576d70f0824b66282a8b9588ab32b4b50d7d634ab7067b0c411c0050518a949

SHA512
3fa52a9b96a5900305e543fec08899f58f436fe202a91bdfa76cc78f6a49a67ee689a5c4246b04f35e81aa0af8242f7b0e703a575ddf2a4c83da621af6fd3caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
13d664273183602d762f33f90e4c934c

SHA1
eae7a7c294bfacf3b4fee6120a267e334a4c13bf

SHA256
f9509bde60b3afa5ea31f5bd6eb248ef20b0bb2d578700c2f0bc7008b10dce68

SHA512
7f33e0d3f911a17d3c62dd768e8400c5a1299d4245c79606876ffd719c05b5b19d72434dbad126cb5c1e16a6e593b92f3f26d51efbc236d8523e3b34324ea81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3387d6eb6865e0db34729a6879178fe2

SHA1
980679e75be511fb654f77bff49f68a7df6724d4

SHA256
a9aadef321e7d0483daf90c9a2987b39817834f1804caf745094bc0f81b253e4

SHA512
96f1c856ca3a108c34e9360fb3f1e15f80e2de0c7c39e46a82ea47ed5d8fd6e16535ed523e11201a27d95a8368e6169982708e9a79c94c1008fcf1df2a7f13db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
31c495f17b85d39753ce551cc6dc36cd

SHA1
48ef3fa818279ae314cfd89d2c598aca243a4fba

SHA256
50052e4684f547c1ea29ca302149a2f73c492168958563f57f5d089828ad5a5c

SHA512
f213374fbee7d8413d2861c7515cf0f1113062e7bd9c20a2a9fa2c4fa67bd097af664aaa488940055a04071152b3069f2967c596a113f25ff59f48a0bf7a1833

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
144707cceda2b97173cef24ce927e519

SHA1
39c93762511f9438f79be4a168c6123fc9751a5e

SHA256
f29a25f12148930d162458f7b957e56cad79bceb3a6e45f58c1e6945ca6ecfd1

SHA512
5f8e0a530f92579546e7d946a23dd047ac4636043e0da3dbe11b1ed936a692a83b5b10f34f5642f359c428959d15a3f37d886011b446d8ac1ffc5be90081ff5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
67e08bd71d7b5678db19d57af02a90db

SHA1
55ef75c9937ce5f4a8f6f1653bfa7b1a89ff40ef

SHA256
6a83931f33e94b31339eaee9d59b4cc5abe1e2004da235e4bc995558e4a01811

SHA512
996cf2c39ab8c73973e429cc711b9b99dcde6710b706ebe55855d44675d1d37006315ef6072a6620e69ea7e1f91b42fb1d1f7d9348441a1193c11ed123895e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
683a5249fc1eaa0493580a5b8741051a

SHA1
1be6958b0eb0c04100d5434fe32635d27a2000d2

SHA256
16e003caaa384024512ab988251966aaa7194e753fe11a6f627a02eb0246b4d9

SHA512
8a2fe24a647bac2fb35dcee5bc9a3c24994ce655ba9b031c662711670beb7dae605015f0797cde52e0bd1d7042ee76c3219daa60dde7ebaf493c302fec981bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b8343c9c468a78c962828bbc9cf1f792

SHA1
39f7b3dd8281c98314ca4f38c7462713fe1b0579

SHA256
f9ee1a44d68608275ec3476278d7a4db05bf97fc1a90d6c203cc7f5ed6239eac

SHA512
e20f6984cc7ad7a110cdd03270c5c9bae42cd22c7733c4937c151988dac59d27231fe974b9bd1a67f6df987beec83c5e02759072a81319fcf2db87609e23b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dd59e2b870cb73b23733f54765834e36

SHA1
c7b288d67097cea0e27e0851dc9690d9bc62ffca

SHA256
91d4cd12584a4598d597a83418e9a60c6c737a95a5614bc4d0c4a792a7252a35

SHA512
4757b49eca4a52a74ee109d75ef2757d5fe3521fb29720481fc144f8c888535533f0d9f771a2b1353e10851e00f11265c659b256201a6b35a8254b2a97344f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d669d4737152dfb320e0e6793c01168d

SHA1
d2a8b6f43b8a853bc624c5d9b559bc08af9da586

SHA256
06cdd1228cdde32def8b269cdee63ee48425269c4103d91982343553de3ebf16

SHA512
cd81134f8fb736662f2873abe9c51f975566c9efa1dabd25f506e08cacf63188a4019c4d8057f90eda77129122753f40972a2ddac4c33312b0054c166fbadfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8189da4e169c78eca2b71cdf5aef17cc

SHA1
817cc6eee9147df667c078d177e28b21cac7949c

SHA256
5f78da2943aedbeae2bb155419b3afe835e06825a273daa8c0c07e6a4702b515

SHA512
88a24b71d7b49f4dc10ebf7f9b079ca002c0de21684ad14e3265c3e3e8affee7bbe4ae08cf5f1b0a7d3736bde1fe97922c8ba50e1fadbda22cbfb7abd6fb40be

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d4b46cd326c5d7fbb578e7a466f01e76

SHA1
65b9a3a916bb9480bce78e7f38d93f1e22ed245f

SHA256
f469bfc121a1674c450c74869589aca16953aa43eda8fbae55f226445b1cf97a

SHA512
57cf4bbc4ca0cb9812d1af0ade4b11e17f5b8ba1c2e5081f98053ebc2b76acb281c7360a67a270b34c65d32475aa30064c4c60fb301be7c3b71d403f3f991f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3c662a3e389cddd31a7a89e3fe0abc16

SHA1
29b938f1821751dce1dff312ef56a06c1c5a4258

SHA256
6b2917ec6fbfd5b6e613b39b6953ba2820c50ec2596663db0d12f0f71f168068

SHA512
158d06ede81af26e8e409143d5c11258a348886521bc5356d2f4dd7ef3a3ef14703faedccd0c2f400deeb0065f8760d6221cbdf5f9e81ef68e8f7d76b59c0efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b107ee0b052860786e2f6b00b1d29534

SHA1
4cc7a024f2c0221c10f71b123ae26615c48de306

SHA256
cc289de4073fdd73115af1c6c2511cad1344ba3ef22ffe99831997cef9e6b16f

SHA512
fa12e3d43f35bdb9da45b9c67066628fef0ef4e3d5124fecaa4d62ca0f250ec2c4005a6cd28a5ff578616011a2c77cfd15fc8307367c2f155a990a477a1f414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6e146acc78349166854020a4aef9ebb7

SHA1
228795e410db15c1fa9516ee40ac77a37aab9af0

SHA256
067a094027fd4dc26dafc4817abb57f049341f0668bb1f1f0957ca46bbf3a60d

SHA512
25777cf180fcab0668a27ed1db79b48bb0d53bc8730750a86fe64612a49ecffa7287ee52130fe931579021dd7c219d50a658114be0bacca1df61c6e3436310de

Download Submit
memory/1672-152-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/1672-23-0x00000000048C0000-0x00000000048C8000-memory.dmp

Filesize
32KB

Download
memory/1672-124-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/1672-127-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/1672-128-0x0000000004F20000-0x0000000004F28000-memory.dmp

Filesize
32KB

Download
memory/1672-129-0x00000000051C0000-0x00000000051C8000-memory.dmp

Filesize
32KB

Download
memory/1672-130-0x00000000050C0000-0x00000000050C8000-memory.dmp

Filesize
32KB

Download
memory/1672-131-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/1672-29-0x0000000004BD0000-0x0000000004BD8000-memory.dmp

Filesize
32KB

Download
memory/1672-144-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/1672-28-0x0000000004CD0000-0x0000000004CD8000-memory.dmp

Filesize
32KB

Download
memory/1672-53-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/1672-154-0x0000000005060000-0x0000000005068000-memory.dmp

Filesize
32KB

Download
memory/1672-27-0x0000000004A20000-0x0000000004A28000-memory.dmp

Filesize
32KB

Download
memory/1672-26-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/1672-116-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/1672-21-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/1672-0-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/1672-115-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/1672-30-0x0000000004A30000-0x0000000004A38000-memory.dmp

Filesize
32KB

Download
memory/1672-20-0x0000000004800000-0x0000000004808000-memory.dmp

Filesize
32KB

Download
memory/1672-13-0x0000000003D30000-0x0000000003D40000-memory.dmp

Filesize
64KB

Download
memory/1672-7-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/1672-3-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/1672-43-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/1672-76-0x0000000004A30000-0x0000000004A38000-memory.dmp

Filesize
32KB

Download
memory/1672-74-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/1672-51-0x0000000004A30000-0x0000000004A38000-memory.dmp

Filesize
32KB

Download
memory/1672-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1672-66-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/1672-507-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download