ffdroider | 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce11de1000560d312bf6ab0b5327e87b.exe
Size

829KB
MD5

ce11de1000560d312bf6ab0b5327e87b
SHA1

557f3f780cb0f694887ada330a87ba976cdb168f
SHA256

126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a
SHA512

655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655
SSDEEP

24576:+Fm+gA9AW4k++iO31ad4uOcpg/SPvFLI6:3+gA9AW4bkTujZvF

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://152.32.151.93

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1520-503-0x0000000000400000-0x0000000000644000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ce11de1000560d312bf6ab0b5327e87b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ce11de1000560d312bf6ab0b5327e87b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ce11de1000560d312bf6ab0b5327e87b.exe

description	pid	process
Token: SeManageVolumePrivilege	1520	ce11de1000560d312bf6ab0b5327e87b.exe
Token: SeManageVolumePrivilege	1520	ce11de1000560d312bf6ab0b5327e87b.exe
Token: SeManageVolumePrivilege	1520	ce11de1000560d312bf6ab0b5327e87b.exe
Token: SeManageVolumePrivilege	1520	ce11de1000560d312bf6ab0b5327e87b.exe
Token: SeManageVolumePrivilege	1520	ce11de1000560d312bf6ab0b5327e87b.exe

C:\Users\Admin\AppData\Local\Temp\ce11de1000560d312bf6ab0b5327e87b.exe
"C:\Users\Admin\AppData\Local\Temp\ce11de1000560d312bf6ab0b5327e87b.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
16802eb26cb2c28dacbaef57bcd1aa95

SHA1
b11656276ff07f1cab9214bf528e86eed2f22a84

SHA256
472405f759df5b3ab33af638480f5cae42f981742acf373337bf5e326e0b3870

SHA512
86504d7ebbb3cf5dc144d3b6523c272e044f00d78816c1c09f4b80e3037db0681d783f53f80ab24c63c231448363b95322467a1570e682b4906683424c90b0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
51KB

MD5
beba225cf177787390fdcde072111c28

SHA1
271dca02b9618f63597c5a0b5fa22efe4767a5ba

SHA256
16bc37855a16c5db464670b7df9c13018b157bd9287b4b4c895e89bfaf13b359

SHA512
12a15e9a08dd26b0cd337cef47707205da32eededf762345744e6ec4aea2edc0e61b801baa8781bccfc6ce844a07d6b07b4cb4088b7e8cd00cb3f891b2fb6138

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a13e61d361e2e44f9b9bfd42a52284d8

SHA1
0e3bd7db6342aecaa8a4aaad74a09a45b2f16d37

SHA256
72b7cb4023b574674bfd5a5f821e696f1e53984e29c4273a08a3334f2466f663

SHA512
3cd0ba661633238fa50e6ab2f06676a9ca53331e129ff1deb1347a00fa2be34470a509c2246a935db10c8359592043583012dd669bbc3da18dc4bcbfd629dd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8800f496a458787d3f4b2158daca66ad

SHA1
0acdd1c7d9bb630c5ad2dbbac2b959ac7f5d34d4

SHA256
0df37130e75b21c54a3d130b7ee2702d5bdb9dfa6ed93f2a08ead03d1a9d416e

SHA512
d104ecdbde799c30c4577f04c7bfd8586b958199bc927fa2a89295b28a0ad14d272c30be88756622a32019d0ccabbb99fea4531cb3e4345e8354df3e4fc34ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9c683f8ea942db310847e0e8b11ed0b9

SHA1
0d5ca0b5012b1511e546a619845c74faa5b5e001

SHA256
1d23fbe22b350b589aeb4d3b96e45f726d2e648933a9f69e6999dbbedf337efb

SHA512
407e91f94bc317caa4385eca269ab3bf84faf04fae28d763b510e587c7f9da06f2e0e1f80fec8701bdae326bd349572d80d9231679140632126c86cc24c1becb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
efcd02e3ccc45d094c55946bec4b222d

SHA1
6f0200c893f91cf3d1dcbb06772c8d8a090fb1e8

SHA256
b9bddbb0739236350da3326311b0943d866c3f08f84557355a19d71c805ae6e2

SHA512
f20628a1c62de6b5750c6e2890cd3a65aa89bbe1a0a206ce6d86da5919c8f3d49a56077af2d1d39873331f0bf06b8aba22a6536133b48dbc59efdbf6ac4852af

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3a69c326eeaa78f1a7a3cfb25823f71d

SHA1
b56961b38926345763e459350a8895236f873ba3

SHA256
ca207c46905981a1a526b2fe86a437c3296b162837e786a0760f5c5a9c248faf

SHA512
52be99b448aa423771fff8e346db0e354e739eac6909f00e4c51bebb4c53ce7459c3088948bc0a641e8f8a6b734ff360116c4cba93a937ee9bbfc2b37d0db384

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
983260da0f2e6d9cfc4760ade28755e0

SHA1
8acdcfa2851048635eff4bc2d2dbdf02ec98ada5

SHA256
b798d4ce9f249b68dc67e41a1ec76ca1a6a9afa7d62ec0626bb3539040383d26

SHA512
80b6150313e6a42491502ebd8bdf90aaa3acb5efb630c4cb2dc8c8e429034ac2b7a91ea6ab9c13c904799225f727e8e6ba6d55ef9caffc240cbb9c42521e2002

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c642d255f9faf2854d1126e8ec72134f

SHA1
0f5b101da4eb7e16f59305d6de144b5f445ccf91

SHA256
b65b9bece1c8e9e2cba3768db28b55e2d57bfb27464f1122eb0a1b151d6bfcbc

SHA512
ec27dc55490ea8176721950fe75136f44376af89eaee098587399be8d48850fd18c06a01c61748c99ebe3812a6dc04637b3a35653b493582a574e69922a1a997

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7dfe244968eea6ed183cea7f5dc0ef86

SHA1
e830d4e09e397e9adbf8b32103a61fd7f1b40401

SHA256
4d9e591aa4af2034aec8a242f4d343e70b125642200f34d27c09adeaf5eb7018

SHA512
c2dd1bc64d2a4a01c14134a8d5feb312611fd9ee999b9c71462e2ddf1ab5880372dd46d42c34abe6ea82d9e393aa5f43b58238782cf929841aba50b9a13f3642

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5c18f8853c58612d34da945c628d8237

SHA1
fe173810718e2206b4282ea46e45955d2cb752cb

SHA256
cfc17db9c4dca788b754a6162a3451d072f7a82bb989d8ac8480f74c1d6fc5fa

SHA512
0c6634e819b446e6695e2d6e4391d97093249f577b99d542fc57fdae5a79aa2ad51dcd3770c7f96ee37a21470a2e069117b9a6add5e0ff08b6d9e8233e065d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
476859989d1b54f97c8e0c9e611da783

SHA1
38502548df1e42f8e460acfb061397d8d6039940

SHA256
0ece3bb80bf31cfbf04b63ca742ca6d145323b10b6ee0a660db1147419b5561a

SHA512
8c03b8905fa10170161ec36083e3e4f2cffa3559dabcd2e58a7e4c884ea6847733bc5aafbfe65841a19adf8aa8c28012436b23fa811b0bf6dda446bdf095bf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
021d829b51901208fb3b3bee3b0cf34e

SHA1
106f5b91237164800a976e3aaf62601784d84f38

SHA256
6b608b8a1da9d60a73c1a3bc863d10af050da45e31ac49c764680748cb7a3faa

SHA512
fb2a3bd060b7c8b9488373788e4cac2700c1f17ac7ad6ee7b24decd85d548c7200d4d8a8ceb2007727d291af857acfc35eb65f553a8affdc5f56a073df7d4d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a15e4d625cb0c3d4859b74a8d3fead51

SHA1
cef3b7967cbc3147950a590f07b87a22d2f8829b

SHA256
ed03bef06872383dc48261a2b7621023872cdffd05b28d2e988199766d800b89

SHA512
a1c4adc8603b273a3f4c9bddae8f9cfbba47d66dbd18e9dbedcaeff79bd65044016104225d6ca44d2adff35789e78cddfaa420b7d8222c2877ce997968b7a113

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fac1ff6a1799920fd41ae14b942cd71e

SHA1
a6c817c2536cc3d6f4b442f2173b56bc548ad301

SHA256
d3f4ac67ea857d4dccdf02a0816d2fe0f14405f3b9a5e4bb1502889247d4f538

SHA512
c72be98a795e1f8f1d97cf32ecbd91a70fc9e8205439e73807fd2c0e7e3433ac994148597caed772d6a594e7671bbb322bc355397d6766c938b57564c35599b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5add9f5319ddf4bd0f8cf2dece61cd58

SHA1
5bb9a8c9fdc994916df41d87e96177ce78c21ce7

SHA256
7348cc929dff61c405115ec5a2840fe6ff86b1ac90dfefec4237e56ba35dc54e

SHA512
fcf7b10515e1eb2e8a2913cf573c580545bed7f9fe2bfa08ef5bfaaaca6d8f26d98f9b0809edb1c615613dd13f68b0976e7ceb1df9b48b804d8a2a3557c9a919

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9ceef54534fd209bc0c3179cf8bce519

SHA1
9eaa155a05477166111514c2e1cf857a360e5d9c

SHA256
132cbea58ff56f4c30f1ce8bcfb6a1c47f02aac3d1f5842bffe70c9c8995c7e5

SHA512
6d60033a9f51f13082d70cd82be034e2c7217ed43452224683691527f1f81588c48bc8e53a55876c919e5444ca3c7d16fa3808cbb55e1b28de2749d75ac30791

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
26a25d3887c14e797d796413c8b95d21

SHA1
e87e3a8170f094862024d69e3f9c6e084a5795d2

SHA256
565ff92380c22683903c8b9fcbe5836690e4966ceecd4d426452c04a19fb7946

SHA512
f555d667e1a12a1de4ea57351edbd7f1f2750dc0298176571a43e3137f380aa6084d46062ebba1ff52a0617c4346e5373e4e6ccf036edf94b107398fbafe28e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dadaf3a5450a0a9f9b357de0dad99db4

SHA1
e4fe2ad981bfdb725769239444aa4a4920306f07

SHA256
c2a5387e1821fe53afd7ba97855dd5aeee8c76509f0bf5987b749aeac63b6bfb

SHA512
e42fa529b90ab6d44dc2a380ee57dd51b3ebf6d67670fdf57bf54fe1977443bed7fbe4d17c780359943f51e02b7ac6f5d781f3254afd164639a910029259887a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
446c27b17bbd22cbff6c99ea75fcac5d

SHA1
b22e60a806bc64d154e98eba055ccaf04cf8d019

SHA256
48e3f809c3b469ca968fbe23a13a839e07bd1596087487d0af13aa53f2478c60

SHA512
384915f46b6166ed46c99b059593ecd37751a8c81f13d8fedbca97ef72779fd964c18388f88d54e05e1dd470f4dc4254163a306db77af70761919d7928b9dd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fc7a54ba5915befee4549610bc69d657

SHA1
b1cf1f72ec4e9251f5b886269e791ea8e120db87

SHA256
a876edfa93854a49e69ceb316d3a3f97fd12b2476e1e967d98dc4decffa7c9de

SHA512
c7b004f1e74fde9a8bab5b766449129ac26c8eac0b93a6fad672452307e6e0a4e5991ec7e8d1eb406592aeb725b0082097bdf3c01f65fc795382c9dd0b0b8734

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9c6a57a0cf152f51f22e3d73e317c9ee

SHA1
029d6be784999fd4de901c4ae5afb4e44b2862bd

SHA256
1d8ebff8bd4915a9a660d650db9cf202ef7eb117ac4dbcd200d2e0a6d392f279

SHA512
bd94e5f72f4f2ed26f571d228a8a72dd6d2cd63d921652355699769bb979c79f1ed984346ac9f457b1c418878ae3e21a1bf38fb93401ec3b8ff012b80f3225df

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3fe4f17ad7c30826db9780708e9fb3ad

SHA1
697fd5307e6160dbb0e51f6b05911999acb7cd94

SHA256
1f5889bf4336c0c90b7a8686039a5717226c2494c2790586e2fd21ef67c819df

SHA512
596b99f813a587da5ca0204dbd083ad712fa4d4383173fd1514aa5957730b71a2cdb7357d0aaf4bf531499a5ef51736355c352b758da30da8b690083ff5a3bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2bb0da2f5158e948a04566d17b3eebbb

SHA1
fd2c391792cf3f3aba3aaa78927d1d37176fe015

SHA256
ffbaedd9f0672e558d52f46014346b7bb59d3a54bad93bf9bffbed844fda91d0

SHA512
7e8b9725e1081304523d091c9ae5adc38f46bd5019317870b794aa7c4b6dce2159fe84b073554e2b135837f45da926ffd227aa86fac79779864de3113e062ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ac23bf3d85f97882aa86c3506760a5ca

SHA1
7fecacd0a5868e8ee9f25ab177dbd9de85cdba8b

SHA256
55eabd834a6f52edcae0904e831ce0ff0a388c0962e044e4db2244f90c5daf5b

SHA512
0c3be12ed7da2fc55357868602ef0088c29fd3c0e956636e15f8a2aee85b745637706ef38fbe81139c30986ce6b0015f42d6cb43959f0bccf59b2f91a2613bef

Download Submit
memory/1520-40-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/1520-63-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/1520-124-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/1520-125-0x0000000004A60000-0x0000000004A68000-memory.dmp

Filesize
32KB

Download
memory/1520-126-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1520-127-0x0000000004D60000-0x0000000004D68000-memory.dmp

Filesize
32KB

Download
memory/1520-128-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/1520-113-0x0000000004440000-0x0000000004448000-memory.dmp

Filesize
32KB

Download
memory/1520-141-0x0000000004440000-0x0000000004448000-memory.dmp

Filesize
32KB

Download
memory/1520-112-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/1520-149-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/1520-151-0x0000000004AA0000-0x0000000004AA8000-memory.dmp

Filesize
32KB

Download
memory/1520-73-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/1520-164-0x0000000004440000-0x0000000004448000-memory.dmp

Filesize
32KB

Download
memory/1520-71-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/1520-172-0x0000000004AA0000-0x0000000004AA8000-memory.dmp

Filesize
32KB

Download
memory/1520-174-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/1520-121-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/1520-50-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/1520-48-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/1520-0-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1520-27-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/1520-26-0x0000000004910000-0x0000000004918000-memory.dmp

Filesize
32KB

Download
memory/1520-25-0x0000000004A10000-0x0000000004A18000-memory.dmp

Filesize
32KB

Download
memory/1520-24-0x0000000004760000-0x0000000004768000-memory.dmp

Filesize
32KB

Download
memory/1520-23-0x00000000045E0000-0x00000000045E8000-memory.dmp

Filesize
32KB

Download
memory/1520-20-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/1520-18-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/1520-17-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/1520-10-0x0000000003A70000-0x0000000003A80000-memory.dmp

Filesize
64KB

Download
memory/1520-4-0x0000000003910000-0x0000000003920000-memory.dmp

Filesize
64KB

Download
memory/1520-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1520-503-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download