ffdroider | 1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7eb620404874d7f77870f1b1ecaeee3.exe
Size

758KB
MD5

d7eb620404874d7f77870f1b1ecaeee3
SHA1

e281d765ee3facac0140732427c291f1a31d90b4
SHA256

1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708
SHA512

5042740a5f8d650cdce19b07eb45896dac5b76c853a60158b4c09ddbf83f3463ba6789dc93357aad18343add3a84e1e518c9511e0bc1af16ff16966007ad4bb8
SSDEEP

12288:AfZMnJxs7QUxOwR8s3AYxHHu90MnJ33Px1MKU2GLcOPSv8AQv8JyWOOFPDGMi4:AfZMg7QXw2sQYtuHJHpORncOKv8TTWNM

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://128.1.32.84

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/2604-1-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider
behavioral2/memory/2604-378-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider
behavioral2/memory/2604-504-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2604-0-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral2/memory/2604-1-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral2/memory/2604-378-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral2/memory/2604-504-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d7eb620404874d7f77870f1b1ecaeee3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2604	d7eb620404874d7f77870f1b1ecaeee3.exe
Token: SeManageVolumePrivilege	2604	d7eb620404874d7f77870f1b1ecaeee3.exe
Token: SeManageVolumePrivilege	2604	d7eb620404874d7f77870f1b1ecaeee3.exe
Token: SeManageVolumePrivilege	2604	d7eb620404874d7f77870f1b1ecaeee3.exe
Token: SeManageVolumePrivilege	2604	d7eb620404874d7f77870f1b1ecaeee3.exe

C:\Users\Admin\AppData\Local\Temp\d7eb620404874d7f77870f1b1ecaeee3.exe
"C:\Users\Admin\AppData\Local\Temp\d7eb620404874d7f77870f1b1ecaeee3.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
c4e90865ae38edf4458e51614d803aa3

SHA1
d1d5129bc3b12459af9fa2f4a0ce17c4d4aa555e

SHA256
f6b8a5e7a9616b5582a8bda6674e5be8e0c56cfb72cf28d1c6345772e70050da

SHA512
84763c93a537d4bbd506e8ceeacbd5f6d84243e1f1ccc937e61a51c55459555ae710286f0154128f5d107ee620d178c8cb1fe0c5b42ef3c0836c804b73419711

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
72KB

MD5
12c9535fb37a5a7821d9527530e7bbf4

SHA1
6a35fe5b3520f523c324ffb3d14732609101d01d

SHA256
26512ca3ed5fdcca4393340fd32ebc663c2f0a198bd4c6f8e18844ab0e44d14c

SHA512
ad6635a9735ec18d684142143063c853865bcdd5be3099a61a14d1b03ae3bf10d6870aa959a91d48b1e01edd185587797fc1cdb41ce1534550a8c114c2472329

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0aa46adb76dbdb3d4c200c64dfe83480

SHA1
97a3ae4618d65f67072ba13cd418e8ed2cbe1149

SHA256
d6b8dff7394495edf98336f7ef4b11e26268fa8e6537672ddc25ee5f5d531242

SHA512
26ebfddad58349d106b593bf14f2c628c515a69c0730397f03a0fa0ac6d32ea36e6ffef59c75eee70fea9f8fc4e63eb6a4bc02ee01bd6b67c53d3822869cea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3f88421374250d718bb58e40ece7ba9c

SHA1
a4ebd80e88d22f0b5d550bb3253089aea589c878

SHA256
ff9b2f6207bd817b4998754196a221aec7b8e86b6b4e0888b53b6bfc90a30a30

SHA512
c0147a795aeed2bea4943e3e423f5ff0dfa1b1b397a7a1dc49b2fb296c807ddb2d9564da65e1a8e26d4d7832cf7e157a3370816238d678dca08ea42918ca9716

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c59ab3a7ce45befc28896c2747cc797b

SHA1
7bf1251e6257199ab65dbd8a7b5520c667eb781d

SHA256
9eb7620e04b106699d457990a52cdd1119cb7a3da150257d5225c0d1e2fd948a

SHA512
6172340b931ea2fd3e8521bd02572d648e994964724b575ab7f492bb1f21f7e5cf554a5646eeded85ba86605b50e96e6935ec557e966978ca68e20d7837b1984

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c1dcc312aa8737d15a763b4b0374c400

SHA1
58d96f4501e94c1aa34e537f360e80915edacbe8

SHA256
2bedf210dd328c5d11d6ff5945cacc2d2706689be3200f50a55b2adaea3d0ab9

SHA512
1024f2a3dd2963cd4b0c6244f6a906837ee54ac20c31847e692e79059c329313c34a7fa12ddbca0490669807488cebe1a1b3b7732f6b3c7ac6839bcb038cead8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
30ac103cf4a0d23e489b8dc526806063

SHA1
68edb9734df3ecd5dfecdc0f2e809f822b1d7fbc

SHA256
9b1432c2bdce8f26887da4dd96a94685cb113f3d53c94b69aa6d787b63f1225a

SHA512
9fd8d4dc0e312ad7142bc924cf17bd29011cf364e4e18e798bd3fe0ff0af8bb6f84e94dd425be37724116d86516a6c0885ba6518ed5ecd8fc7a8ec6c20e70ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
124c21da185e8f03f4fdc4f267a8da67

SHA1
9eb85fd06dd24eb19d9a11ba7066122289c3c2f0

SHA256
b2bccd20ea63df747b9407951cfdaeeb4e263d865109fbb970d222c79fa64e3a

SHA512
0aae4133f915522ce59718e14af42888c19f2a909b8cd5d2211bce6a145445b46c8d6158fbedde7e15fe4bb1db23fca915a8a799992f7f7c1d01ea6352f44917

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
94b70cf969d229dd5779fead7a2665df

SHA1
435049615571a8b6a7b717cda584ac7e5af6307c

SHA256
97febdc55f1fdcf1d8f7bafee08e1901a4cdec944b05f435929eeae7dc9bfe83

SHA512
afcee2e7f2d7d8d56624c514fa7c4913b418f89e29e959ddcd74d1bee0be02de466d284bf05c67628c16a4d90d95bb6546e80504b746043be4621885e94503f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
14d6dd9f3a0d9d6e54a246fc821abc25

SHA1
ebab9668516c29c95488b8141ee8b9fa442a412c

SHA256
9b18d3e445eeb7389783beeeab986ade2e48c1fc0308e8c256e6f1b57aab1361

SHA512
cad8477ab5b745b92c36930f4301c0e5973acf181ae1f7bb62d91633bc051516497b63f68bd56622d5076157ec42914909c16cc9ac6d6fc6f6e29e4f013f3eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
00e172b0b4ea665d3ebe9c4e346451cd

SHA1
dbf595deb4044ee1e0c8837c60269855ac024da0

SHA256
ebb9102c636d5130bc45cc8e4bf743a65676eeff0d7be2fb3c470540008a32eb

SHA512
523734da1b9c25c881f7c7bd96599b86ce3142a0e053be9587c00d28111aab14878310330359a5331e40e56e846d21c1dd48b15a714a4abca09bc0af20b38625

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
89dc41512fe3bb85e1aed345fbc72605

SHA1
5dd7c60f15e23c175a7ce982fb141c7365d48eae

SHA256
76ea7fe34f174558125f627bdfbb6662ae8f5f594e93e9dabef38a917448aeaa

SHA512
7c1e2552f10b01caa26c8253983020d939d0e420817daeae06f823fe1800781ed0d1cfbdf632245523c66b7192ca06d621be42a34735888f5454628297c7374d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1ba612e5e70577d4aa0523b8b91ac511

SHA1
2bd9b1d71dc1a2321a23125a75b319f894478071

SHA256
0e835f26c0cc9a9ead1a1c26cfaff9cb2443d7da568707dc0bf484fdf5feeacb

SHA512
39429a1ea40407abbd48ad3ef1022c385779df7fac293cfb98f140129b5e8111759605bcfea2d3deb61aa76d7459f6063bc534d709b7ae507c8b27f171603de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
08c09d7b1adcb0b27f8f19446740ed08

SHA1
2c5c5df7bf1604ddab692c5b9a6e40c27644786b

SHA256
99ea578912ea477d9501b163564f06418555f3616013c785b52e33adf4e5e73d

SHA512
0517d5d80bd8e5846105f4fe1fd2268bc5f6f9d30e11cff9843e592a6327987c0b51387f0510d3967279fa2890491a47bb3fe6fd6b598dfd098417f1b83dd554

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b916e63f8f346eb99dc8da0be505dcc3

SHA1
d822098304a989c93d9ae6ad77c78c5557c2c198

SHA256
5bf7d03d7af9de8675b844658ee5e1046290ee3af6e060c582a7294e8eb8d164

SHA512
71c6db361dfa41d6b1666656eb6bb1be602d70a4e191a92500f2699c30f7a4055c5a5660023b2ddbbecbbf1f75ee3f1c0f1cce67474ed7b3c96474071eb507e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
39b101beeafe3e03b4b7d98791aae173

SHA1
4a51ecbe2d0ccb91c7bebf669fbd665d930d589e

SHA256
c0051129104a583c3b2d973cb9f81c1491f26d83960fd2c1bb0d725ff973df3e

SHA512
80801ea62e69f92fe21a1129f76799b30bc226f86237d8da0a9199626c5c3e3fb80d84fb4bc422f6be4fee5959aab1279f9a209d54db6b32662e00dbef38a664

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
60d9516365256c94ff156d3d13484d0d

SHA1
33668ff614fbc6b50d67875173676e48528daf89

SHA256
37ed4853fa7aa65bf6520f82893b3f4c6174227c2fe575e4a37341c80c2dbf90

SHA512
e2e662c835a813e157ac8fc39dbc11d03269d7e9711d37e6f6342a700d2c26a3f3b2582a2f266b86ece7aa2962e3c830a8e3f15f894a09e2bf6d4f32d4a9263e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
576bedfa7e653c4d14804d37f30d7d2e

SHA1
f079e7e36704c2b79fae440d2abfe264fe9c9694

SHA256
efa7998f1eb67f7cff95add9b520691fb6bc26f7ecd00541961d2aca38736faf

SHA512
e51e4bd1b12f57d08bd3f75ee3a29dad5f58ad6edf38130db0092e805baa38f8cfb8930fb4ab72f1fbc2da025a7954fde7794f929daae29f87005c2845c7701a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ce4fe608640c959b0c7539353a9ebe22

SHA1
1fcf6467c8e2ce8dbc0452a92a145fb45f0e0f29

SHA256
b1cec2549fe27a5448308a02b9a197119f806660fcfaa2bfe27be4fe93a10e8a

SHA512
42e9a5b1dd4b12e3a88967aef5359b3a22baf4918fd384cc61ec3758a2bed22dfd6372a318fcf21bdf03bfe00295365399df18ec528730203e08b15ac4f9baa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6695b0c240e5d5561b0355314bf853ba

SHA1
d36e8e5b3b204b7c24532ae32207f416ec1c0ec1

SHA256
1e42efe86dd4715389ba6a82b4da67d8df06ad7552f906a4eea9d0a920d98253

SHA512
929cdefdc9f93cb284a0528c86d0199dea17695c206ec97830e9e12e302522dd88cfe0746cb3e4843155661bcfad28847bd9f553171fc4a7753030bc7d5f3d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c3a6e46b352674b0e8bd14292e876b38

SHA1
95add4a91789ab2d8184a98353835b69441c9ad5

SHA256
6ae768c3e05e058e885a16df6fc23425b9c7c3f92393e39d226dde0d16c07fca

SHA512
8ae3cc58083626210a4fa46d4914c7f483ae9ac073bb98ccb84e984af86a759a578415b92866295f3b1537d0868c1ecb7ca1cc82caa73026cc37c1180844dd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dac0d68bc652867ca3ddad2d9642e503

SHA1
28025d36d8a52453710f51d7e15a838fc1651789

SHA256
b12975c2eae70c7f6cd4a7ae2657228c114c96514982644bc327a65366f703f0

SHA512
da2f9fe9821fac73d36f4530579e0db790f3601474b4aa4ca26656a1fa0b3e3b6699dc6079fb041c7fa8b6af23537ee8f1f812b432a4522313dfa17e9997f8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8c606810a9df86efeb167201abc9913b

SHA1
0229939d8994d9b195e07f032e84769352981b78

SHA256
e7c9c081cc4a629386c90435f0500e810ed6540504d1a6afb86d1f39d873cc08

SHA512
82a2dc32c6e0564445d78e6a21b732aa0394554c878b7ebe0a62c80ba06068997772f2ff9a147ef28350bab8d70906c1462c70c79c78dc5547321304229e5fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9e888c011f60a3bfbd7d16c44514b505

SHA1
65d586950c989b5559e44f0d6ff641b68936f1f8

SHA256
c0f473f63d2eaf9fd71dc8c765c75048b97fe6f6b63c5d93c4f2d73a878be838

SHA512
236441b77dfbb0b18ad13544db7f33e8aeb259e74b367d124e1a189b402c9342b83a91233d64fd4373ed03bc65444ad96d90586955a927f7f8bb7a69f5d20545

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ea40f6793f57bcab03f19caf85d01837

SHA1
7163f3b5a8b242c4039d354990a455e5c216e94a

SHA256
fb7817c90cc8dcc2af05bcd642e5765e6935a235ef206219698e06eb5f826866

SHA512
63cc7f1276b36dbf485cdb8d350edf3f75240b29c3447144565504f2572bf68c00237d7ddf28b9b19be007de7b1e45d7ebdcc3459a0c773b72ecda1ba6d99dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
64348ed0a1a21e68ce4f1229be9701a9

SHA1
9e26f7482ac1f28dd826c915d171bf1c85c8f229

SHA256
18128f18e50bd52572c169ecb297abb8cf5e228ed2a9834f03badb25ef86b42b

SHA512
9fbd43e4949ff7aa11a90534367fc1a19b301edcc615b4a0e8e756142b605208d928ddbbd60fa8adaa1b2a06a831c455d2d648208ee47f9cda46086e24cb50db

Download Submit
memory/2604-41-0x0000000004450000-0x0000000004458000-memory.dmp

Filesize
32KB

Download
memory/2604-64-0x0000000004450000-0x0000000004458000-memory.dmp

Filesize
32KB

Download
memory/2604-126-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/2604-127-0x0000000004600000-0x0000000004608000-memory.dmp

Filesize
32KB

Download
memory/2604-128-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/2604-129-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/2604-122-0x00000000043D0000-0x00000000043D8000-memory.dmp

Filesize
32KB

Download
memory/2604-142-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/2604-150-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/2604-114-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/2604-152-0x0000000004590000-0x0000000004598000-memory.dmp

Filesize
32KB

Download
memory/2604-113-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/2604-74-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/2604-165-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/2604-72-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/2604-125-0x00000000043D0000-0x00000000043D8000-memory.dmp

Filesize
32KB

Download
memory/2604-51-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/2604-49-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/2604-0-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2604-28-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/2604-27-0x0000000004A40000-0x0000000004A48000-memory.dmp

Filesize
32KB

Download
memory/2604-26-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/2604-25-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/2604-378-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2604-24-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/2604-21-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/2604-19-0x0000000004450000-0x0000000004458000-memory.dmp

Filesize
32KB

Download
memory/2604-18-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/2604-11-0x0000000003980000-0x0000000003990000-memory.dmp

Filesize
64KB

Download
memory/2604-5-0x00000000037E0000-0x00000000037F0000-memory.dmp

Filesize
64KB

Download
memory/2604-1-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2604-504-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download