ffdroider | 011995e4a15b31e09854361d1c1f1024f5c0c2e965ba2892cf0080c586cbf4e7

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe
Size

954KB
MD5

eff86670294eff00ad9939f819212fe1
SHA1

d19b908bd145091ad5daacb527f226c6fbd61be0
SHA256

011995e4a15b31e09854361d1c1f1024f5c0c2e965ba2892cf0080c586cbf4e7
SHA512

f1f81fe38147d390eeaf32b6dfba6b042a935fe4e814694fd0a64ec178248a3d803d0a2b0e64560995c3b6583e0ba062f53bab9b6272200c31d61a60996eedb9
SSDEEP

12288:2OArYqQXh4GCSVtwvPhC4wq/qkLdTu3rLS7Q3CkMQbk9s7N1eb6GziPEwkJU56v9:fAmZTwRwoQnQnkJkNFmP0RvbWKvt

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/3484-3-0x0000000000400000-0x000000000063C000-memory.dmp	family_ffdroider
behavioral2/memory/3484-507-0x0000000000400000-0x000000000063C000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3484	eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3484	eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3484	eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3484	eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3484	eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eff86670294eff00ad9939f819212fe1_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
17d16b206de7ddca415983e95166d751

SHA1
9bc032107852616b599edd773ff2dc1574a0b525

SHA256
cb5de69af2f8557a6851b87623f4e06c88fedc3ad01526d386f2c55edd474c1b

SHA512
4def3bb91f350ec88d5d052ed7e72c33c3f55933a92c3d48f4cb47771d7d4241fcc77400ec59ca87770be3695a7856f3f8b379bff76ed83e9c6aa6f1f20e92ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
80KB

MD5
c63476afd7abd52b826edd448e37183d

SHA1
64dab8708fcfb88a7c5b9ea0f30cadbd725fd7a2

SHA256
9d3539385d5c58626ecc5ca5c8ca86674de66053fdf84a89cab21072562f6d59

SHA512
fd8d6368e6fe8af6572b05d0d67e5000066f1d33c49730fdba4bce61df9256fe5a3a025acc8a34ecb133320f71fe387c8c1e93690d2fa0e49e0db3fbacb94764

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
08bcf9f3d9ddc0c6d618030378ab32ab

SHA1
92c9026b4ee2040420284687b0788d63a55314ed

SHA256
9c0480050869443f74f7e6762fbd6092f018828f1db2553562585aa3e277aa78

SHA512
eb63aab8d00f4c2446957f6745bbd8995f65a6b7b8aee4e0b187601e30d78b8e61f4aaea2bd679ccf0a6d5d341a154706b7a5544b68f0f3b7142eb9da546e9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9d02926e6b9eb3ac7c4734a93a6c203e

SHA1
3b20d326d8931388643bc543887f71b980989e7a

SHA256
267abb9923e928650dc417a4f1cf1e250f2d6c7b9858054e787debe835777e9a

SHA512
e3f33f2fd76166ee63c2e8d611246e1f1e7d32ffe4c7aaabd9ccb14266549c01eb4eb423825c7facc211c6b32efb387545b5129ef6fa1d220861fced73de3e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2760024325aa91806315a3657b1bab91

SHA1
5cfe02cb77aef9a6eecd7928e4c8c952ab290280

SHA256
1b169eaabc3e57b01008adcefea1b52276993c97838188df596d67e15a4861b3

SHA512
1d26f0adc26ab473afe937f40f1ea0f9b023f6e9dc66e7f4750f82d3f316b9cdc8d683373098b558480a8e2fa657672a673b5094c40af28cb845bc33bef0cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cb0b43a038c4c99b5425a1fce98c5d1e

SHA1
dffb58d9a15bcb9ecd66881a2019b02d258efbf6

SHA256
07b167d7ddb0b22c9d99d2cbae06791c2e88780c16c543d586b09f19c05600a7

SHA512
a6359ef6adfb60a33e3e770f99fc812a5c4a4f75dfed6d37a7ccc41380f5909cad2397599f2ea3232d3215d9788fdd64856d97dcb7fd97438235e93cd569b5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e303cade007f4c2ff5f600bcdbf06e73

SHA1
11fbb184ac811ed5b5b4f44dbfb78ebeefcd2a9f

SHA256
f4da9df30ae2a86f4fee55ba481e82ec53ae74880c5efc2d931ce720efe8d7cc

SHA512
34f0c792ffc16e1514165095cf7d6ea42803b96610e4db8297f3f9b7b815ee7b8f9f8c2f7b66641c2811a694552888260a68d3b68001935f478dfafd65d465ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b91effe75b63d164e03991879ec7ff7e

SHA1
ea8c7143e1ca752012ba1465ff117538006827cb

SHA256
3b880285cbc0b57f3dec97916c723a6abf2fa677a764d902752592e734c63448

SHA512
c660b1a2aa396b90a9d1174867e4521e761f1e848b729b5f951cc852bb4efd1adea8da37b221ed48e8eed9fbdad00b7a64c19d2c5c0c5db2b89dd30bcf55819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
678cf51e2be515a8776f6ea65409a5ed

SHA1
518e53a9f694ac5ee517357ec7460a6cd90684d5

SHA256
6d794a650050f365be0c730d0002d75d79c2db5d8dbdeed632ddc2625254993f

SHA512
fc4fbfbf56832080f9a04f5727b5f3a0e026cdf28b46683873de363791e4387d1ca26085170e7c12bb8f144f48d15cb16d7ddfd7a53caba0e2898626d6a8b7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e571104ac0b8e0cf7acf95002cb235db

SHA1
b2d82eb7bfc30e99778f503ad01725f94b5fcb30

SHA256
e5441d382d8f6438d8b5a21aa8a52d512938327ed02cdebcbbe6eaeb5770e5fb

SHA512
c650e4494f40e63ac335bea09dec9fd8ea92aefaad47f384b01bd94d4216b98e02df950a9a913ed8f5e4f4920720d9afd47f724e608f2e5c5db735411135135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e372a2e1bd5da8a2a9e71f69d99babde

SHA1
07f99e16ee115abc37e308bd4da00826784d54d8

SHA256
0e14424811e94eb49202d061831bb5cf0891a992122174341cbf8cc8ab164527

SHA512
c1f9ef4447c7db7d37e08faa6d8c28c8556ff2f99336f4870458844e9b448fe93be5709b7f49417717bef16694096d1d7d9c81dfcbaca8dc66fcf196a67e21a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
025b4de49934a1ea208d7f5cf78f26aa

SHA1
c2f8e8770a50e102555350c9c23acda81719dcb4

SHA256
2f67cc561dd3d90b9970f72d60514e8b5701ee9c2d67dfca98a5f559b9200471

SHA512
1906d2f5cc4ce8e2773a5ebdc431044b63a1e7307d1ca7c7c4e2a5771415a57508bc9e41f7bae9108b73c3994adc6189340dd50a4569cafb1aeba6e8d34db994

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7b64d8abd7a11d2ac7597758b9962fe9

SHA1
e26c901ee103fb8b19ab034d63a7f075cbb96f97

SHA256
c36093a1be60f1e6e02e232dbf4b72650a99b40aad045a91d54c7ced9ea38adf

SHA512
9c234cbb7c0b9c1156e0d4a996dd2dc682cc9e60694288263197a0addffd97f45fdc8721075ad72cc2c5e9023ef512a532f0cfaad52d9a522656c7370240cb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3808aeb889ad8ae621501d8197ff8bde

SHA1
d2fab72ce7043e66131b216bee1261374c307107

SHA256
c114b478cc73775848ee039a3fdd9cc6cf51ea818d4d1a31253a1167055a008f

SHA512
2a6bf057d3bae22e36c58fe7c3085d85c8882f1b76d60711b80b85ddbab62032ca225cbcf6a9fa79e4c4c5ecf11bcaccd5bc4a1b5ed01312c2aba0ab592d5405

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
db5206115b8ba7b435528e1c7b889578

SHA1
3adce25f36c40c83fe193d9058edd9544231d818

SHA256
1ff05e9efd32407727a51e6cc3decd610add7b7f4db29c0cab8f37c174577615

SHA512
48e998fb8422bae90dd9350b59736e332f96c41881009620ee51b4570c30b207bb1cdcefbafbbe49a254e5aa76535a9e86ed7190c5b12bf501ebfe6e82d32c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
175310d3dbbf6ff98fdeceecd4071bed

SHA1
9def229d085006b74fd0fb2dfbe0aca833ac98e7

SHA256
31d96f344736bc5bad90e48e74e7c6c317edcdac033a8ca95235733275ced9a4

SHA512
ef14c337e16a69fb3337d8ad34779bef940021ff3f246a818363b118ba82a60135558b7285de7cdee90da016f0e43b2c247c5ac2e1bd91d949a0da00754a0bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
194ff07166bade34db08e9d2eec3a8fd

SHA1
47452ef710419ebbd0bef06509dc680492806406

SHA256
666d13ae68d91c1a60a8658527876360bc41df1df7b33bb4c4a635deab0c3688

SHA512
8adad9fae4997791110a14a72e053861fc334c92c5a332d23d503b9cce165131d89677f6e5f94cd4d922804b7a81911968394eb4cb0bc29eef40f5f05bc79e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b360274327dd9b1439abd650e40a5ed4

SHA1
f7cf021c1816b7662d5931af85941ad1844c5e25

SHA256
5fb178fc705468576bff5c982724290863965a54a34403bd1332d76eb37eadff

SHA512
91d4abc4c163d0bf9ea105801de9d5e2580c45443a2e1c4fa408883413b19acdff833b2eeef0247323aad78c6d621cb67da3c52c0508f21c10e4798029bfc0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
619cb60a59b0c4d6810ccea1bb0ab547

SHA1
d654d6d15f07d27d8bb1df3326f3173835a05988

SHA256
e4a98891ba52cf899e70b0fee3b893213cad210ad2bc26f7db77c6fb00e2b407

SHA512
989a04045b509de738b1c798e303c7721e2518a48f9da7643afb50995ec5b88c46d7f9c3c952216d39d2203eef64a4a13a3e3a830d42e6cca31b7609611404b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
453a117a692baf366a39fed2c34b2425

SHA1
41493f8e68cc9df2a5191d129f1889950669244f

SHA256
360e8f8e2e34aaaba6b3d4e667cb4f56f5e3e860e2132292b41eeefc73083246

SHA512
24ea389e10eace745df9c0e1cd01edbbe1fdd598cf6d0f5a88183680fec001dbdaad9425d0c7fe10a717a7f03707806448d259b2d794959dab82094767ff5ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9e67c056aac82f95ab8b11d130b816ac

SHA1
44a701cfe8f0d877776bf3bf5f18cf41bec231d6

SHA256
bcc5763c3838ecfd61087fce889d806f970ce6a9e67001edcf786caf44c0edff

SHA512
27819a066c06da4e70fd8544abd14d00617171805edc354faf81347aeb39c3124d6928608ed8d91d47c28462d33c663f6a35f2a554e04e5533adb12ee1dc0934

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
baacb746788949581eeb20ad9c63ef27

SHA1
06ea087d4205dfc8ca1161abaf53f0bdfe5b3b30

SHA256
b567a6ad93263be11b072752819d4a3038cfa0b0e1c42492dbd5b5401eb5a9da

SHA512
b1e7e83ba90f2e2d899a54d8022ebda5e8504cb9f22b5728cf29d3f37d98788ae24a241d905abbff24341085152c12bcb4ed1d4a282635adeee59fd42da43b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
92e2387a76e6fd05c59c398b1d50b23f

SHA1
25b0bbd98e0c1367470781d91fc0561e54f1195b

SHA256
ca4b6ca424ae8b43017e48ed33a318520d6422b65a9343d6ac71347cab4313af

SHA512
47098fc2aad0697f138a152ef1d8d9013b6a73afed6104de4590d66134fd8029c1829f5ca661739d570215ad5cfc7981105464fd4f14b04b447355c2610fdf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b3aee8d938f3e08a4f69af0f8260a620

SHA1
b46bd5b245ba27095c507e4db723227d1d95ebe6

SHA256
30b6862585e164db7bde4916b43f75729c0301a95867613d0928520198383fec

SHA512
31884eff5ae59e79190f02f39ea6f258b0ad2dbaef8d971d6bfe4840f9685ad26c374d36e9f3dd620cbbb215ee6a8a5c1d479650eda1139a23a1deb9beb1f81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7289445d66cfe29654e06a7ea2811210

SHA1
30489eaecd22f887e40c91b8f6e7eb9219e5566a

SHA256
c50ffccf85aacea45c8cf82e4ca5ff7517afb970c8a416a103c62eea50f0de84

SHA512
ae251974e9cc93fa0690423c3d56d7cac240e3b27b6a0ed061ce2552fbeff2eaa6d0a755e6e10bde3aa5fd55b569fee84cbe68371fc0876cd6a9bde569541826

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c84fcd8e74c519cf7f750afd0b070e6f

SHA1
bd6022661fc13d8d2fa590c199d2b34074251b29

SHA256
dbec32c228c5b868f1a1db3793592ce85c4c77f4d92d466e9c99633b8e4efbfd

SHA512
f75011472fab4e8a9eebb3f357cc12c6c8f1b93d07493aaed8e7d7a7b8f3f1565a888cab01258adf15c534cd5a20594429dfc34ca93206fcfda54cc991ad847d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e46627de2dba02543bc4c856e1d72acb

SHA1
395b1c795c55f5d5bf02ca48706adb1498b9b674

SHA256
2a71b9226a841bf23e37c5eb03b6b27e3586b4991e8960bb43f79723f3a7f62e

SHA512
8ed3f56015451138daf7df157bf0a8a2f61ed7e9db49830308fdf605cbbd39469ea7469900ae55412864cb6d1289aed792be02dc89930eaccee013525cba67d8

Download Submit
memory/3484-31-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/3484-54-0x0000000004AE0000-0x0000000004AE8000-memory.dmp

Filesize
32KB

Download
memory/3484-128-0x00000000045E0000-0x00000000045E8000-memory.dmp

Filesize
32KB

Download
memory/3484-129-0x0000000004760000-0x0000000004768000-memory.dmp

Filesize
32KB

Download
memory/3484-130-0x0000000004810000-0x0000000004818000-memory.dmp

Filesize
32KB

Download
memory/3484-131-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/3484-132-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/3484-117-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/3484-145-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/3484-153-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/3484-116-0x0000000004520000-0x0000000004528000-memory.dmp

Filesize
32KB

Download
memory/3484-155-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/3484-77-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/3484-75-0x0000000004AE0000-0x0000000004AE8000-memory.dmp

Filesize
32KB

Download
memory/3484-67-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/3484-125-0x00000000045E0000-0x00000000045E8000-memory.dmp

Filesize
32KB

Download
memory/3484-52-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/3484-44-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/3484-0-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3484-30-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/3484-29-0x0000000004C40000-0x0000000004C48000-memory.dmp

Filesize
32KB

Download
memory/3484-28-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/3484-27-0x0000000004840000-0x0000000004848000-memory.dmp

Filesize
32KB

Download
memory/3484-24-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/3484-22-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/3484-21-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/3484-14-0x0000000003B70000-0x0000000003B80000-memory.dmp

Filesize
64KB

Download
memory/3484-8-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/3484-5-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3484-3-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3484-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3484-507-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download