ffdroider | 310f9471a8f858c6b02b8c70629efebf85956a02e7fef0d55f37a2e9731aac68

Analysis

max time kernel
131s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ed77a382b88d0def763d0b7a35cbda_JaffaCakes118.exe
Size

1.2MB
MD5

12ed77a382b88d0def763d0b7a35cbda
SHA1

e0f2bfc61e554a1c889cb49fb9a8cb605620bc26
SHA256

310f9471a8f858c6b02b8c70629efebf85956a02e7fef0d55f37a2e9731aac68
SHA512

c9fa3b05cc24e2f6815b01b76def6016a4cef9ca3cb389edb3bc790ce4639324987771ec2141e58afe0d641871656a7f2c46c8c6da1972177ce3a0c3810203f0
SSDEEP

24576:dOJE8pMemVlorMQS4ePb27twmZ1+ROYDj4hKR/xYtFDIdIfVnXxPxT:dtvemVgMQplThKR/x8IdgnX/T

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	12ed77a382b88d0def763d0b7a35cbda_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2512	12ed77a382b88d0def763d0b7a35cbda_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2512	12ed77a382b88d0def763d0b7a35cbda_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\12ed77a382b88d0def763d0b7a35cbda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12ed77a382b88d0def763d0b7a35cbda_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
031b67733896636fd419bd881705e8e2

SHA1
5c33c024572e56c02317d40059d65a8a0fcff76d

SHA256
9a02eb06b7aeea228df8b6ff36089035dedb382a5522585276552698a4506046

SHA512
9861e7ebbc3f899c0a55a5557a8ac70311dff364a7601c0f1146ff1c945052970f362a1f680eac66d2a4d2923f82c4e4d5839e218519c31455ae4c73f0d3f08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
42758e912212eb7282edc4d1f37e56b1

SHA1
6762fcb9c125e5b00e93e42be0c9af53dcd4e539

SHA256
6025faa8057a0f27066c5f0c26d27bdab96197de826de1c0b1a1f64dd4e247dc

SHA512
83b59a2be65e468e777678a25573a6e0d02a2f28764f32fa343b0076cbc09df70aa5e175f53ebbb18e12abb7065c2216c4f6c9b3fbb933b809215dff29a7886b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dc760eddbfad0b9d736c10ec108db560

SHA1
ecf64b4ca2ddb4793ba9d07ea235f32fb8ab2744

SHA256
d5a177bc12f1b01a1bcd2e3ab5b19987623a15c09abb4d5929ff64e8f8291686

SHA512
27974a14f025a154a325b00fc342165caca0f820c8c9588eff6f340ef87861fb08ee0e52267392af717ef8e6e7a64b4abe692c6343d4a475ef0ac369a0251487

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8c4c55b35fe56f5a3e376e956b4b88b6

SHA1
4db761932801b10673d0c6f11fc9884880844af5

SHA256
c227fae6ab79c8a94cc2517c4c53135fa36892b991ebfb68cbf5d8c795bc2e22

SHA512
986a38364dc67da3ba02c39cc34bafce056fb22d55ef0fa8127fb9850da7a86dcc7de53d64bf67e6cba2eb508c5f11d1a84351a71ec9d599301d248a07eb126e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0019b65cd21afd9009ae59a8e0e0fc49

SHA1
995a69e55ce13ac0e92e33423c8deed048dd5ca4

SHA256
4e03975c17f1b12e912733e5958bfff1e9cd09615055955f9e374f299d8a75d7

SHA512
7e2e72bc00df269b94ac497cd45211232a826410aaefd92cefa52581f1e28df8654b60a453d09853e8daba7586d51aa30d93905de467b498f8dc3d908c77aa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cf610bc2e7bbb76a9d7b346862fd9530

SHA1
442796f131751324ed7cc3b6e4c82918a71859e9

SHA256
5bcedfb7739a048c396bd2a2d034f6e5f8568652f3eefc128a5f0670a4e379cf

SHA512
6f601dda16d1026d8b58fbc8ee65896d88e747fa9f067536a919043fc6df0dd4ea90b3e091b688d7aba1510672df1e2ad726eb37945053141fd978193d548e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0c81d4e3182a3206cc2325cdffbfb117

SHA1
7fc7ebd22319de8f15b5e4189f1403045ae995b1

SHA256
3eb7c6a54e8c4ba83fc2cbb14c7809e3a08fda2170a3e72523088d0f8e8bba40

SHA512
d0d55ee278d85301547e37b3280dbcc09e56ee6e3232bc2c03e50ae871332e2593bab6c17024f40b6404ff714c5e45e56fc37daea690467da173b004df75e6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
aab719edadbb707cba7a4572547480ff

SHA1
f09628cac48b6cbed9f32cb380a4da8daeff3733

SHA256
c3fb4d594295a8f0a14193bf3ebb9c6985b3225621afb1b523b038c350b23ea6

SHA512
421a897c04ac8f98b719c771e550cd0fe282698f16486897e99682d7b38f74aeb3c45805e72790afa0b89dc4094c9898ea1a32077438e7d052f9840d169d4f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
deefb0669f4fe5f613721e55a6b99376

SHA1
571aebebd8333f9c66098ed0fe9f5c8039d63de0

SHA256
de93a682825d9cbb19fb86e855494b1a915c4003cdd09fa980935048d39e0736

SHA512
95629c4b5637256559942489f21eef6114b31d72a577a24e1f179f604c1782bbc75fbbfa2a9ddb606f643a710fdae514084718e1bbf37fa10ab73865b8ebffd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f68bc01da3944653240d4428075e4e0d

SHA1
0ab0569bfd64d195c590c1f672fb03d692b84dca

SHA256
77600baca342e4746b3c4746413d26382f4316aacb8f5de8eae7d4dad259866e

SHA512
73ba5181977ae72a6376f9740915d79053878f3908fa8132ee2c2e5a1d8471d951764535bd8b44b04da8b6711075ba283382e76fb90b519c0a124e44a6de1257

Download Submit
memory/2512-49-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/2512-125-0x0000000004370000-0x0000000004378000-memory.dmp

Filesize
32KB

Download
memory/2512-39-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/2512-17-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/2512-47-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/2512-22-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/2512-16-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/2512-62-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/2512-70-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/2512-72-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/2512-9-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/2512-3-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download
memory/2512-111-0x0000000004080000-0x0000000004088000-memory.dmp

Filesize
32KB

Download
memory/2512-112-0x00000000040A0000-0x00000000040A8000-memory.dmp

Filesize
32KB

Download
memory/2512-120-0x0000000004140000-0x0000000004148000-memory.dmp

Filesize
32KB

Download
memory/2512-123-0x0000000004140000-0x0000000004148000-memory.dmp

Filesize
32KB

Download
memory/2512-124-0x00000000042C0000-0x00000000042C8000-memory.dmp

Filesize
32KB

Download
memory/2512-19-0x0000000004260000-0x0000000004268000-memory.dmp

Filesize
32KB

Download
memory/2512-126-0x0000000004380000-0x0000000004388000-memory.dmp

Filesize
32KB

Download
memory/2512-127-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/2512-0-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2512-140-0x00000000040A0000-0x00000000040A8000-memory.dmp

Filesize
32KB

Download
memory/2512-148-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/2512-26-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/2512-150-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/2512-25-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/2512-163-0x00000000040A0000-0x00000000040A8000-memory.dmp

Filesize
32KB

Download
memory/2512-24-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/2512-171-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/2512-173-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/2512-23-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/2512-198-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2512-199-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download