ffdroider | 708542577a656b24962e07bfb4b958a57a7e916475bd99beaed79f91c71504f3

Analysis

max time kernel
133s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-07-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md2_2efs.exe
Size

1.4MB
MD5

ffceece2e297cf5769a35bf387c310ef
SHA1

2758f2f99b2b741e4c85d0808952cf1c0ca13be7
SHA256

708542577a656b24962e07bfb4b958a57a7e916475bd99beaed79f91c71504f3
SHA512

ecd0de3eb036d6fe62a08b84dd16a533ab3f0310877d17e998be9fa5c503ce647f9a0db8fe7d44caef298a92681ffc8ded7818a88fe0c67ef2d879f8a53fcb5f
SSDEEP

24576:ZEl3CiZjrmmDzA+uWtcqa4J1Fy529Esn9bsO4nTb3sKnhrwvQYV:GD2mQWcqnbsjf39hrwvQYV

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md2_2efs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

md2_2efs.exe

description pid process

Token: SeManageVolumePrivilege 3336 md2_2efs.exe
Token: SeManageVolumePrivilege 3336 md2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

description	pid	process
Token: SeManageVolumePrivilege	3336	md2_2efs.exe
Token: SeManageVolumePrivilege	3336	md2_2efs.exe

C:\Users\Admin\AppData\Local\Temp\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\md2_2efs.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
25.5MB

MD5
5a35b7ae7c2a696ce5fca046cad1a3d3

SHA1
b4f13049488c2ccce89c5d783bf4318549cd45e9

SHA256
1696a34d63995d8d11d15f2af21049c3188e820ef8c909fff90c6ce4cc6e41c2

SHA512
508617178d1cde030f713ab26575aa3e7e20ff652e248b69411d82896e2eadc2f41dc26f36d293fcf0d354cddf70e05ff35d9c2fb697cc6c869ea2ab949a84aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
221eddf8869f7095bccdd43f87c089d8

SHA1
e2c9ec41515fcc0b6630ac4d69f0964f375ad365

SHA256
f16be05174eb0c1b71cba0a917a07086a5140c7c68e05cf5c52dae529fd89f04

SHA512
70b7d5ea2dbb84665cf22b141d1f0ca98b133a0c6435b73554b07e11d3aff6242da6b1f92ad7be32b39e764f1da05cf37127ecf03845ee9d85febeb40438b9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
234a614eaaf4a3378778c267da28f83a

SHA1
d0dddf16d18c797f28bfabe631971819eb680cc1

SHA256
25814e48452bdb23d4369d88a1e7e3e95d73fdea14536d7cabf03a50e25761ef

SHA512
e75d3325463f26c6e7435d02c7d56c6f70c00b1e6e5476d93fe9484121e9c6fd54881f499901865104be660672e614aeb80f0eb4e9f41315d0e9f14d58f0928f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7b37b3c2285a2cc8940dac4ab9a2e078

SHA1
e0206184f1fa39f5ee70225d12af92d6e70cacdd

SHA256
3f236908aace38fbb3032010a79ad61897c29b03df4e643b9e9fc90fa6168162

SHA512
39dc0f1c7cf25a8d2ad4eab596f1f7d81312eb90066b9871e633e951cd4147245ef5314581de232a0c137f376db256353d6feb9b82f2dbc43050d89e8316f2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
94aaa742a5fa4301694120746099992b

SHA1
07bbe063fecfe941f9ba00d88cde7a29db1e4211

SHA256
4bc7fadab152f5d9c34025f6c44e66c39f352d7f2fa0ca0d63a3c397002dadc2

SHA512
41c340745a5260f97546b015a6bbe8cf746cda72b3271b8f53bdaaac23f439d9361536c671601221cd32210d0363ae1016b93407beb051760744e996e4e6a38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b5e5ad064da4c3b32d51ae3fe0002d32

SHA1
3c767ebe44c8a7721f2f6d9c179c9654ebd33378

SHA256
1976492381a198fa9e38f3437b7eb8d56a5df3a9896c06d7db5b0f67c35c7e11

SHA512
3cd16c43b6f4804b5fc43cfc6feb119f735d230d5b06394d482806ef03fe75ba371eb2e3cb4d6a0b39ce792cf5f3801195ebf4218f7c653725cd2fc4fd0f2f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d5267f713163297179b92d45a21a5080

SHA1
8dbd7e23e97458f744a6b551bf44b1b7f868b71d

SHA256
6881783fee884dce6f4de8948c8964606fb4fe8265f0b39b0a419cf6606d5d54

SHA512
9ddbe51c9667e90f1fed9e849d5def694bcff9a076e42de664d855b8c02027c3b5cd78d03594e1dcc55bded3c4b80766c453d707a3a23dabdd052ebefc9c983c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b15f2e0b3c7684ca1bfea95701be053a

SHA1
10dae3983589816d948689993ac67b99720926ac

SHA256
4d01bacb410f5d655292cc742b1e7c462b158871180903f6c28208e06c115f79

SHA512
7de2f6842616c7a50970bee694f86f194db3b2831a94720f153543cd465c8c8e5613e70514096014fdd6f4e492e4aafa1de235484d89ebc3a3832e8b3a3060de

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7682570a2f794bee2ca8d94368347044

SHA1
637923511d82ccf124921b0b1941b2153952a1f9

SHA256
999edee07e240922038589c4d94692fa946070fe19c2bff2177778681435155f

SHA512
cc2181a794cd5ac656786beb26624d6c5dd65c7b1bd0429b3252f15749e93fb4ef8c7f6aa95f83be4d55aed78a12d4d4c6c77ad7d877b66be10d72c8412e22db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bf45af0a4fbfd18d3fadb235e87619bd

SHA1
530a6a4cab85350c187b25a1abc23309c17c7ac8

SHA256
a7e2be72af6145a03267dcad23ea5f32e5b53c096f9d164f958a4e87da9ced26

SHA512
08eaec10156b0bff482a2c47c54aa3b099b3fd2fdfbf9925102acc3b16fd030ff5a66b57ace6fb23af6d59a39333ff8c988ff973753d834da01df1328e24e6bb

Download Submit
memory/3336-34-0x0000000005060000-0x0000000005068000-memory.dmp

Filesize
32KB

Download
memory/3336-18-0x0000000005100000-0x0000000005108000-memory.dmp

Filesize
32KB

Download
memory/3336-57-0x0000000005060000-0x0000000005068000-memory.dmp

Filesize
32KB

Download
memory/3336-42-0x0000000006A40000-0x0000000006A48000-memory.dmp

Filesize
32KB

Download
memory/3336-65-0x0000000006B70000-0x0000000006B78000-memory.dmp

Filesize
32KB

Download
memory/3336-67-0x0000000006A40000-0x0000000006A48000-memory.dmp

Filesize
32KB

Download
memory/3336-0-0x0000000000DF0000-0x0000000000F64000-memory.dmp

Filesize
1.5MB

Download
memory/3336-21-0x0000000006A40000-0x0000000006A48000-memory.dmp

Filesize
32KB

Download
memory/3336-106-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/3336-114-0x00000000049E0000-0x00000000049E8000-memory.dmp

Filesize
32KB

Download
memory/3336-117-0x0000000004A20000-0x0000000004A28000-memory.dmp

Filesize
32KB

Download
memory/3336-44-0x0000000006B70000-0x0000000006B78000-memory.dmp

Filesize
32KB

Download
memory/3336-130-0x0000000004940000-0x0000000004948000-memory.dmp

Filesize
32KB

Download
memory/3336-138-0x0000000004A20000-0x0000000004A28000-memory.dmp

Filesize
32KB

Download
memory/3336-140-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/3336-16-0x0000000004DC0000-0x0000000004DC8000-memory.dmp

Filesize
32KB

Download
memory/3336-153-0x0000000004940000-0x0000000004948000-memory.dmp

Filesize
32KB

Download
memory/3336-9-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

Filesize
64KB

Download
memory/3336-161-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/3336-163-0x0000000004A20000-0x0000000004A28000-memory.dmp

Filesize
32KB

Download
memory/3336-3-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download