ffdroider | 708542577a656b24962e07bfb4b958a57a7e916475bd99beaed79f91c71504f3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md2_2efs.exe
Size

1.4MB
MD5

ffceece2e297cf5769a35bf387c310ef
SHA1

2758f2f99b2b741e4c85d0808952cf1c0ca13be7
SHA256

708542577a656b24962e07bfb4b958a57a7e916475bd99beaed79f91c71504f3
SHA512

ecd0de3eb036d6fe62a08b84dd16a533ab3f0310877d17e998be9fa5c503ce647f9a0db8fe7d44caef298a92681ffc8ded7818a88fe0c67ef2d879f8a53fcb5f
SSDEEP

24576:ZEl3CiZjrmmDzA+uWtcqa4J1Fy529Esn9bsO4nTb3sKnhrwvQYV:GD2mQWcqnbsjf39hrwvQYV

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md2_2efs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

md2_2efs.exe

description	pid	process
Token: SeManageVolumePrivilege	1652	md2_2efs.exe
Token: SeManageVolumePrivilege	1652	md2_2efs.exe
Token: SeManageVolumePrivilege	1652	md2_2efs.exe

C:\Users\Admin\AppData\Local\Temp\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\md2_2efs.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
994306b62121a11735b67958724e4269

SHA1
35744ec4dcb503e8d220dbc0c2d52eaa8befb76f

SHA256
54716ac7f71a33322edeec19f7f03131c25e857a3e9b879abef5ac5ab915a497

SHA512
a4d89ea85da32f50f34291d3c6a1cdab42491de3a9413d17a90a297de2df780cbc8ef35cab233b2f168cd12a7d8a302deed3f63a240cb99dab018be0b8a1ad16

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
90134c85c3e9c7aae87f78c3ceb085cb

SHA1
1d2b3e5f8f5522b9fc2fcbc04f912355086a86ea

SHA256
4dbfc20c1531b1ff53ec752bea2be93024440dd901c55f2f327acfbe68d2c8fe

SHA512
f94d44ca57300a97e259d596c34568554e093cb0771679387a4c458290b2cf7c6d435f41f296edb98407217d80fec08d693f3ef4a135d52305586b46846dc709

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
65cf847e86af2e63ffa4706595355a41

SHA1
1246004df336f87e6b78ee8a0ed7082235561236

SHA256
3745f963cfedfdbc3608a49516ed38c2b22445ee49968ffe26b48f50feb38ae7

SHA512
1ad0c5aed9f11e5a029815ce0445c2e14ef596ea4d2c4220d4c240296d4ff847f19c84a87790f473e1a40dce5b1975f6f893e179849ba20df9735f7b883e90f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fd975c09b9392ea1c558c472ce9b2dab

SHA1
89f00442245c09a757280527d1575e70b0322f09

SHA256
492ea6825c22e47db3f88d53fc22fc6273a748fcca673cbe218be8b17262471b

SHA512
cf65ce741cd4c2bcd8c2117b986568f4b4684d2724647daec0cd6711fab3989105e76a43b794a7644ab6420d2a2a2c30262cadf2b48e94de63ed129ed8557eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3e37c736c85d96cf74a26bb9e61fbd8c

SHA1
b557c144e1444264c2e053d7a37a9a0a0bf90b4b

SHA256
701299dc974a17821929ab606380a8cfd5342b4a0913e208c7820674dfa4c7a0

SHA512
36c5b2c3a564eb660a1828838af9cf8a03cf873b0d6a6c1370aa106a0814f7f0e5a07af1f31a85794796d6bc28f697056c4836526e8287e74839d3486b4861e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
11cc653234a2b07bb9294434a8f739a0

SHA1
64ddfa09a73f0f3031a9904cae43201cdb0b0907

SHA256
c298a780c4ec420c0af6fed87fa35b8caa61b4566d90f27b2d9d334dc34fef92

SHA512
4e91ac75fe1dfa2215e4a70162399773f28c4fe10508e60f6fa14661f1088860229e94372b7f8626c123dbc86cb9f932ab9d3eb086e67c6b0e81c6cb4b79fd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
caf8da53924b47b5439704a370f45787

SHA1
1dd524526780e8c4b15dcf8859456ab4984b4384

SHA256
fa8b2aae9a6a9086515734edac1b4e1bda323b5398d37f8142c9105fd778215d

SHA512
4278b80f9eb2805a62e9286976e84cd781c2abc19ce3edb29153d3df7f24d96f32dc3d224e5380de890c0b75ef9f17a48285cb854944452884e7eb771cad3096

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e4d1b91d5dc970a2e9769f1f9ffb20e8

SHA1
410817a48ab9394b1e4be065b46707cf7b9b00d0

SHA256
5e890d6f30cb995eb49a6a8e36a6d2003ae040d674cdcd30f68a875f06821bcc

SHA512
9480b34254e15792f2f6dc646c6adfc168f3b7d13f33f3b8a96c71250cf8e7b5a779307766dc2b557b7b4f6663b1d0694edad53ffbd269efefa9c2b9d6ebfde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1562ef55b3469fb6e5d32f60f708a7c2

SHA1
27ca0649204df1266bca113c0ff4a36ac9d3bd9e

SHA256
bf6cddbcf12848f4edad5c56ca6eacd5cd99f977928db848bd291e4682a441a1

SHA512
9ee9fc7fc613aa93b38fd254dd06af58ffa0ac4fb1a0686968f2437e4e0447c3bd984dcda182e140d8ef1d40135e365612f81ea2e4792a15db880ec441be9576

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9e3d879e04d55de4fc080af927fc0799

SHA1
c5f3a920ecf86640620b51add8c37b4201758275

SHA256
fb2962968637e996f1830cd0fb82f52c4337824e0f25bdcc5b58330fa20b8528

SHA512
c2b022f2843f7485b02f4526c703d88eb289328a7850224433510b78bc9ff967bbe34c156092a31ceefbaff8729226f1940f5c29bfa08ea5fe1354e01bc96f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0a634a16549deb211411690d73c7a511

SHA1
d75c88acbdaafaa9d2a76755bdedfe6685c46962

SHA256
008d80170494dc62ee6b2dafd022c8ad1440b12d4d175cfa5737fa674f503bf0

SHA512
ac3c7cbb7c41289d2c683a72fa2fda36729ffdbb5883d5f35678a21daa2658c2a342fe12fd1be601576c9453c96d96d166a0db21a284fd047f3c1bbcb1628598

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
39856782d7e81962a2dcea2195fddd71

SHA1
70b29a677a2061b4f668e164ef2f36afa3e161bb

SHA256
bccb8eef52f775021a592b1a9adf2c70625f694a027cc7a858b2441ba8a28ad3

SHA512
f7bdd63448807f291e9938cea17208b1bb83718656387a32d4a6bf857b8025075cea93c2c19c2532cd1d118eeb14c040d8ac0686618a79832f3c0ca6074da49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c60b15cc64063c41ccd4bdfacd64f641

SHA1
87fa7c130c0a5a51d2deff6aac80356965e9bcde

SHA256
3808448c75b32cae756f3f296896cb09dd7fb8032e529f8cdc53f5912e0fde77

SHA512
478399585e81de7c1e46be0de918a9adb24378aec254a27675cbea8eaf9f7ec457f3359f3472ae0b9224551d47da9d9e38f77e0aa330b46e02a0d9c0e7aeed3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d3b4a34f23c586a034430b9d07f04692

SHA1
da1ea16c2eadb3528fd1ae158f2788a98af7f0bf

SHA256
8d2439e40962a01be13d65c71490e33240f6c6ba8b66aa6b5ac3540972f93e5a

SHA512
b1e37b380b588aea55f5d76d791148dec33085c56b35c13e38948264a640a564153cb7aadd60136ec7b9b1f44b9fd122a97c62c7c29d7d6a43adb6b6f6a7cf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
77b1731c87bc9ce3eb500986675229b5

SHA1
0ed047982025d55b38906a8b8817b9822a907913

SHA256
ab1048394a1c64af6201ff1a3e3763f8355d560ec9e422688abcfcae4d263b89

SHA512
ed056c081f376450cc5f4ae89bfdb16bb06d0191754ccca12e45d99db6fa6cc7500cb39b837350a78b939566e3867c9cdfa003f1e8172bdcdac9881418f3cd67

Download Submit
memory/1652-111-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/1652-26-0x0000000004E40000-0x0000000004E48000-memory.dmp

Filesize
32KB

Download
memory/1652-62-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/1652-70-0x0000000004F70000-0x0000000004F78000-memory.dmp

Filesize
32KB

Download
memory/1652-72-0x0000000004E40000-0x0000000004E48000-memory.dmp

Filesize
32KB

Download
memory/1652-47-0x0000000004E40000-0x0000000004E48000-memory.dmp

Filesize
32KB

Download
memory/1652-39-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/1652-0-0x0000000000470000-0x00000000005E4000-memory.dmp

Filesize
1.5MB

Download
memory/1652-112-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/1652-120-0x0000000004970000-0x0000000004978000-memory.dmp

Filesize
32KB

Download
memory/1652-123-0x0000000004970000-0x0000000004978000-memory.dmp

Filesize
32KB

Download
memory/1652-124-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/1652-125-0x0000000004BA0000-0x0000000004BA8000-memory.dmp

Filesize
32KB

Download
memory/1652-126-0x0000000004BB0000-0x0000000004BB8000-memory.dmp

Filesize
32KB

Download
memory/1652-127-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1652-49-0x0000000004F70000-0x0000000004F78000-memory.dmp

Filesize
32KB

Download
memory/1652-140-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/1652-25-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/1652-148-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1652-150-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/1652-24-0x00000000050D0000-0x00000000050D8000-memory.dmp

Filesize
32KB

Download
memory/1652-163-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/1652-23-0x0000000004BF0000-0x0000000004BF8000-memory.dmp

Filesize
32KB

Download
memory/1652-171-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/1652-22-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/1652-19-0x0000000004AB0000-0x0000000004AB8000-memory.dmp

Filesize
32KB

Download
memory/1652-17-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/1652-16-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/1652-9-0x0000000003F20000-0x0000000003F30000-memory.dmp

Filesize
64KB

Download
memory/1652-3-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download