ffdroider | d335aac3dfba859d42e1280289dde0f4bca2d13d49077220e84afba588df0680

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe
Size

2.0MB
MD5

770986a9dc4ba53e1614bd2c332d3fef
SHA1

b45eeb63a90a3c6746a85fbd08b10f0da2ffe5ab
SHA256

d335aac3dfba859d42e1280289dde0f4bca2d13d49077220e84afba588df0680
SHA512

7d91f021a6afac01951f654e0a214e585a9d4e8eb139c205b2d592ca6e2761f1b4d62104ea38010526f820bff8ae0fcb2d3d7116ad996e512029ce69bfbcfba5
SSDEEP

49152:Xws0SgcddjsF/Iz8NE9cymBlyet9X4MFPrtMizu1za:XAJs5Lz8NZyEyk4qPhMvQ

Score

10^/10

ffdroider discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3740-503-0x0000000000400000-0x0000000000912000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

description	pid	process
Token: SeManageVolumePrivilege	3740	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3740	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3740	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3740	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3740	770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\770986a9dc4ba53e1614bd2c332d3fef_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
e0e33282198037ef31d71d09824ecf4a

SHA1
33d5dbbc765ab7c5aafcf03e1a2a50da7a78533d

SHA256
8b1b0336e8a88e0597ccefda97d6c0fa550f95d407b65e6673c3976d00f9db2c

SHA512
ede5342ec7b81dd3a1b398c5161ac45e3df9aebeded76af6d94777c17b0177db3e419919cbc2f3b5e03738b2eee1df2b4e246035668012a13b89bf15db306835

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
51KB

MD5
febacbaf15b3245eb922a1cc15930922

SHA1
3bf1bd229ad78e00a3a0e7b61c512e6fac0e8622

SHA256
188dde0e9e6e909f4cac2ac51923cb26360600cce42317755bda970e82b2c658

SHA512
2b8ba27ed645503a7959402c9025e8a1ecdc56a3312fa192fae52a1f091ff3ee4eaf65dc7256f8a29b249dcd4666a90f040d9b6c966a788ffd7f4e9d25a12456

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
751b0c26ed3eda45ec0467146305de27

SHA1
d25226b04b9c1de318b70a79efddbc77c843d7b0

SHA256
b73ec94a765dd063840d577fbfcb0860a6c714d09481ab06a1b441c34dd33dac

SHA512
f8bf352c4c6ce128dcdb006709b485a6f5f5b59780511db2dda03af592850feb2ae491787229765e79d498883a2ff91f40fe6fd8a8d1c255d63c5f44f3187973

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0445cd3f02f4251405e4205a385a5b0b

SHA1
0d8c8aebbe7114b4c9549d59f71d15fc3ac66936

SHA256
b7d6aed1a70eec361838496652fb1ab5eaf44c1342a4a8048d352164fcb34c0a

SHA512
d8531151009cea5dc7936ae419564e9305a6eb30c462c010cae9fd578cb04444dcf3b314f5aa3e0f8a433cda6c323bf38629fd2602ff5e9ea229573a5d18f5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f38158fe5ba89dd421eb2ce0aed8b79c

SHA1
f126efe782aefe13f9a3db32e81565433f0a25da

SHA256
ced537bdc52233c8e54f41bfe3ec9dfb01de81c548b595f094bef84d6a63a3ae

SHA512
40ad5c5c15237bc70008106a134da818e99e7ae8be16eb21e9d55bd0d5673be2f643898adc9062d6dacf2ffec7b8132fc0d1d8916fa98aeb6a3fb852ef4c34f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c1ada3d2e16081afb21f666a42ec0f6b

SHA1
2357ec66e1fe8f226e075b485264ce69b2716f26

SHA256
3e15cf0946b53b78983051ffe54647578e665b37b54116a320f970cbd53ea23a

SHA512
e2ac52bbb4567de520626c0039982cdcd02aa12fb84cdd27342ef4e1e6fb142fecd250c8169a7562af488dbe49bbe832ad36a8d1a3af55eafc6edc4d9ed18b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2d9621d4f78ba88b21c26c42b101593a

SHA1
99a6c281b8bb28643731b337299d05fec979ec20

SHA256
75436f8cf21feb7f4d5d0c79403f5f589a1410a57979a5b9382bd0f7c2709e0c

SHA512
181674cee98b3f49bb1df3b59bd9e14e7199f7f5fa8f6d4b24b19ed189768598d64e2dc04d7eff5de18fcd0f47be2cb8ee4831c04ac5dd94dfd603aeeb7140e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
20e666c0307bbad634cfbe02e5f099e3

SHA1
fad42981e580e562e6e46c8c2f164875a4024aeb

SHA256
a4172fb3420e52cb9df1f41c5376143d73c5c1849a8c13fb2d839f46da27a253

SHA512
b8ebe96231b48552827a82de8e2874e3e25b87f63c239744a89ca28496017207600f94c2acd2dcdcf1903f84da28e807d55f9ea086c71d7233a19cc89ef2acd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8f6b3f5885d713746238e9083a3d9ed5

SHA1
8ac90c60e114fefc4f0d757defc6f707494851d0

SHA256
af95ab867fd6a9e9fcef60739b2fb0653dba6e287db8a7ff85877e2e9a246c42

SHA512
1541d0e12ad49ab7768cf4b7431b58db7bb65e8ebfa9f0875ef2fb7c80c6e6609bba671d2a5898b92eadbebf5dbcbcf75fdff603da3f8ead407fb55a6255adcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
87ed9ed7e5c4b46cd5bf90f6a6732989

SHA1
73b0b8fd61caa649532e10a451291a2044cdeadc

SHA256
601674ff137b70a6bbdcbc0c36cd74943efd16e1d942c0ab48fab02ef01e1321

SHA512
1901d6e284223b5966e0937da421a19f819cb65ed115f20a7931d193a1576929bf71a3c8da44810317bb630536abbf1393e86d0c2529c435bcd8ff2df242caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4b6e4ee66d51e2c7e592c5976c67c27a

SHA1
e0c8666faff9f7644a2da763c83e8c445f6c0ea7

SHA256
46536079e6b1dbd6524674fe9cb5c8ff811cf127294e76356e0edf011d619ae8

SHA512
13620ad43d869d954f419988c0ad997c85e457fc67d74f1f7364e7755b3974736b9f21d24e0f245403abcd4b063cc0f3f67ab6c70c66f96776c0861075ee68ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dd1a30a66efbec10eb9985904337c041

SHA1
e7d422efecca35c00e880bf77ab44fd9b9025434

SHA256
a50ff43161c11462e79527d8b065538c7c425e77960641323d13bc223787149d

SHA512
ded7cc5b4be7609ff1f3dfd8e43fb98af38f2a192f0d69a0ce24d04175c95cf09f8b52324bbb756e70eef5834e124885a12c9ea7c95911c77af7c6a63fb20fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0b3827cd34c51dbc7fd4c9088be52d3b

SHA1
a7be7af9b24be852ffe861daff2288602417b412

SHA256
0934f8f7f96573ce9e17ff58c21570b16696d8150f09f58e23cd4e8463dd1359

SHA512
718a8434b3cb6651a89d0a2d0bbed5affb49b1060b21ef93f2edd7b85b9ce80bcfc6bb130fa09116b204a0c62475ebdf122407680b108e448cce8acd210d1b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
17bfc97327121e3f4bf077c7fcc26d66

SHA1
8c5021dcb2acb965a2b35a46bc079fc97e669e2c

SHA256
a01ec56ce20f19e5c96db29b6dd91c5eed68e6051748adeb19211fe01c898e92

SHA512
2f26d7f3ff71d8fafb2c358d180bb8e155cf68c686601a9ca48da779b9badcbfdf1be536ed312d31e0fd92acc7aded1ee1840211a7722016ae5ea0d0dc6b8562

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
47e26158f94312d1f6565d0b85742f9c

SHA1
cf5c7a1fa09255c87fc8c4de36ac00627704901c

SHA256
e8a4613ab1889acc9624dac382572cc2b249dc245f45748b6b52fe40b651f878

SHA512
093d6cd0b0d4ac05198ef359ee3f22d8e67ce87fcec83e16fdb9edfd42306c9c8ba231cb823835da71b6b81573be1b46928e5de0cb965826d24bde229623a79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f28297391ec6413b6e18aef88736ebec

SHA1
1b22225337414b4ba36f580abebe42be33cd48dc

SHA256
cd389b5c2c8b9310c27d3ce353403de3176f00bf5f248d5e4adb50a629210d28

SHA512
45e844e2755e7092178be84b4318e6e8d9bfec13fe156b343fbbd7a1627ecbacf72776aeba766c2282aca9fe155ba8c686c21967f7020d81c0d249e4a0365187

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b7602a1ac4ff678cc8dc489d4f79a674

SHA1
1cd3af8b0c18ebb06277ec2ff32a8ec2aca161c9

SHA256
9d38e88556b093bb5c46a1bedcdd6926f5ebdda2cca780d7cf6edbdb4ce8c5cb

SHA512
6e59c5c4856cc231f7812e6651567ba4994567088c4dd7c840a86633181099106d682eb031e6cb2022febacca4ece537fb71f0e9aaebefb7bd1ee0378b4f267b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5f25d1e4481972b69a8db816cad9288c

SHA1
bcbb65d8751bf7a38779c527a8287f5503a1f092

SHA256
d54fb16e0e607c22515f27643e64943166e5d2781536423c951a7fca57ba3fa4

SHA512
349c62589ddde8c95c3b37d552cb0d22fe83c1dfc8fdff17e70e2f20c63dea8a543733f0ed5b88954f6df423cc8c2fde28b42bdc18ee5e185cfd5953feda2799

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cb43739fe55d8865d608df9b99cfbf8b

SHA1
816b7e26322d947e2c0744320445f8b84bcd9517

SHA256
e1d4301d65e2add62f4168029c6257274a93ed7d81e3c7087e365de585deca94

SHA512
f75bc0a2b2b4e993f8dc43e26a5c99f4fa7a4b6c6bef7bd032459fac41662af5efd54080635dea0e1d878771d87723ba90b9f8d09f226d7a4f5551892a20b7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
54dc1c93ef3d1b1fdcedf4038d4ef218

SHA1
61f3af6fae5de14ddcd91d9dfd5d9f47fe117156

SHA256
91c0f8e6e5197d14d83f07b024eaf7c0304f9b8277a317bab4e2d7b5cd0dad76

SHA512
26fc1f592ac2e9cdb972a1360f6da04d370dcaa7c836ef3643000c85feef5ca4a3c95aa661c0ca81064d1e2d971b7763f6e83e827b181ca1b7e10976a9912cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8ce8002e67073540ad8836360cb8be8d

SHA1
9e8f90f87e2196fbd34b90ed8c6f31a9f4f184bd

SHA256
ab4c878d55aa196d321d24e70b6971ff2fbc4633247804e36d2e3ffd7c269ed0

SHA512
fee933c24b39dead5ccc0be4bafc44733340e11c7f3c4f6126f520d71884ad752b547b43e541f4ed5945f262d01f4b1737382df2417102af6c8363b67813c031

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f36e38488b303b548fb30e69a59677d9

SHA1
2cf17ae5272bed75a1d5d3c3082102a5e3fcb3cd

SHA256
520c0d28a027d22134a597bd4c60d2b6fc540cd317c72661df0af3ef5871ee33

SHA512
fd7be1bc398860af60d883c7a58e801ea0f4651050d513f16d0e37a8520eb9cc2bc969fe144a6db9ba7186c6da5bd4def66622e12782fdf90837aef77f506add

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
15b90f74e1630b1aa71313ecd60794ff

SHA1
3b76cd2f8645d6a1f62c8b6e9446390eba34e946

SHA256
8b2b4def48b223d335d39ad086db340f66fd6ddf34446637a18a77c5e102ef3a

SHA512
de808dc66918701f335a3e30867799fd3513797a72b3aca010c55f0178ee75b801efc091d78a49802063971e39c0e0d84a9b6de7c74d57e67c18d31b5def2b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5f4b4cca01c7542b43ba32d807119003

SHA1
35e15450c5d737c1872472469b1b34793d9203b1

SHA256
3d8bcf96bd679763d45353f2582ac61415049db4b2deb670471f2f95d5906a36

SHA512
4f81adc2302cb803cde137b30bec1fbe9e9a796e3127909e2b03c4c8dbe98d73f2a47e1c3c5b30a8ed4dea66dfb77b7b82f22dbfcb956e6d786ed8e4ac4ca4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
029f96286e45381c801e9f7e50d39056

SHA1
ca3cd6cb6bf385c5dc587702f1280e687d0b4850

SHA256
b61a9bb4bf8fdcc9f3a2be814f95f87b7f9e15d47953fd2255c53a4c656fde11

SHA512
f1e342b3ecdbc366d4d83f83b8de5419b25d08a3505aba6a71e47e5304f8df5e35b17dd2f4a5167289662bcab78b8de526c2a1f61df99cb776817acb45be3762

Download Submit
memory/3740-40-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/3740-63-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/3740-124-0x0000000004BE0000-0x0000000004BE8000-memory.dmp

Filesize
32KB

Download
memory/3740-121-0x0000000004BD0000-0x0000000004BD8000-memory.dmp

Filesize
32KB

Download
memory/3740-126-0x0000000005600000-0x0000000005608000-memory.dmp

Filesize
32KB

Download
memory/3740-127-0x0000000005500000-0x0000000005508000-memory.dmp

Filesize
32KB

Download
memory/3740-128-0x0000000005370000-0x0000000005378000-memory.dmp

Filesize
32KB

Download
memory/3740-113-0x0000000004B30000-0x0000000004B38000-memory.dmp

Filesize
32KB

Download
memory/3740-141-0x0000000004B30000-0x0000000004B38000-memory.dmp

Filesize
32KB

Download
memory/3740-112-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/3740-149-0x0000000005370000-0x0000000005378000-memory.dmp

Filesize
32KB

Download
memory/3740-151-0x00000000054A0000-0x00000000054A8000-memory.dmp

Filesize
32KB

Download
memory/3740-73-0x0000000004E60000-0x0000000004E68000-memory.dmp

Filesize
32KB

Download
memory/3740-164-0x0000000004B30000-0x0000000004B38000-memory.dmp

Filesize
32KB

Download
memory/3740-71-0x0000000004F90000-0x0000000004F98000-memory.dmp

Filesize
32KB

Download
memory/3740-172-0x00000000054A0000-0x00000000054A8000-memory.dmp

Filesize
32KB

Download
memory/3740-174-0x0000000005370000-0x0000000005378000-memory.dmp

Filesize
32KB

Download
memory/3740-125-0x0000000005360000-0x0000000005368000-memory.dmp

Filesize
32KB

Download
memory/3740-50-0x0000000004F90000-0x0000000004F98000-memory.dmp

Filesize
32KB

Download
memory/3740-48-0x0000000004E60000-0x0000000004E68000-memory.dmp

Filesize
32KB

Download
memory/3740-1-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/3740-27-0x0000000004E60000-0x0000000004E68000-memory.dmp

Filesize
32KB

Download
memory/3740-26-0x0000000005000000-0x0000000005008000-memory.dmp

Filesize
32KB

Download
memory/3740-25-0x0000000005100000-0x0000000005108000-memory.dmp

Filesize
32KB

Download
memory/3740-24-0x0000000004E50000-0x0000000004E58000-memory.dmp

Filesize
32KB

Download
memory/3740-23-0x0000000004CD0000-0x0000000004CD8000-memory.dmp

Filesize
32KB

Download
memory/3740-20-0x0000000004D10000-0x0000000004D18000-memory.dmp

Filesize
32KB

Download
memory/3740-18-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/3740-17-0x0000000004C30000-0x0000000004C38000-memory.dmp

Filesize
32KB

Download
memory/3740-10-0x0000000004180000-0x0000000004190000-memory.dmp

Filesize
64KB

Download
memory/3740-4-0x0000000003FE0000-0x0000000003FF0000-memory.dmp

Filesize
64KB

Download
memory/3740-0-0x0000000000400000-0x0000000000912000-memory.dmp

Filesize
5.1MB

Download
memory/3740-503-0x0000000000400000-0x0000000000912000-memory.dmp

Filesize
5.1MB

Download