General

  • Target

    20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118

  • Size

    2.6MB

  • Sample

    241008-lw6q6azeqj

  • MD5

    20eb6b8655de71aad0ba6e71a045b1f6

  • SHA1

    1770246098ea07e2024dd31de0fba54916d7236b

  • SHA256

    685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757

  • SHA512

    bb6a8f071ca9d77ab6c10f90b3ba1ad1e86c7b326fa7731c13fde95554bba97cf374878a64a7ad4fec0aee3301751ab32d280a8c440aa78319fc89f5391f2259

  • SSDEEP

    49152:pAI+mPQQSU9afXEDN50Qx8lMmD4gGovWhJLEx2BwDPw1V46hi5SC0DNdSM2SwMpt:pAI+M4UsuNxyvGoOnEx2BoQVlhi5S9OG

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Targets

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks