ffdroider | 8433fe414ef00a0c1eabb4c12a9274f736715ecb0f73bcc28d7ead059f5f0bc4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md1_1eaf.exe
Size

1.2MB
MD5

9b55bffb97ebd2c51834c415982957b4
SHA1

728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256

a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512

4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2
SSDEEP

24576:0G9h7lhNYhemeqcCLtbvL8iNJqzM3cITaF3+pJiP8LXloL5113GrfhM59ta:0G93SemeqcCZvL8i/qQ3ccJiPiXOL51C

Score

10^/10

ffdroider discovery evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral12/memory/2480-1-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral12/memory/2480-4-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral12/memory/2480-504-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral12/memory/2480-0-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral12/memory/2480-1-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral12/memory/2480-4-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral12/memory/2480-504-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md1_1eaf.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2480	md1_1eaf.exe
Token: SeManageVolumePrivilege	2480	md1_1eaf.exe
Token: SeManageVolumePrivilege	2480	md1_1eaf.exe
Token: SeManageVolumePrivilege	2480	md1_1eaf.exe
Token: SeManageVolumePrivilege	2480	md1_1eaf.exe

C:\Users\Admin\AppData\Local\Temp\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\md1_1eaf.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
251bc3b1fc85a8689b0dcd757d196319

SHA1
15f792b639d7d354c76ae0add2be8819c68a2a34

SHA256
652230ac1de8b2295b6e614cb09089710bf1a46be1d3d70a1388e5c508dd810c

SHA512
3f87d58e3655935f76169f4a50aca8681892a4d0d3d0821c8023ec37358dfcbd1907eb7518429a1e4ebea30320fe411005ff245659f7983ea66c2f313fd3ff0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
74KB

MD5
ea9a906d4175f8fc3790be18f8f4b1f7

SHA1
71c63adce3341c57ead724eb514a307503205f6b

SHA256
a261fe2943f424f0004b720fda1829b94e2d0e4b96d489347fc8ec311755f8fd

SHA512
a0609767e196edb2669bdfaa7b4445b846afe487b3ef8d8107678e67e53f41fbd7c6320f44f92586c2aa96d34a56c4878f6aa587e7bf6e4b39dc7350a43ede86

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
df3aad1c570862d1984a059b6938a9f4

SHA1
643368947a1c5b12ed13b5c4aa907509fbb558f4

SHA256
606918489cdb7da61aaf3a5ce139738c5b23a1fabf29141ccfadeaf112754ac2

SHA512
7590b3ad4700fe7947c4ae98afe3227508767752fc404196e261fb96e05ed29f953edac3434c93f5ce6259e9f46d55b2d669a4e650a7a759a2117fdcff70fb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5c5d90469c0b4873f2253be4eb30c843

SHA1
0f5f6d5770d3b0db4a2d30144dd123e75edf5b7f

SHA256
43502e38067d6a2d05ca59f14c95aa0067aee60fcd3f8a3444a8e0eb9b90fef5

SHA512
d343566b25bf88e2e64f279bc3adc80e5424e3253cd36cc9618430ceb541345a414de03a79c6c838d2a588a06cda85c2883292d95c68a7c526512e9802bf43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9c1e8f3a500fc303d1deed0438ec096a

SHA1
90c463fe8170158e56ac34f439dce064b9d5268c

SHA256
d79dfe06d240ff395b59153e21253b2533ddb84a60399f5fd97befa187aaa59c

SHA512
ac236fd66c29eaf0fd89634718775f0c55dcea7d9ca56df6dad1ab5a1121affd02a5094f2e6805efa672b0b5a682406fd852922dfcca4651c31cd24a46c84d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
24b75241a8e13c78cb9855108e1d313a

SHA1
37e6ecff9d5b156721c5537c0bcf1de4847aa8e6

SHA256
70d98d114c20f5ef22512cc74669e94f10a76e6cae617964d184ce2188ae58d0

SHA512
f81b6b9c11cc5777871191d88adf309b6e1e40e6118ae221209d3276c81083940260041be170eafc9fc3d26e7aaad744098d25c7bdb13e9a8a625d18bd529add

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
057c79da656efe20065a5488cb86a370

SHA1
424e88b45ad6e243d13b8bcc0a4af5c0a309fbbe

SHA256
325ffa1f555119dd2d91cb7044c8d6c3990faf954e4ed3d9691b06affe7b5e08

SHA512
3dcda75f6748510517b1be25246227bce97082ab3318056f77e9649d23ce25a34a960c4e110fe034d3c211729a2b2c90f916fe7b80fed2ef54ca8ae1392c7c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a306f5503ee940ef81606172f2975b38

SHA1
388485ae5da88189a8b4f19740c73d62eea171ad

SHA256
4b45615503974ec52542382aa2942dcf07c55735f501972b7ea7bd7c39fb6e9f

SHA512
7f3046ea9ae04a93eeb0237ee6bb9c998b8b0d1371623aa154d17b790ef7e21404b7e01bf2166df3fafbcdf36def7d6c54b90079a3abe4fde07909b914d07e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d5e6056710ef46db72fdb46f189aa2db

SHA1
f947058289a0dd737ff4eff6452b95c34c69247c

SHA256
67111ea1b2017e3fe076e4e78a946fa1a8b3fb87da190b6a175b0ab7880e72ad

SHA512
91c78cb82a17c4699fb983b7933429d57369fe9163adfd9c86ade1f51148fd6162476df63a103556180af36d7838ec02e84366915b7fa1e468f34602a3537fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c0c6a23e71d7bc4c2e495fc195fe3dec

SHA1
1edf7cfb36f63201b5792b5b4bbfb5668ab520d3

SHA256
b29b612ff5f2f93a6cf59887093cd68b9d67bada13aac53e16002583e8acbdb3

SHA512
f968b715529a52a63e2dc3539a723d7f39c36685acc129c7c6788d5259e376fa48313fc4c9c04df3b5eae62750e5e152cfb136c935e983a6474598011d49c9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
694208b8f30a1cc84d897a3c0678b0ca

SHA1
a37ff09b34a3c4e7b7e92259b6ded56413e59cfe

SHA256
8c9c76050c40ac63ea46bb697b96252e836e7f109ca3e84c60223c220bae97b3

SHA512
df88a219bce7a8d683a6b297cdfe63fa3e522c34b51892156bfbdf71f4def45248dd1afcde25de79d2957764fad29abed34b02a39d6d46efc8815ec5c326cafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9ca9023d5ed957e0d515f2d303d45db3

SHA1
d44f5e075e74317990810237f3cadb06c7770351

SHA256
ade798e2ca4abbe55b12e3d944796b9f699e37d8c9e5ff818dcab7a4dfbdc4ac

SHA512
a624ee5e148c7060e5daa690bfcb976f73c60335ac1ff612e3513419c08b8e3af2473266ddb28de268423909e96d092b30b0a7d80c16403cd71a2476a1e03ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7c59ec417e1813223df0d6e1c3bc8bac

SHA1
bd4b6b89a9ae72cdb806d335619fa6c978d8f587

SHA256
772f16aead9907fbe3c41fbc18af54a6254f4d2c8e6ccf0fce0404c73f17f5ed

SHA512
48a5e16781e21758d802217dcf11ab9a9eb50619e63d57a58416d75b4bdbb4b86c2a6897935a217130f989c5c4fc2d65e85dec6bba52d117af7498168a39b144

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f97d3978c9a577550c7437515d514ad8

SHA1
c6cdfda4be732e0f5ffa405913aead34c1bc697c

SHA256
1072c882fb8c8371e1306cbe68dd7a2caf5342bd285eb3dce321d4ae0462b241

SHA512
33abd254ccce45f82420f2a31267e82c1a285838d0842b118ede632e3ba2309b1d99867d70fdce7783de3749db17b6ecd2a48480e7dfcb55666804477282f559

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
76818f3cd62c2856eda7f3afbb6a55a9

SHA1
cdf44505d2ffae9706c8ab32036f073ba41c2a5a

SHA256
ddd217101256708322e3ef8da28b356a7abf1bf97f5adc202dc720356fcd76f6

SHA512
8983d55bf52a93f9a5d0da03cb47148508ededb330c4e25efbee785f2ef1e5fb83b0a43780ff373806dda418b96e7a0099663fce66979eff27f59071bad2973c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4059b7dc7f5fe28a239087585c0079d0

SHA1
0526720ee229867b56c3033fce9d8300101eeaa6

SHA256
4bfa5b5f24b4c36306a05b4d6de8154ca9b3f0a487bc5f94130e74ebc09639cc

SHA512
5da4ea5583127f355538645b45568293670fd3a4eceb236134bb255af778f67300e021d17b8f6ca6d8e3cd3807feb1d080523bef7fc736a7bfacd4552498806c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2290c49309de7a60e19afae2e059c33d

SHA1
6727be296bba7dabcde06d2f23c9afdf466b342f

SHA256
2b42080c70b64a1a61731d9cb1bc0bba3d032b6d2e48a3d91c83364b1e5897ea

SHA512
8ba1d8893f1089a5ce3629584c0bdcc3d32de294d10ed30703e39ea4012f371c2f6cc35d3320c55e7f1416231b3e7189575fb64cf6b7164f5a1891b6f9ce0ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7d01a9ce41972f0b1c910e8c184f7ebc

SHA1
51e282bb0bc1965d328ecce73beaf74264bde5cf

SHA256
c99b009b75485aab775eceb2483cd1a297ac381314052efe463bd3e1f5de04b8

SHA512
7f5371601a47a8ebff64e923cea9188c3ba32a3c426f5403bdf42c71d07abe7712ed0e421f0bad2781c4a1acbd0714b02c6a49fbc053ec4510c91d06ea3188a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
53c23ed29177ba5494b6d1d18961fb08

SHA1
275e1bc7bd29f9ccc7b65b43fb1e54fe5c50d993

SHA256
6b1aa96ab2c57fd17c1f3bd75409ea17573f44e7241d4dcd7debb2f0c86b28aa

SHA512
e22e9225fe44446614b7afd2d2a792eb9226a8ef5fee40bb98467bea4f0b8172ca9ae903fe72383d3d1582d50880227907d027ad8d9deab4e40eceab13ebf276

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b941c82ae40674095b77dada6b0879f0

SHA1
8a4d9c1fb2522feac5c77a89050075fccc86f8cb

SHA256
c86eb4b6c658b757725c4325263f5e6f7d1cd0a71323c44e8961a12e74f9a804

SHA512
1604920949e2504c60625b836f228e6350fd791500dbdb61e834b158098450e7a7acb84676e47c7d851bac692aebab64af1f828cd98dd0f3e08e20bebdd3f7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f803c0ab62f96b1fc0313945c19622e1

SHA1
636419054da2134d68c558068cc2d7d0e5b8ac1f

SHA256
d6660969bc560f56004dfe992dea4af2a2e9842ffe4164bb6275fa738f9c33bc

SHA512
5f60d74faf2ae67272561692243fbb24e2a94901999b054a4fffd75cf16ae0d20e709812a016e51a7449f0ad21bbc2f53cc7661e030afdb01db6b7d018b232a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
53ccd5a0aaf135343282b4951187454e

SHA1
158975605b9294a9223d1bf2ee7a062c29c6ca3c

SHA256
ca3c8e870bf2e5cf233871db1cedf32b1f5e8c90de905d25141538521f87a290

SHA512
37fd0c8eaca3919e75a034a37715d934e25b9c4cef24b28513fa0424c8bca3153d9a634666999310f696015667e0e72f84bf0a0fb7d381b00cbc9ff9823193e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c13be1b4275a0dd5c782d8d754f75127

SHA1
012f2f14d30ea1de99a39d3ff03771837641aa8a

SHA256
fd7a8b5713ff054960c15a5b0a49b3a7ec6a12b14c4d9e17b8ee1068a5863feb

SHA512
54ad034aa926fc3abd6823f264bd07123182908966381c22d8ecf8fa9c5315e0c822e49e9e55ec35b410170449d4933ced8bfd774d648544eaed5b146df2f997

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
72177675dc3781da47370e4b7a593968

SHA1
60f8efeb05451f8f1268000969280c96356278d1

SHA256
164c7eb23dcf5921f82b84d29a380be6f5a0a67c2484a03b84450074c3cfcaf5

SHA512
00c4aa96ae47158dd56002e56f8e234f58c951ee0c6e884e157337630a5dcc95c0558e0a636a7eaa710607339e8e139075286c76173543c7c6fe656e45ea9ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
01a42880750cbfe179e745b2b34d6008

SHA1
32b075a8e6eec1d97f344d467cb7d8767dc48213

SHA256
4448ccaab327fd8bb13b0e206a561dfbfe8ee5f923f9250cbefdb20b7664b1a4

SHA512
3c2affa94455ea0c9f92ece3bc87c157ac035889ac14350dcd218d14d39952a00456e22548d343518faabcf99238c770e4520c064bb1dc89481799d09518f65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3b862c402598885cb520b96e9356bbdf

SHA1
dbdf79698a5f0ef77a2862fcd4b9cbd7e736e5c6

SHA256
d44b15914c650946927a02b1586a552901f2e7aa3878adef7fe002eb89f16ad1

SHA512
d3d013bd839d247fddf52c9c2e6f56cc163f711e7c41f723a4eb76370fba2696920ee3f888b7021c1b8323d57f2799ff783aa6e5e50f97c82771f2e6283968db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
40d518da29411b582eacfa12438614fd

SHA1
9336f7969c94f69b03f31fd6615bf7603f755c20

SHA256
6a8fe5ede94257add274ff3c22fd596527697e0eb7b6e89c617fe4da89c11704

SHA512
709719a28bbbbc306a20ae7b6596a436a775149e60499cee0a89f96a0450f14a6d1400ccff3ff69d7dc3e50a7e9729ff932494d2c48e08687825868eb1e5c581

Download Submit
memory/2480-22-0x00000000044F0000-0x00000000044F8000-memory.dmp

Filesize
32KB

Download
memory/2480-0-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2480-127-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/2480-128-0x00000000045E0000-0x00000000045E8000-memory.dmp

Filesize
32KB

Download
memory/2480-129-0x00000000045F0000-0x00000000045F8000-memory.dmp

Filesize
32KB

Download
memory/2480-130-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/2480-20-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/2480-143-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/2480-19-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/2480-151-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/2480-153-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/2480-12-0x0000000003960000-0x0000000003970000-memory.dmp

Filesize
64KB

Download
memory/2480-166-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/2480-6-0x00000000037C0000-0x00000000037D0000-memory.dmp

Filesize
64KB

Download
memory/2480-4-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2480-126-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/2480-123-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/2480-115-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/2480-114-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/2480-29-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/2480-25-0x00000000044B0000-0x00000000044B8000-memory.dmp

Filesize
32KB

Download
memory/2480-75-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/2480-73-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/2480-26-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/2480-65-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/2480-27-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/2480-52-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/2480-50-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/2480-28-0x0000000004A10000-0x0000000004A18000-memory.dmp

Filesize
32KB

Download
memory/2480-1-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2480-42-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/2480-504-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download