ffdroider | f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md3_3kvm.exe
Size

924KB
MD5

53b01ccd65893036e6e73376605da1e2
SHA1

12c7162ea3ce90ec064ce61251897c8bec3fd115
SHA256

de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
SHA512

e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
SSDEEP

24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ

Score

10^/10

ffdroider discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral26/memory/5008-5-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider
behavioral26/memory/5008-508-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md3_3kvm.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md3_3kvm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	5008	md3_3kvm.exe
Token: SeManageVolumePrivilege	5008	md3_3kvm.exe
Token: SeManageVolumePrivilege	5008	md3_3kvm.exe
Token: SeManageVolumePrivilege	5008	md3_3kvm.exe
Token: SeManageVolumePrivilege	5008	md3_3kvm.exe

C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
3d3c92209f30201a94ba342630bfac95

SHA1
bf2f7618241cc84a76282fc62b70737fd04ef32b

SHA256
f3fbdf01b37d0350ef4f537e229b0ce5cb864d8b43d2c4d1bedf53b14439ebea

SHA512
d8e090030856b9830581d083d9fcaf7b53a577d676cb1d00097c6a6297eb64bf80d2c4a9332db8636e1dfe3bcb90186102d750318ce2830d0fc1ff43d15bf592

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
49KB

MD5
cf786aa79f52c2f08772c9706afcad5c

SHA1
04acdb997bc3dfc238c1d106896a01fe5a539595

SHA256
fc7a9e6406b5070737e2b54a84be750c52db11405ca8f3449b544d99bedca7b1

SHA512
d3c7336f9eed3c87b9f3273cb916ea0bb5bec1636ff669b8e0231ee4f60054a39752509226d60de529542e05031b96f90b42fd8edacd053868de8f3e8a687eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ac8885d93e2f8e6c9dc3d0224cde9b2f

SHA1
92df06228b955eecab243ca2280312fa2c8c36be

SHA256
86eadffb11f189b6c8e7c42783826c2ecb14db3faf62b40537bd02acd961e3c3

SHA512
da5a3e25ab4618b3cd61325cdd456357f22aedf4c93ca4057dad33f82bf7018e303a02fabcfe534c98e8d36b1b7b5a8fc2387c1446a80f7b00722dded4a8b64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4eef179d6cebb253583309014252509a

SHA1
4cc510d0552f4ad954b5f2522df35c39740ebd90

SHA256
40a03c7986e14dfa18eefb6fe00078bcdaee1f0663c8152beb9340580fdd6f39

SHA512
f6ab9a60d56f3ba63e8d93d7522e66c0a2f652b39bef9ba2ee2b98a94de5e79d5713121fd5a31e650be866422af8a37613cb5212081c1d4e04cb2340512d5392

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
64e1478794737018b6f808385135252c

SHA1
3538603ef569cad89a7593ab7b66bbfef54fe796

SHA256
e392121c5956167d8ca5fe2239156ce63fce60fbcce7b36b5cce5a910f9cf787

SHA512
f11afaa6b0262240e1ebdcd80928155534c69fa90ea882485eb3ddb2e525fa9613ea4ef7555540e78cf2a664407b759c65d61e1ddde1a4131faab207da1ed51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a871b40c5b59394bf043cdc01f5f3e9f

SHA1
ca3a79e0388742f9c8cd2640ec180833fbcd73ae

SHA256
972d0c60e4c1593f392d63dc2a5b16e0c7106a566714374db7bb0da7ea231b75

SHA512
f989ba46e63ad97ba75d584273b12ff037f44b830cf1b4d7ad80331095ec35e02c86f7e81964c8b381dada36c9c9eba577f9626f583f738cd95d4d5df8ba993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
eb48a5bb5c881570ccc2b56fb3329ad8

SHA1
54c7186b563a15426e8387a00a7ee090332a10e9

SHA256
644d9ac4ad8fa476e7df7f78e7238ec8562c6e2a73afa23389db23c451935890

SHA512
84323f7352cd3ad9d3769be9b1c83832d2ac3ef327d370838b3f3be60f8b54829adebb858312c09d2d6ef95f643b5bd1912eb1fd542890b1f864e45685498278

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3a6bbc43ec7eb4c72a6a961c1b4f3903

SHA1
561604811dcde65f516e0259668ff4fad3278ed8

SHA256
09eb3982a46a0e6caaadb84174b4447b2e303ff9aae442b09f0ce1020101875a

SHA512
150fcfeb3ac714e02a55b70cfb9a5382271f587caba8a584ab666d8d538837f3197b52d62534966b8158dea1918f9a376c70850a7de9c787e97024f3faa33578

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7f9668716d2535eb5baeb7801585da34

SHA1
b71bf7b27caa96aeb8a44c4b0312d34d469a37bf

SHA256
1f6d7ec893eb981fc968886040fb4a694b69ff28e543e2a0771f7e4290cb88d8

SHA512
990dc575a6034644e3db9c05feac8afc8ccf863cce2a1a872af207d2254ee2b3a6c3e93a7fed5d11936a0af646d4288ead8a28e2b44b97f3bf524a89dd36ecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7744a8fe8584c6bcfd840af378c1bdd3

SHA1
d1ee0128619dea0f9b7b69a7b7f6fabf7fa30586

SHA256
e088b90f1fe74c1cf636de3b772859eb1a1e1878e102edcbe522909f27245e02

SHA512
8381188ab732fb9c43979b7a39d79db8726db6311532442f3ce51277efe5bcf14ac1a3ac1423a0fcd5895883a26f4ebb3b9f19f92bb32f5a7f923432da86b428

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
84fb887dc2aaa73773574097100339fb

SHA1
314d51cfc78d539dac4b4eabf376eb16223edf87

SHA256
1a70a06cd7dd2d9c3a961a1272aee671571f76b4ce73ce50055e25ff2713be46

SHA512
6bee65888c7d4a811f717cfc6d06c1d805a41fc08eaa39528e49088ebce7fa86eb7db58ed9c3db7d9046f0e588c16251ec6a7b7fd005e8feecab8f75b45157a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d3e7e4092b16c6f267cb1224ade0fcf7

SHA1
a54f2473a864476e7d4aceb6d825151237e88f91

SHA256
58f06b1be57bb1e5775c3d7f2a3107e851888f2b19f3d108c2b6ee8e56f56446

SHA512
4a77fd6d3c8d3c1d0c07c37a24705249fad04b5040b469dd67f31f3b2c594db0839a74ac6b6c8be2a93e029a7c8b1c78d26211c21fc9b53d5c9a89182e081f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ba94c7a9ca3b569144ad95ec70acf7b3

SHA1
3679c1661a698675c85fe27aafa8efe3330d4be6

SHA256
dc3e9d6fba1284f67e5fb574a6b042672c228a6299d911da18517496ac4b24f5

SHA512
42d4c66b385ae08150d9d5ce131a572f41d39b12181fab527f6e04a42947b26c98c2d9b85291c5b679a909ed840810787b506b63d3650265f36982397ba97f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3e63debfce158e194d8e5d9d5c1815a2

SHA1
4fde31990f074ead11dffc9e4dc127fe6985959b

SHA256
30a3ed4af685ddc8290c226e42fefbd5f4c6f0402264a7df5d2501242c001cee

SHA512
d4de9e8b989fb77ce6ed8b38a1288c35f327454c9b6c537e67597b48cfa39b3128dba450e471a2fa7e2eae9439f4bdbbb9fd438d95efa416cf38c80125b5cc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c8a665d20cd53d2d77757f15a72cca79

SHA1
6b1ee30cb2041661446bf742fa76f32798e10fcc

SHA256
9f1b1539002c38146dbee1ec00f405c8ec4674916dc5cdf029f8e211a5cbb5fe

SHA512
6d39a3351a6c8c5f57b1f4368f6350e35d7b014daf1d4b5e9fd18fbe12dac5a28b9d019afd47df5c62490eaced31d3c3206892084fd80fb99ac1c1f887b90dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
aac80233768475c4678741845a233ea9

SHA1
84adef834d151434361cf6fa4c682eb10d6c95a0

SHA256
9572c89fd04403fcfc9aa96b6efde9863f0885b8664893327c249fa04a338584

SHA512
a394cde5d0dfa644b3325941c990f691664557dad0f7619e957ed6a0e35dd424562c64917a02d072f24deda058a227383e9f6c1d44b54401fdf698a40cc260db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b54cef283028c5e37e4c124ee734c062

SHA1
b5f90a603fd8726b5e7ec0740a2d63ad6103c25e

SHA256
59ffe41fdc70071858911fc41cb1fb0273c96f6b0d404d94e3ddf6b0251c6faa

SHA512
4f64299d5d70e3f59618f130aae9ca4bf21a66b0613c9c6d6ae909a8f26386debfad5fe4816832949b5c5b29665370d852cc4e9fe803c2abbf101664d4a3b029

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
46bfc7e3be538bc2d87ce1c51bbf40fe

SHA1
fd85f8e2d43b8b16364b2135d9ff81d3e0249610

SHA256
626a65d55e12caba8b7a2d1db830ebaebd321e05a036fcfb4e549eb139c370ba

SHA512
b69d76fe37697deecf0a48ce0ac4b06ee5056ad54512b39133a527dbef78aa66417552262f86d50a37a11b8313165733ee269fc10f7c4ef5401792403f38acaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
354f962de4e2d5d7ddff86f9df831085

SHA1
c4c5286a42ed1dc45b123cf1933ce3b476183cfd

SHA256
9a7d2f310320eb1a019f76b2d4b7d0336cff7bcaec05e9eb55a7219821af30be

SHA512
bec64ba55f83196af143da509593aefbbefb1cb9e09b18085cb8bfb374b0787aa79995af84d7281a470bcbe1a7f379f94086e6393603ce85268a82de11471fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
165d2a71cf465ef8fb523973df95e221

SHA1
e7ddcb2d08b013b785f71939b803bf00d726c1d6

SHA256
e03728fccc0f6b57046f014201b9707d6cdd7cb30f1170b6c623efcb54da316e

SHA512
97708c21a84eecf303e5645dbd38b10dad84dceea9023158fe10ca2cd4e921fb6a23d853f5949b21768de0f3b60000cca1d2dfd9bc676dd4ac49f94e3b249a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
eaeaabb1eee19f0277d1db2da027c4e0

SHA1
534c9349ba4d5a1faae5660787e007442eb3817c

SHA256
d2de6ad5e13f35d253f3b145e8104c8a19ae9d6c806a405dd519ffa50bb449b3

SHA512
0bd36c5941fd834d20a062865715606cec1d7c3099b8c72353d66793c4c54052cc67e0073ddca00f8a5dab2221d51f26c253dcf6742169d880651d75e5498df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
92a5276d578ef04eda4184f968b72440

SHA1
2e563e5ac75512974d2bc60542f58b75d41cd8c0

SHA256
09687e00fe116cee8a7e412412b6e20acec7f1d7e33ae9350a769b4ffed88154

SHA512
2e49ea9b6abe9fd63068279096be9f314a34f5a7612d3140a13042715545d210f4c9d94a378328b00235a44529056d2117af1aa5ed6b89f64e8f4207bb7e6fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5638226b2709c7af7f1961975bfabf60

SHA1
1c4d998d8182720c2feab64de5a84b2073a609cb

SHA256
f61b80cce435828bf374cf4636617e00594ff096d44c8c14dc815f46907d2d6c

SHA512
f7cea61d8b93ca0d6b1574aceeb999655cc5aafe45b62921d4c39893565461d0ec757302c408811f64ec0ef16aa8b28ef6e8722d0d4b6d516e3f2a59ed9c657b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ed2f9596bf43bd42717c4b1cbd87c9cd

SHA1
aaf29786c21a23adb5e24fe746a09442762a84d1

SHA256
de2f05510f896048c5e4df7499df91a86fa08b2c30351e63f3bebf89cb7a7d7c

SHA512
b34e3dcd80ddfc657237de191c6eba601bd571bf9e6be7eaa61ad85b14f91e1447c2360dd447014814a8592815c2534636299dd082fed04995587540efefc6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
71d016b8653670882488bd8cd75c2c5a

SHA1
be061ec4372503b0ad2ee9f2e0a8ae54c8eb2ed4

SHA256
bc874e4b1cc727e29a573d606cc60f53276c3fd38300d886ef16e06c6cf6188d

SHA512
0fd3a2d268ee5d73281ae666a2d24a976879a7c0e46f300130ff506a7d4dc090fe274e659f0761e6957aeb2fc501e568ea7c058bdb901f53b424906ae284c5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8c29c41fcc58d5426bf1e77a3e46d102

SHA1
40c5869fa13dc6f82db852fbaee34c20f616b561

SHA256
18350cf03d0d7d08795ab10c4a61db61ace5a861e390a1e1cb3a28208ee9e72d

SHA512
5e8a77fdb23beb31a0b4cb19bb008c834c8e4f1ca212227144eb7f57bcdab8f1d1b4608bd1f4446ccf5c5ef6c0f312bf61b36400f1aa92f0c13004c9766fcfce

Download Submit
memory/5008-28-0x0000000004840000-0x0000000004848000-memory.dmp

Filesize
32KB

Download
memory/5008-5-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/5008-129-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/5008-130-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/5008-131-0x0000000005170000-0x0000000005178000-memory.dmp

Filesize
32KB

Download
memory/5008-132-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/5008-133-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/5008-25-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/5008-146-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/5008-23-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/5008-154-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/5008-156-0x0000000004A10000-0x0000000004A18000-memory.dmp

Filesize
32KB

Download
memory/5008-22-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/5008-15-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Filesize
64KB

Download
memory/5008-9-0x0000000003B90000-0x0000000003BA0000-memory.dmp

Filesize
64KB

Download
memory/5008-126-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/5008-0-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/5008-118-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/5008-117-0x0000000004680000-0x0000000004688000-memory.dmp

Filesize
32KB

Download
memory/5008-45-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/5008-29-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/5008-78-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/5008-76-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/5008-30-0x0000000004C60000-0x0000000004C68000-memory.dmp

Filesize
32KB

Download
memory/5008-68-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/5008-31-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/5008-55-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/5008-53-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/5008-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5008-32-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/5008-508-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download