ffdroider | 75d167249768d3b15728389b25c65e97f6ad92610b26b7d65fe8e2db83c41e4d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

md3_3kvm.exe
Size

924KB
MD5

53b01ccd65893036e6e73376605da1e2
SHA1

12c7162ea3ce90ec064ce61251897c8bec3fd115
SHA256

de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
SHA512

e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
SSDEEP

24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ

Score

10^/10

ffdroider discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

Processes:

resource	yara_rule
behavioral26/memory/1064-5-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider
behavioral26/memory/1064-508-0x0000000000400000-0x000000000062C000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md3_3kvm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md3_3kvm.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

md3_3kvm.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language md3_3kvm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md3_3kvm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md3_3kvm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

md3_3kvm.exe

description	pid	process
Token: SeManageVolumePrivilege	1064	md3_3kvm.exe
Token: SeManageVolumePrivilege	1064	md3_3kvm.exe
Token: SeManageVolumePrivilege	1064	md3_3kvm.exe
Token: SeManageVolumePrivilege	1064	md3_3kvm.exe
Token: SeManageVolumePrivilege	1064	md3_3kvm.exe

C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
5c8960c089198fe07c80b49dcb0b116a

SHA1
3dfc71ed5414f85610e46510d5ec21620667e8ec

SHA256
74be8abed9d197055ecd12ea1d6529de38e8a3b79ace976322160b1ca17da158

SHA512
8c4abacf76cc636bbca78b5a78ebefd1748e0867305d57c8e7dccb796c119e7b99605249368fd338b7d5591421d69606daf2de2a3b9c9800552000c481b79d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
50KB

MD5
0492b21158b7ae66377cf21c154dac4f

SHA1
0867a4b2792e58320d8efb08513265d12be26538

SHA256
fb2cbfad64f99f0dbffba88cff3ddfbbb66fa48ce78bbedb409fa8398d95b0d4

SHA512
6fbb44883e1ff6b7cc6dd31888c32cb99ebdfe1f4962219e4f30a478790994ee2d3c61164c565832ec05f7f53d337b7005a86f8f49a51329de4b523d04b62503

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9df2bc5da98321e0f45f2845a0f14440

SHA1
74db5d55779c2a18b059a8984acf480268565605

SHA256
0de2bf694e91b528b03f873788df3ec8ea4494d69b2098af9ac8400886c6e09e

SHA512
270e0e166379c26791ff96e131f5a6305ba42626f0eef608f52de28f959c4150efb6a51c50c21c2e841707883983c9b62603fd581cff255e0afa4883aa336be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f18e8f0d733787058d87715c80967ebd

SHA1
e054374b2a731838c44621c5c695fd56e90f9ca6

SHA256
bf59d71eec1d2133db0b8d11db10624bb8e4f113d7387b34c6bd2eb461e1ea2e

SHA512
28105aa27478d97c522676c949241f258fa8c87e9a50feedfb411679d5be63977c63016e4837109bc061d8f01826f6e9073645875175ede7de0e6c40d7514abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
15f28b847dc4fd05064cf94fb10b7ed3

SHA1
11151a388fdad67f69fa321f398a779b52315fbb

SHA256
50b61ab501ee6fa7b74a6191a474e65c254cdf15eb0b10a526de2faf1130c84f

SHA512
948ab89e4612f3d406a00d02ea56a594d229d51bea3c434a3e62bc60c9e5d8f94dff50b82d6e7b62a4265f37031835d6f09c652a26d8f267b2f8d5717a16acc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e410a291a5689ab9238d0f2d761189da

SHA1
4a58810f94b33c24e88c0ec6b9a9b8b06f94c33e

SHA256
e78440188b4b100dc0927e533577bd7d120564d7ab383178fae528a427433d6f

SHA512
2633051f9b04807a62820ec7f75d0c7db399236d75d95e8d819405d6b46b658babc1a81bbbd6ebf3c83b3d0564b51a41393d37af34c2db291a3f656606a80fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3868e59a2ad6d0e769c919b68307a864

SHA1
6b9e08574d46dabc242a6097424de74b9c39a804

SHA256
c7e3a664c570eac14f727ae228d0af5d0f0ebfcbbc1f36f5b8ec7b04eadba1db

SHA512
7f4a86a16853be229bb953a485e7be60fd0b32a314317474ba5d943ea3f977bc8c438001562c14b8751428f4f92135ec0a6f1399ab510642c7bdb90302f10b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0ff5661a9a6f074f26e351c60339aa6d

SHA1
1b474321ca9c5e53ad2cd0b58ae4399861a2fc37

SHA256
b2572ea72407e26c242639ade66c5b66acbd48be0179b9881bdfbbdc450a1338

SHA512
c88396729fb3136c547e7c22ebbc15d698c971e227107e5d38b25bb8257945c07be2a9760b8faeb6341fd50ec1d7bd7883b6b40fba1e811d5236adb71dbeba4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
695cfcb07c96a1a0d3bbe313549ae144

SHA1
efcefe9b2552fe4693cce9fdd9f6927ecb259497

SHA256
cb2108cded22c5f15f40c35ae10eb9dc8fdc21a2c6cd36795764fd2fe0148d20

SHA512
db45b257e6c8d12eac6e2f58b74a88ef54197791546601258f067e1457b5988e57976c99ed753ea46c7a57eb274ff06b881618bb3d06824ac724656c5aae4226

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0a5ed76f1e08fb2f06608e01ecfcc252

SHA1
d3c4cf2973ee6cc385a4db837d51650281ff00d1

SHA256
9f235b5bad5838f11dcae3ab90face8cbef500447d3743694cb5ff0587818b07

SHA512
8d5563d66580e9c9e28e099de4528785c982d59aa285773bac149a9c8b7f3349f281cdb9e38b3d1f3481dce17390ea8fa2a5c5b1aca4b1fe7503e070eab515e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1f343cc581aee2dadfb578b9755441d8

SHA1
25d2c95a43888517e08a297cf2f905979197a668

SHA256
af80559bc0f7411d28b7f28d0398fd1a088a7b2f69a0991cbe0402b03764db48

SHA512
3a91e75de7627a092613b1c9331af139638e3c3334948a256b7168d5e55e278a605c257f24c3354f36f46755a08cde544bb0cf1752898e61b7a88f5a499038f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6cb9170cabe366491d918b837401102d

SHA1
217876e7ab2a21d7c3f95f451ce05fc64826f3d1

SHA256
994ada27fac9b49e83cbbb5c5c9ab2d43d9504a6a80d7e453761785f6a1805d1

SHA512
53a1499ee579388caacafcd97e5fc14caeffb53f39e4cadc9bcfd00641f35086dc823c9c51dfbad88462ca3ba8af3d354220d1db5c25f37727460c7f912b66b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6873da4b506bd7d63a607561c6a13f6d

SHA1
885cfd46a2ac682728cc9c34a26e528a913f4560

SHA256
ec091a249851245b2136309d9a79d0e39949893a0e0a81cee1c047c326d0a9a7

SHA512
1ca96f5d134ffaffdc1e4210d0a62942cc54daed3ade4b8c09fcc6b19695d6697c5500c8c37e5b65552b06e724797fd7309be74aec2c63ef38d68e759575c3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
14da33c528e52e52d88386ed8bf1599c

SHA1
a787c45270651df0e725dede311d7058709c1426

SHA256
7ceef7353fe68b28eca0cd5a5484ebcb8464ca89647f7dfb61df614491612a81

SHA512
b4f333520037468d2ec97313c072c157703f8d23c1ccce6bb6876263b1109cb8fac155940911e4673be511def607fa63a97c42e41b93f319228b78c1d0757470

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
52b3cb06b47219daa691dd9d94c64598

SHA1
55ee8b14eeb8c8a83bceaa35c8fca4dfe3691da1

SHA256
95446671e989795b734bff4a94af1b5adb9a5e92d3a1cd01c04c004f2543a307

SHA512
e8182908ba4fa3e0da420e9fa331fe00cdcf6cefb943d9f9eb4aff29578ccf79791ec8a2d4cc5543e44980bf6f007b519a1466b697ce3a5502e61e6377c675ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3180d978c7c66187f9766830106977d1

SHA1
0f9cc263b3be3cc41efd7ec907741249e8ff4e27

SHA256
eebd5c97c5086877c627cdcb8680b4e6254d6a920ad311a5f205fc432255ee61

SHA512
cbd6894ec9db4e239c94a918316ba6d8746c05569df9a8515ca51049814983703d81a17877ba4136fd741878406b639555e156c8e0b446b356d83ae254854156

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fca8fb5a562f486496123e809d4e500e

SHA1
b2b1a33736ee8c500c31e9745898bd2019ae2325

SHA256
0a1d71c82a945ac58342747153d3c5746a40565b0a6c135e391a2e48083136df

SHA512
c186be606129d8eb2bc49754c679015886924ba614b6d010d257197cb0da180987e90eba3e91733f915861c1976929e28e3df75d411aba6164b7c18a4992ac5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e0d445b55d0e585ab2198a0d5d76a579

SHA1
8a44e33ced036bf4b5332bfc5d2cf7b14864d4f0

SHA256
55d4ccebdf6a4180651c3cb12e8f90e8ca14f787386289beeb8881e49aacf4f0

SHA512
0f705d3560086bdea58628929a05a69c17e9b4bfab7207aef04a4a55586cdf0510130bbe9b527ce422746d5cfc65ba87addddce131e58abec4f14c4322438c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
07bc17ac73b011d9f40256e0fe4d2fa0

SHA1
7b1498488ff8cedecf18f29caf8ba3e70043df45

SHA256
ea963b63d2fa924b09f28d6ab2710e0fec3be512fb21d10d362b3ff9ff55f409

SHA512
3e221c2db9c19e75b0095bc5a2be0ea90778d8b1a5af884ea95fee83bbbaae6ffb28d85fe4f226794f2f594be97b0be0720b12afdd5993602a073ffde0f47578

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c67f6a5ef72dc36dd5f4a0294bdbdc08

SHA1
639c23c7acb5e8370378e796d2d1b0e732dd9be8

SHA256
6651c580690fe81411a4a7ac92627404a4acc223fc0232b4905fdc6c9a487457

SHA512
49eba8c443969562ed1c2631ab4f68c5cd948018410af34d0cbb4647e3243fd607ddfc141ad89f2f53725200f3848ea45b1adbccb2ecc95b7bcbf066ef5f7470

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
39bc62eb45cac930db21ae8a299f7793

SHA1
1d8d75b0d258ea2d74115e068edc687bd80bf9dd

SHA256
7b7073f7ac744336e2fa00947144c82b70db85c5733ef1c3964cadeba8baf0b2

SHA512
ed78594a01add31e631113af106fa02fa18783656f6bf78069fbd9d118e05311941f18361b54f046b6ea8d0030282463aa9b7036341d253135a0f256e8e1126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a531b2d66f007add68e32aa4d562c026

SHA1
567a6bf8161adf82b840010a30219a18f015fc44

SHA256
bebb9934a50bd10d7ff1cd09d0239074c49263b09747f297ee8ff6bf44fd374b

SHA512
2d5dfa4c5a8011fa298de6e9ae17265619bc04ed36c8b54960fbbda396eaa5359e6e85b4ea71cd098d57b9f5175321f883410dfc095a5e9d4e0d84d19fac4fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d0f5d2243e262affbb8ee8e18ac9ec90

SHA1
ecf82a11d2297c01326e2ba7e2347654101f6e97

SHA256
5dc08b0adcad292b047bcb1c1c46722ed7965204c7e038f84303daf10ae07ca4

SHA512
31398c4a0c32ec16a28c65c0778c1a7126a3c0ba75997c750057dc0efb18f6521de0c034c63d73d8b4aabb2077c584dd78a4c49a9ddd4cce60c0a1c21a026168

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b73c03df83b560a93132a6ca43ba6359

SHA1
845a1cba8651b37ec155ec79955f2370d909efae

SHA256
f8e2b8cec53642ed71cd2173f98b9e66a1496c77d5a423d2da0efcea6dffcd88

SHA512
22ba723542923a016f2191b09db8de09cabe8851dd8a744323426dbea35f63a8b10ec64518eeab1537edf5e67093b0351f1c1bee464cf52bb5fc6601bd1dfb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ec36fc5a206ff5daa30d3d63e9fdbb51

SHA1
a6d1ef52a24c0b7db9af4440c4d89e193eb91e43

SHA256
0672001bcbf6740e8c77e4a9f6f31f74390a7a61eaf49d04c8c26908170fa531

SHA512
6524df7f675a7d62e2fa1427edbab745fd777f1e5683860c66e8a72ceb49b6e571e0f061da4a68574108dbbefc0a194997ba8631d455f166a0e2a542a2d07d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
daeb06d29eed0d39f61f704d35bd79e5

SHA1
7b00da039dd6952cbdb70d87909bd9425dbfdd7a

SHA256
1fd63942ecbaddfccf42a5e77c39646cd13861bd14e82f04b884abceaac9527f

SHA512
56b735e34e7965446752d9e94911f3728811ffaa020e3f5cbbebfc71acf602d242443997178baa0ec714512ba02c5e4df7af51b733f217ff79cead8bed17949d

Download Submit
memory/1064-129-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/1064-25-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/1064-68-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/1064-130-0x0000000004D90000-0x0000000004D98000-memory.dmp

Filesize
32KB

Download
memory/1064-131-0x0000000005040000-0x0000000005048000-memory.dmp

Filesize
32KB

Download
memory/1064-132-0x0000000004F40000-0x0000000004F48000-memory.dmp

Filesize
32KB

Download
memory/1064-133-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

Filesize
32KB

Download
memory/1064-32-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/1064-146-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/1064-31-0x0000000004A40000-0x0000000004A48000-memory.dmp

Filesize
32KB

Download
memory/1064-154-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

Filesize
32KB

Download
memory/1064-156-0x0000000004EE0000-0x0000000004EE8000-memory.dmp

Filesize
32KB

Download
memory/1064-30-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/1064-29-0x0000000004890000-0x0000000004898000-memory.dmp

Filesize
32KB

Download
memory/1064-28-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/1064-126-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/1064-0-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1064-118-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/1064-117-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/1064-45-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/1064-53-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/1064-78-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/1064-76-0x00000000049E0000-0x00000000049E8000-memory.dmp

Filesize
32KB

Download
memory/1064-55-0x00000000049E0000-0x00000000049E8000-memory.dmp

Filesize
32KB

Download
memory/1064-23-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/1064-22-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/1064-15-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/1064-9-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/1064-5-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1064-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1064-508-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download