ffdroider | 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4/md1_1eaf.exe
Size

991KB
MD5

f250a9c692088cce4253332a205b1649
SHA1

109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256

0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512

80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e
SSDEEP

24576:Eg8uQXK+F/bExmg5L0OiWQfWUWhElcAcF4N78D:1tQXKCqBL0XN8ZrfD

Score

10^/10

ffdroider discovery spyware stealer

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

Processes:

resource	yara_rule
behavioral13/memory/2068-3-0x0000000000400000-0x0000000000667000-memory.dmp	family_ffdroider
behavioral13/memory/2068-6-0x0000000000400000-0x0000000000667000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

md1_1eaf.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language md1_1eaf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md1_1eaf.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-0-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2068-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2068-3-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2068-6-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download