ffdroider | 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4/md1_1eaf.exe
Size

991KB
MD5

f250a9c692088cce4253332a205b1649
SHA1

109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256

0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512

80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e
SSDEEP

24576:Eg8uQXK+F/bExmg5L0OiWQfWUWhElcAcF4N78D:1tQXKCqBL0XN8ZrfD

Score

10^/10

ffdroider discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4852-3-0x0000000000400000-0x0000000000667000-memory.dmp	family_ffdroider
behavioral14/memory/4852-505-0x0000000000400000-0x0000000000667000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md1_1eaf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md1_1eaf.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

md1_1eaf.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language md1_1eaf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md1_1eaf.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

md1_1eaf.exe

description	pid	process
Token: SeManageVolumePrivilege	4852	md1_1eaf.exe
Token: SeManageVolumePrivilege	4852	md1_1eaf.exe
Token: SeManageVolumePrivilege	4852	md1_1eaf.exe
Token: SeManageVolumePrivilege	4852	md1_1eaf.exe
Token: SeManageVolumePrivilege	4852	md1_1eaf.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d

Filesize
14.0MB

MD5
58f54e30eb6deca7ac60c29407f00cfd

SHA1
655b0427f848b3fdcdf73c4196fff2b6cf8d4f8a

SHA256
3fcec09c7824b369b34ad40c88df95bfa60d32db2e617bbcc47708bcdeb29673

SHA512
a5467e3cfd4e4ff754c7df33f10c522b827d875fa0d40bf0e92b031171af782e33725ef96b50b2e43d4610353d1364cd223dad052df866d86540a117e53a3959

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.INTEG.RAW

Filesize
49KB

MD5
3976333bf75bbe7b83207471faf22056

SHA1
31874cdfb8e8a54c9d20357fbdf73b5bc9784c6a

SHA256
c21272bb7a988bfdf4cf3864eb9da35f80c523877c464850d455a67f09745ef9

SHA512
a8e30e506e37ecfb9a905b5efe6f300d980ff40096ee66c51fc4f2317b98bdee7d3c1620a0c85aaa1bff73dfe84ca3eb4917e45234aedb3f42a2c50c729c55b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
926407224df15a10caf40fc9298ce828

SHA1
6f75fa8e1a65e959d62a464fcfc99f0050533c67

SHA256
702f8cf79dd9e9d67dde01190b0bb162aea279b3b70c74322808bc9c9d217633

SHA512
1e91df25d5d287d80ec04212e95ef2cb061eb7850f60968435326d58f8a129bc24090f868e8b70d99bd1c414aed0158cb7c449a1b30152a99c2f4fd43f97333c

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
52cc34948f5c135e341dd212713f5400

SHA1
cc032360546aad1c535b0998a9709f7851631a46

SHA256
a717251c2a877cb54c7b412a9462148ee8b122d23620351ae6f0328c6c9712c2

SHA512
7469714b7db68c88917e85516e129e0105f837b27d78d2f545761a6dec985e89fbe249f0ffbf685c33110139b85ca96287c27cfc396bc914afa7b4d823e81c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
ad58a866bf97e3aa3d9aa136587a5cc8

SHA1
534aacde8723eb76da963dda84607fe7439ccafa

SHA256
9e38a8344af814859c018dfb77eb724c743d08520962f22f95fbabe479670a70

SHA512
b6799227a196cd483e18adf621d407eb8aa04b39df97ad419624a2b70a5dadaf4c6ef84a2a87c4e7091269a8902ad56ea7f2c2041df1769a7e733303a4b25244

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
cdb328429acbc0efeaebfab4ee3eed2f

SHA1
a023d55c23c80842d268d0fd5de0d6ab251a9c56

SHA256
c10cbb8eace9c8ed2c101eed47be489afc6b02faa3de6e730c9d99b35c916e0a

SHA512
89446a66076db7f761deecbd47edfaeede34d80da07f697d2f745ed59a6054c8e855e58e32df50385e3845a204284db1c9b3a672a255b4e69d6fe39518ff0efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
5914297f621150d0bebf27bd8128c7eb

SHA1
ef38ea187d0c74be194ea4ac28d300cc3b7c6ec9

SHA256
dafcabfc6200521fc7ae8ef2fe202acb0fc3620e9908e3981c4d3e8bc916d4ac

SHA512
662153d29e01443b3c1e1cb00fa9508e668f2a16a11dd3cd2bec7ee3dd865a2d9a3dc1c8b935274df879e633820e587ba3af9783ca8dca6ce74f631187b913e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
c957fc9e6988f42276d56624338620df

SHA1
23eeb2cb741d65972a545cc9ae41af7fa51f1f7a

SHA256
fc515a708906060ebd048033f885b3c64c5a73a2e2cef8af7c5a9974f0fc2ef0

SHA512
b42ab56c07d4599f24845cd3d64f3ebf9b0bbd5ef2dc53c285a4b31d9d5053dda08b513a2a90f6e3db82cd6e2963a35b5831fea325eb43701ec51d844fb760ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
cb8194a410bddba0fafd4ec525a276f0

SHA1
eefb3ffc2193ebf20a93b86f56608d73ec71fd0e

SHA256
b291b9386ac190771b269519d4cc39f62f67c599a8395069207875658108a5fe

SHA512
7a2434eb70d6a9e12a5edac585118274e100929241fd2218afe82cbb22aecbc8beb420fcbd3c66697dc10b1f7a952d796e67f3ec6f08ae56fb873f5e03427b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
31a271b58938255b0e09bc9a8a09e4f9

SHA1
26082d035328da9f6cb5eba2f6d23dcfbe435de4

SHA256
084affe38efc8bdab6efd114b25a87bbeec3a2b1228b992229573a2dd916c80d

SHA512
000fe7c00b944950aacb0b96e4352879bfccc92481effc61e84beed9849bf2946b30574fa1003c8a10b997eeaaad6169f8daed7280e05b0bd138ea7bc10c4026

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
5eb4fbc613422f173ceab6222fb77668

SHA1
5212c3693f01398a9a46b8d87d84f434603e7c37

SHA256
e994e0640bb1d18ade56d54f67fd5bac0ef9d2c90a26391f07a89f1409bed93f

SHA512
e2f7e3123f1ea64c8bf4c0a520617750699647b867bfd812b80731c37f644d74fd0bb27d9b82524622b9598bedcab7ae795c803c2b2676e768ad1cbaa36b33f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
247bc2d143127033fd0e239696aa7e4d

SHA1
acd55dc758133c460a3a3a3bdc7382c01ef1ad15

SHA256
6161c72ba76fa6e1bf3df4370c998e87038143eb6b75d778865f352efd35f727

SHA512
24bcef61e62b968736aef10d968539de50e978b05cfe644bc6ac736df00e0fa9d6a1cc8dde631c1c4eb37bf51256bb0c00bee78d8649637ede6f6c7684197773

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
7f47a2f74490393a0e2be1606befa507

SHA1
b3bcb0ecd5253adc200744ac04b733c6e54c3d07

SHA256
f2dc48f6e3ddd6c44f0766df5c78c03a9b5f481aa9bfc59c12888162b2b30384

SHA512
6b2ef7c410c5092b2eb3820cf6ba6e1b8b62e39a7c3c6689d1e9632c810ede6ebe057508473da6cc7fff5c46cd61a7053a9302a2064170864a2845f20d4d991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
9c587692d84b0ddcc1517f5b1d9d3fee

SHA1
fea4316a842c0690d22b3427dbc90e1555be2b4f

SHA256
c752b6af13651bb4da039bf2f0c12ad8c940d0d7a0420e9d8db44ad4894cafaa

SHA512
7f54dce72438c12314e1a0aff392591378cef4b7f8a63a7dea073ccf337f901d593c3cabf2af297b6f1c403ec56cb04d90f02ae63f08ab2aac43b1a55c2cc139

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
3deba472e3a69e0743ebf3810e6a4810

SHA1
306971a845445a88acef46f4d395879ceb0c6b7c

SHA256
1d1e698568de105859227fc703439e1c7db758724b8db1441b43669bd617b8bb

SHA512
dd79abcc3b2bc8f47f7c0f6f6206c15faa988e9d37b0a2454dafb040a4be294cbd31cad6c0ce13842e8a38af29397a6749b3def9e3ba4751107df319b8bb5b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
a4f50f88bc64bfa23fd4761fd2a6100c

SHA1
5088b5bccd302613a9723958a25d3a49141679f4

SHA256
3bd289dcf9af37c5900242c7761a7064ed4fb66f22bfd5b5c1f7c14b2941ba89

SHA512
62a7af73e54725a6b8ff74e421824432bb6a3eb1f8688f25691b8360de76758f4d6bb18a7c8a6d66df0f0e9aeb00d4a301d281b6c2fd63e01928f317e985a0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
fa746b739da82d6bd0a0819819d34b35

SHA1
f0a519f9a3ae8f4cfee7ca4ed1ded8d660cbf44a

SHA256
76e626f247194925983d2bb363251aa45baecc3dd8ca1ec1251928e5ad2d4428

SHA512
6cab21ab75bd09c6dc11bb902bedfa2916689acd705f4c56c4c7cd29ccb215e9af2100075b588d341c377ca1f9a51f9691a94a0aef66a265abd888dd4c5abd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
63a03ba3064caf924be2c620567765c0

SHA1
7d7f328a47dce9fea412e455f7f638b98a5ec420

SHA256
9ca8dd42e233b7dae30d9b7634f26831a177c7d362e668c4c7404d10b4e93fb8

SHA512
58770ae35e81aaa6c87382c8f5be01a761274d569c6f9b1ccd6a869c3581b8e66f81a9c2be16374a5aa96e5f3ee67c2fb3159b14cb51790ff861b3b6e69756f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
1c106a7935fb8d24ea63f3be3a11bf1a

SHA1
59950ea6d6c8efe7dcd50e9406b00727e4d84fb8

SHA256
ffc10336ecc1636cdb7d4f59790f1870e1ebfaf7cc6c5e2430183016d9fde427

SHA512
24e13185997839ff830f54d8558d0b4e418f510e09d494a20bc6a555dc6f8a8f7a4840757defda2520789a1e80a9f402f5fd4efbb002b2bfc9c203ff7a1c1fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
7b6dab3730e624083fd0bdc439804d90

SHA1
91f0b46b2a6457a62bc489a4e250b05296d54798

SHA256
202815f0c793a6b616b6e6c7f839c77efe3a72d7b661362a4619c49a7679dd14

SHA512
84092ea02e60093c19b94b6f6491b9a08816c82490a39ac12891bafdcee581383dd7299dd72e504605297b462ee70f340043dd17e0c4b1ed9c5936835ec67ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
5010c8cf5d1d8c19942158cdaf17dc1a

SHA1
0578ddbcfe262e8d005aa252cfb958e6b9d3d92a

SHA256
35e010a1b8c12ec0b291c8c9ded940ebd31243be2f06972200a543e4a8fb78b5

SHA512
aaf7e29f98134337c4f906470c2668ca2dbdfb9790e09c84c6b5c771fb1477600cdc7a3da601af0b25d2b555669fcd644fe0578b4388b85d8d4f4ee6b19795a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
76ad364c071795e8b6fc0b3aff8269e1

SHA1
5b8fb20fa90bb888e391c7de497db1cf191cebcc

SHA256
51fdedfc60c1d3d2e35464730ab62687d4a60a61c50585c27f5d8e924b5a7dda

SHA512
62c70ace52e29e1acb16057b6793224f4323a681068df85c050158158f5ccdbfaeb4ec9949adca72847ab9a5bf4cb1bff105fc827cd2e4d2114c587f0d7ced12

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
3ef9e2341185bec0c8e28edb71cb99f4

SHA1
dfad98e3e8acf9ad118893d3df08bedfcf624ff0

SHA256
be4ad11d94fae014b130ab8920e6aa1721d7d0e14430ae37143c49e7aa432656

SHA512
5cecf5522dc3320fee47f3ec388b4c2b57679ad110388bed3f69e4598167d178e9f0de1ef39a3b414d9370f55144546b569c399d0e31d1e3792dc5638fecea08

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
52284ab79ce0eeb3c90042ab6855e970

SHA1
305bf99234fdd6eddbfe99f0442e4dea448ffbab

SHA256
23bb05ad23d4ffb49251d47033d9f7f2734fe9e7d242fa8e81328598d7c383e2

SHA512
92d79090e2d82d387a0ce08e9298d053b3679d850eb6cf9971c5c657a4c9eb9f8afacf930c48aa58a9f6a2aa04cedffb26c98607e07a42ee2a714a1a5eb46e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
57ea81cd632caed424a9e7e35f7fe0a7

SHA1
454a6d74e693adfc5b2d9ff25b555abb57df1043

SHA256
5ace4f7eb57f28349178e12b9b6342ac3113e085ef3ab3f0e4eab391845c0757

SHA512
3d0e7dc07f5e939d82eb25f6f142735ffac0e5234dfaffc594a52bc341e581f4ee4d18a322e814bbe6335a510e091a922d1c59547a3ed3650b3066d07565271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
16d8c395a5e54ff35e8950785af93112

SHA1
848ccd1cd1128538ad143ae55cbb6d48e3c91d64

SHA256
26160883b9326df451dd0abc8d6f47470cd6a3e350003b6d89147435728d6ea7

SHA512
0486d1bf14b9e58d6be21bdef09e98abc3d8e084eed4314025a4a59bfbc55fec3e13d94c54fa9c7dd2901c4aee07fa43209828dde64af58f0f07207396259318

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

Filesize
16KB

MD5
83a38a48f18c2fdef2bbc144bf4ef6d0

SHA1
6b94568f44a384eadf1daed3e8c1342f2651607b

SHA256
51d9cbbbc92be6caa5ca644ab97ff7e146ac1b5207cb32a82ee8d3c804d2ff73

SHA512
fb23f7e9624f9b42e523b50d6b4e5434faadea0d3f3da55411b56591bad7752efd33b5a02ed7d45a5711b8ea014020cf21a685d327a24bafb71b44ccf1c42989

Download Submit
memory/4852-22-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4852-0-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-126-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/4852-128-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/4852-129-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/4852-130-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/4852-20-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/4852-143-0x0000000004460000-0x0000000004468000-memory.dmp

Filesize
32KB

Download
memory/4852-19-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/4852-151-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/4852-153-0x00000000046D0000-0x00000000046D8000-memory.dmp

Filesize
32KB

Download
memory/4852-12-0x0000000003AB0000-0x0000000003AC0000-memory.dmp

Filesize
64KB

Download
memory/4852-166-0x0000000004460000-0x0000000004468000-memory.dmp

Filesize
32KB

Download
memory/4852-6-0x0000000003910000-0x0000000003920000-memory.dmp

Filesize
64KB

Download
memory/4852-3-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-127-0x0000000004680000-0x0000000004688000-memory.dmp

Filesize
32KB

Download
memory/4852-123-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/4852-115-0x0000000004460000-0x0000000004468000-memory.dmp

Filesize
32KB

Download
memory/4852-114-0x0000000004440000-0x0000000004448000-memory.dmp

Filesize
32KB

Download
memory/4852-29-0x0000000004A10000-0x0000000004A18000-memory.dmp

Filesize
32KB

Download
memory/4852-25-0x0000000004600000-0x0000000004608000-memory.dmp

Filesize
32KB

Download
memory/4852-75-0x0000000004A10000-0x0000000004A18000-memory.dmp

Filesize
32KB

Download
memory/4852-73-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/4852-26-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/4852-65-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/4852-28-0x0000000004BB0000-0x0000000004BB8000-memory.dmp

Filesize
32KB

Download
memory/4852-52-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/4852-50-0x0000000004A10000-0x0000000004A18000-memory.dmp

Filesize
32KB

Download
memory/4852-27-0x0000000004CB0000-0x0000000004CB8000-memory.dmp

Filesize
32KB

Download
memory/4852-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4852-42-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/4852-505-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download