ffdroider | 07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
Size

5.7MB
MD5

5f122b902a524ad2197a0074c29c9926
SHA1

384d649692718712e83685b166161f930472488b
SHA256

07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41
SHA512

2a91533024bea804f23da5dd50c481e422130d739c45eced2b4ffc9c79eb3f2bcaf6d7708db0ff796a5d4622714606c6670560fa4f55dfc3f4d548fdf3d9b49d
SSDEEP

98304:Y2b4nu+hxLKOmKpGkn+e0WUqAaYeebUvQ/qpyr0k9b+iHuNeRQhMUI+iZ7q1zPP7:Jfzd6pnG+iHuNKQbI+7NAjtVa/uG

Score

10^/10

ffdroider discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/2396-0-0x0000000000400000-0x00000000009B3000-memory.dmp	family_ffdroider
behavioral2/memory/2396-603-0x0000000000400000-0x00000000009B3000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2396	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
Token: SeManageVolumePrivilege	2396	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
Token: SeManageVolumePrivilege	2396	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
Token: SeManageVolumePrivilege	2396	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
Token: SeManageVolumePrivilege	2396	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
Token: SeManageVolumePrivilege	2396	07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe

C:\Users\Admin\AppData\Local\Temp\07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe
"C:\Users\Admin\AppData\Local\Temp\07d4233824e6ede37efc81c9acf66316f64d170802a47793de957acf9a664a41.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
3a1a2e8a466f83df14dfced45d29e40b

SHA1
aae1d9d607b77795d936a013473109a942e49051

SHA256
f4085f573fe85d93dd1b54b528acbf6c0516063dfffa8b870dd76d6988487883

SHA512
9d715758189e78aa385bf78871f984f2c355e04d319b1b6d6ac60316016cdaf6af7b451ca417f779d62d1b368c7df785f668fa9c38e655aedf0a7ce16050f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
51KB

MD5
50255e0052b5b17f22bf8d2dc0732228

SHA1
dc5f75b9b4a09c37c3405c305a47774494199235

SHA256
4ec4638cedc52b427eef57cedaf2e49656b1fb197ca19663fb6f33ccdbf41eff

SHA512
ecd25aafbc69144713f614f09dbacbd30f62cf5c7d7df8bb3346ce75427eaeab81ed38eae0645ce879707fd05a072cb2ec5cc9d0cc969fe8622c40a908bafd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a8cd200d60dcca224279bdd48b924b1d

SHA1
0439f86a4c8e8891c21c8700d920cfa32a5070ed

SHA256
6c444dc93dc47ea921e0f3d598f2c2c13fdfb19cbd228c676e230a9f1fcd4708

SHA512
a2ab0d74703716dcf4c97af39ca5920e515d712f24e99d534d584e8064db09ec4148781ff6b0345532fbde6418b6402fd9f947fb1651196d97b3ed2d5dead909

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
49d45a23051565e52a2a87fee053ae76

SHA1
c559a8e024da0bdba3927a56f605fdfc77b7c0d5

SHA256
c7152444c82630f8cf6ac834e30c2a419a3cc3ad4dec49296dfb07f98c28d50a

SHA512
511b22ac822084248aa9870d1dd7bf264b5e18a8008f6cd8f03eb322750af46dfb09a20d8886a89d8a9f5912510e278a65eed359c77850ea4a94ab1b99b235af

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
50ae169905a80708f7bbd5bdeec83067

SHA1
c31a7d43dfddaa751425bc615ade0d0aee20787a

SHA256
f521cec776361a0a87677cfdac41b7f6ed0e0bd2c23a11524b5483f54a617e90

SHA512
c30b772a2b0fc3faedbdd800d2111a3b360cf81b2c723fd62d6597c0486b4eccf5f58ecdb75c9ddcc9e980db8be4d0f124c8d999b74a5f0633fffe3d16c31a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
65ae57696cb566f87b4a7b4652e34449

SHA1
e6bf49216d8586930b9961d34343ede1ad0fbf8d

SHA256
2786f35a622501f28241fce6488c7e1c4666d024511db0026fde96d206cfaa4e

SHA512
3114c6a83eb8c03b4db7aad8a14ca9d044a86c585ddb288b02312b3e13389f54f88717e59198dad4f715ea0696154897d2c1202e58eee73f399a538c7557bf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1dad62e3b4372648c84d4afb191b8d52

SHA1
309558e94b9059f863459f53455a07f61f47a21e

SHA256
2ed9b43e154e8ece5e37d25e0031c6b6e8b9523a2e5539f3f1c163ec01e812e7

SHA512
3af2281977ae7f6b478f356cd7f899300968bc5ca60663ba36531caf8752c621f161ef0328398756d139ea97da929ba7cc05cdacd622e1ec4b4942275d276a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f62f0d5b20037e97c02823e5ab155e99

SHA1
657ddb3bcea2a7f2ded20d541c34558e8dd88094

SHA256
77109dba2d5fb3ac1438162ca0186dea57c9daf7f503a0495f3901733f97636b

SHA512
e24311cd2edf8c3ac17a20f0ec48d9bb3e192568d97d2831ae0004505d88167f7281e5544a1cd458cc8f70dcb70a7aaeb6b02bd0821d401a26b9046ca2c72d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
735da6e9b6af3ac6ea7bac97d64a918c

SHA1
19a3bfadebe02a6e095465b10abd6ce108f32e63

SHA256
e2d91a51e96b19a32e1de4aef23d0b9ca20c72c4f4b12a4e2b7db5b38aab522a

SHA512
b15ebd165c2611db16746ff8dda09ce14266485bcd7b5807f53704064c0922b89aab4b28d5747758e13cc2373ed4303df696f2c5bac38fb6c92f524d2b95fd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0eec06576697a6e8e426d96732312eb3

SHA1
177537ae930197c40cf0f731baa0688b7415db4f

SHA256
f8f9ef01e7dda4d070a1ef40b041534ccf0f8c8d442856f13488c2e5d9a42fe8

SHA512
87ba596c991d9ea019bd00b92105bdeb9332c64cb109d641f2ec15549d6a78ae4091d1eac032834c0830b76a3a2e1fa4c3e9a52f015a349c7ee09f10f1bbcd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8f25074eda31dd51d045d270474c373b

SHA1
96a816dc01233a6f83af8b5d1155a9e93ff6a11f

SHA256
ffe9a90e9b692aa1ae957ffb03339876bbde4d24544256c40ead3578c4fb4baa

SHA512
e8c304574027fb2d51b391e8c9cc7048b91291570d37cbe7f5a23263d4ec814c0104b8d9e314a5e499600f10cdebbe22bfb6b614873c7c18ae2fe380a92d5003

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
71957eb03cc162d5d6e3923846336a17

SHA1
9dfd10db60c7cedac96cf28142bf73a9784dd854

SHA256
c6dadf6efac0a9e4e146ec645e799666dcf3b53d9c424e8d1a3bca8da4916e9e

SHA512
a72cf33e93411cd5457cf26c7fb6c68f0f34280567db1cca25ed134695e649c16248e373ab0a4d225653c6a0550cd602657ac65f3037d38904610be8b8cc29d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4849610701fcf181ab15cfd5997f67f1

SHA1
d09b3512043bdcfbcacb4d5a543aeaa771e73ef4

SHA256
ba16c4210111bef56c67587d465e952ddaee99e094afe95a6a3587dd3ff50dcb

SHA512
bf4b96f3dafa209e21654e44859ba625f75c66cee2a50b2fe123708cca9e59dc042dcb51dde4391f3e91d49c3cb26f739a63be1bb44a827d475b41618ed77854

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
68d3e4936aa6bd6630bc370b0ed9db7b

SHA1
2da5e2ce709649614f0ce53d38445ab78a82c536

SHA256
fb414bf8f8d681a11fa53def6a7f505260433c12b30e910e15c096f8d9a767ef

SHA512
a24f5d7fd26c554c0dce7af47895f5e16734b69a8dbd3696a8e53470ca782a2cf022d7d119df7ddf9ce73442557bc4737f3390f6d6309e42c3adb50680afc717

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f981b497104a5f274ae1412f55f4b2f5

SHA1
3dee1788d3733c312e38f063dc371308ab8259cb

SHA256
4ffe925a8031f1fc262f964d5e71e77ff605e6253faa319f8d7831c395e4bbe8

SHA512
553f5a048928fb37b55195e42a204c1b9a5774d19d6157c429c15e552846b1f21cf707027d63ed43d18561230a292cd3d87e4e27fb2c9c5a2a6ec5e630003e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
37a310efd65ee642f5bc771c61263b64

SHA1
44df0c5121d4c0bfbada42fd33c40eceecb17b03

SHA256
492357214b992c81bc87b802ad1cd25e8cfc69027ba5c2b32c913693828ea84f

SHA512
211c73e7d7941fbad12be4390d8cedb5581a95ea8b72f66229051eeb60592444edcafecd34ec54c9c4423b2dd1c4a5e7f8d76c977a7ee22f4c534735c1832009

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d338be43c56cb40f729c4e16c6a8fc18

SHA1
0f250efc2e7feab893f11ca7b7794a5feef2765c

SHA256
59d6244d641efb3ee4ca9a19fe643e5355dac59c6b459d10adb6787c4a532786

SHA512
09729958902bd3e94fbb40a55c7b08c989c53c219e7c5bb8cfc8186df2225025a147648ae686a63346afbff8ba4f87ea338d9c4089ad88253a2cdc7a04e6daa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b898d3d04c1658ae08723a9bd68646b7

SHA1
a64d2ae026b4a2ce0ea14130a1f5bef1b5831441

SHA256
9bcbca9684ce8c890bfbb2672f75de945dc89d721863e238b6694bdd9601fb4b

SHA512
1caf4825868fdfe9f51dc4e5c49f2f5fdae6a7dd974f4e76c446b74c90dea58ad1510554f8b8164345caa4d5501c57f813edb37127f388c001b8c62831418dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2f6f03d23276e6724e49f2c928c21c7a

SHA1
4388a4fd6665baa01e8731c51b09c9ad89784470

SHA256
48f0ea1df690e0987652de6d7310e608fbc3e2e1da4db75c9605855989353b8a

SHA512
6bb4a970383fe5f7ed3c356195627b2a0cbec0b0939064e6f224c547be17de236460e99273ed42539831e01954f6681a90e958eecbc0cafb5bc5dca9446510c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d242ea6cb08b80b62d359a9bdaf8f5e3

SHA1
53116220d2e62de2b2c0529164cf33644d86bcb7

SHA256
932ece524e055eacc3c91fb0712324dcb8eada0f39490eee858a954541794683

SHA512
7a3afa2199cc09fa817606830a6a56e746f13df4726780afd568fc2152f061c4f44b668423069e7274b94702879ca5d41709e1f853f979595973a75daa2f46f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
911f039f11c1631d3531ffe1532cd362

SHA1
44822f0c52d32acd9a76abd1bec489724a079099

SHA256
978840d1453935ad611667cb0a1923a845eaea925ef367000aabddfc4e25d22c

SHA512
6ae794571a75c30a06dcd0d8d76b14cb3cd7ba6a260f6e9266e84c1caf5580df2ab06d3f780781bbf0a12f1cb7888d7ba582654f25d82f34b2d0d2bf197cb9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5c2caebb0e1354392411ab3f5e080917

SHA1
d40f4630292466d71366398ed86a84e5284c495c

SHA256
45fdb67b96f0e45a7338d0eb5d2b0476b9ead54570d472a1874fc7ed240fd2ba

SHA512
0c6ddf77509f4b8aae01077a3ddae4b57b4dadacf75111ae17119fcd7bbf39c10215acd5b1cecff37ecd6c9072f18c19b08707a1c7a940b1a3d0ca92933827df

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
332cc996df365c3258dd5e6731b593e4

SHA1
18c552d03a7e99c5b06aa0b46c5813176dfc3b2f

SHA256
36c8759ca9828ed3ef8b2517148ffc5738435a876a7fac09fc825a1551bc6324

SHA512
330aa965c91a8a29a3932b69a102bd2b00e259d3b4743e49f62069904b2710f907cecb1bd376632b84e1105f388209eb71b04361bd042b0265208fec6685e885

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
593c477707c65ea1d7cfa55da44b8146

SHA1
f03b6534e183ebea95534884a6671a186a14f658

SHA256
c75fdf2c2b363878552ce4d38bc6d7e6a5a82a719559a2166558bed41d675a15

SHA512
a03297ab32000d1b91ebe5c1adfe569d9c71a13ea578ede9da8cedc41911578fdd711a950c2d05fa0e8e2697ff1361fa16c5222787b3c1b1157d4a6710483af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
93c92ba3f13f68ccd13c168662d04caa

SHA1
ea05e0c383e881009a6292542e66f54aea678d35

SHA256
3820d2e6e18df19171a7d0c6c911d5ae4639bd17f903dc1d5abee52f66cf5706

SHA512
f4eff08b5360628adcb6303b314dab5b0c6bc791770875826f21bd4a4027ae66a1c909048fa26a09625ad0bd7619273a728fe63c206a6026f3f5ec7a6f4ff2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fc29fbe3633b4cf8ae0f25143cef82ca

SHA1
489d4dbeedbda49baa471863045f6af797973f61

SHA256
3d4e79986bfd4051ea71f9d85b5cb55a66ab2f38bb1df791d970fafe9d9713b7

SHA512
fe2d05018db2d549764e7c4c352426a45f77aab89770189f85e4615d4cd0bc1fab7a0782b00efa41ecab95a8d3b95fd752b8fd614a55c8b5b1c01593be854fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b169f2dfa642c2253bf485d8da21060c

SHA1
18727e93810bf8018404a14ba261e17c492b220a

SHA256
b081180aecb3910a831a416bc77d401a1c5a7048eb3f7d316f36fcd6f8d3c824

SHA512
8e661536b9883ce98fe68ebfe0066e25efb5165cd1895bcef5e6711f78f469f0ea7846c1a471f4839a26c27bc85c13c90c7b554b29bcb24d8c122eaddbeed38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fbc116362fdc40dcc7bc5c7d32e1fc47

SHA1
29b0321eb4d37fce66ed55070376f550e07168d5

SHA256
c9d9efac3fb0605387e5a0c73ee1f27ccbad23c5eac640541067fd1a9d1fdc88

SHA512
2c4147d339b99b2046f1a144267c9309fb583fd5e427fb2d40bca800bcdcba7afb93e0a72c7a275d87e0b6fc13e154c3b1565a724f4d7e5f1b8332f83156832c

Download Submit
memory/2396-49-0x0000000005500000-0x0000000005508000-memory.dmp

Filesize
32KB

Download
memory/2396-74-0x0000000005500000-0x0000000005508000-memory.dmp

Filesize
32KB

Download
memory/2396-129-0x0000000005810000-0x0000000005818000-memory.dmp

Filesize
32KB

Download
memory/2396-127-0x0000000005AA0000-0x0000000005AA8000-memory.dmp

Filesize
32KB

Download
memory/2396-142-0x00000000051D0000-0x00000000051D8000-memory.dmp

Filesize
32KB

Download
memory/2396-126-0x0000000005800000-0x0000000005808000-memory.dmp

Filesize
32KB

Download
memory/2396-150-0x0000000005810000-0x0000000005818000-memory.dmp

Filesize
32KB

Download
memory/2396-152-0x0000000005940000-0x0000000005948000-memory.dmp

Filesize
32KB

Download
memory/2396-125-0x0000000005280000-0x0000000005288000-memory.dmp

Filesize
32KB

Download
memory/2396-165-0x00000000051D0000-0x00000000051D8000-memory.dmp

Filesize
32KB

Download
memory/2396-122-0x0000000005270000-0x0000000005278000-memory.dmp

Filesize
32KB

Download
memory/2396-173-0x0000000005940000-0x0000000005948000-memory.dmp

Filesize
32KB

Download
memory/2396-175-0x0000000005810000-0x0000000005818000-memory.dmp

Filesize
32KB

Download
memory/2396-114-0x00000000051D0000-0x00000000051D8000-memory.dmp

Filesize
32KB

Download
memory/2396-113-0x00000000051B0000-0x00000000051B8000-memory.dmp

Filesize
32KB

Download
memory/2396-128-0x00000000059A0000-0x00000000059A8000-memory.dmp

Filesize
32KB

Download
memory/2396-72-0x0000000005630000-0x0000000005638000-memory.dmp

Filesize
32KB

Download
memory/2396-64-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/2396-51-0x0000000005630000-0x0000000005638000-memory.dmp

Filesize
32KB

Download
memory/2396-0-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2396-41-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/2396-28-0x0000000005500000-0x0000000005508000-memory.dmp

Filesize
32KB

Download
memory/2396-27-0x00000000056A0000-0x00000000056A8000-memory.dmp

Filesize
32KB

Download
memory/2396-26-0x00000000057A0000-0x00000000057A8000-memory.dmp

Filesize
32KB

Download
memory/2396-25-0x00000000054F0000-0x00000000054F8000-memory.dmp

Filesize
32KB

Download
memory/2396-24-0x0000000005370000-0x0000000005378000-memory.dmp

Filesize
32KB

Download
memory/2396-21-0x00000000053B0000-0x00000000053B8000-memory.dmp

Filesize
32KB

Download
memory/2396-19-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/2396-18-0x00000000052D0000-0x00000000052D8000-memory.dmp

Filesize
32KB

Download
memory/2396-11-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/2396-5-0x00000000046C0000-0x00000000046D0000-memory.dmp

Filesize
64KB

Download
memory/2396-603-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download