ffdroider | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Size

1.2MB
MD5

9b55bffb97ebd2c51834c415982957b4
SHA1

728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256

a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512

4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2
SSDEEP

24576:0G9h7lhNYhemeqcCLtbvL8iNJqzM3cITaF3+pJiP8LXloL5113GrfhM59ta:0G93SemeqcCZvL8i/qQ3ccJiPiXOL51C

Score

10^/10

ffdroider discovery evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/1808-1-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral2/memory/1808-505-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1808-0-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/1808-1-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/1808-505-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1808	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1808	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1808	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1808	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1808	9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
534d10b23759bf033c06290996225779

SHA1
e42d289e99d19887cd7fddfd74a03c28f1b3423c

SHA256
c05818eac34fc04781c2664040d9910562a972d66f8c720f8ec081962b86233c

SHA512
b720ef41da05c4daf5be890226a3c50f3a9ebb68dc40357d03f5d2b277d14cef380366a16c4b772de0b360052165daf2d058cc40bc77c1ad181487b68e9fe0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
49KB

MD5
e7f6610e84289a048bf523f1493ebe4d

SHA1
30ecd3c3fa788069b2b1de9e3a4a5eab988ef56d

SHA256
04dc0791cad8670485e560be6a9c8e03198ebd26cc33901815e6e0295b79ba83

SHA512
87f8a9fe3288e17d01cad54c19baff94de0b47186437a2957351525d6cf198b2070b1b6aba891455260233249bbc23ea9c40223e98f67490f57b33b30ff4af3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
54890b304003af6c00c4b1be0689068d

SHA1
1459e0b746988f1166918e7a283b4477ab009024

SHA256
399539102e89d5eaa8a12a5abea85591787e4ceaffb9c8cd0c65cb9d935d3586

SHA512
91a6c2a7a1e59441830514aebcfbc826b0d76ca5c3b07cc94a38c76c051443dfe765359215d02f5a81c9c4edc567120a6edce5d664c13e2690bfc7a775673121

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a2f394a108f08452ade3bb46d4f4b3ab

SHA1
163cba4b72a06edba974c808f9380a965783c2f3

SHA256
55c31b1cceeaaca7fb04da06aa9ab6cd3a7ad7e3b851a5420347022edd702c19

SHA512
69dc86779cd2057debfc2aef2a7a0149c8de0a1f2521127fef6d42780d27deaa44f9e4d059e8478f186187bd830e363ee52f63ef14ac7d778ca9e07b792ddf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
18d0aeb9f2ddf60cd90f689569e032cf

SHA1
87a3ee174aaa715eeef608f82ec06b6fc9f36873

SHA256
274ff773b1142c339f2be94821b06586518e5310b8704ebfce315348a4c0b570

SHA512
50aa428b0868f51f037fe0afe9af0e004398d4e7dc423baeb563cbe56ea09e56b3ae260ccdb5f755a008f847812b6978d6b41f2dfc8d801d26db22cff2a95bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2a80f52aad5f7cfc9a27a505d83d3a76

SHA1
9a8c05c8f525fe9c54a4dc92b6f7797a2e6f390f

SHA256
f2e3a3fbf44b5a018230736c8e6bf1f8818927de1226136bc436158e274001da

SHA512
1643b7d1a93a8af7d571def42f4a4c884d343f36b22cea5bbdd2edd7afb842204d4c43ad46a0f4547a9235315fed6553f59e5267849fc32436b2b7a33540ee08

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6ec42423ea570b4010582dc6bf7cf38b

SHA1
d04151197c0fc5959de9230bd58c477108cdaf18

SHA256
f894d3515077013379ce56a0549bfeffe36166c1c36214df69504e0f1b8566f5

SHA512
2cbccd525b24035bf0e2a7efe22b2247385e27fe442c524a466d5bb2e00201a22a2187fe7b717bcddf46d299e388edf59e6f7b16099957450496acd68776fbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
853291c0aa2d00d3b8f5df4ca5acb31b

SHA1
45afd8d24cf572fcdaf9dff4e5b07c1f8b8f7937

SHA256
440a1fc796320dbc7b7e9f28131bda353c1b5f3adfd20a71f462e4afa3537fe7

SHA512
b1fdb186c8ef303da855db80f6eca0a50c7b6d3dfee945c12a800e7484eacc154dc575ae0b7f791ecb7cee27a62b0c603af850f729437c88da696996bf35c1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
41fc58c752416baa9c1c0f513965bf81

SHA1
4abff7c644c792fda0e1130b6a8ef76427ba2a60

SHA256
fc0949635f1c67136f6bd3efe9d21e239b19156518197b8a448a098c96d80c58

SHA512
ecad31d4742f8696ce66c76c8ac702ddd7504eea738cf075a076c300fce8fb9b0e6a54842a262591763ee80a6005aa905fde1bed4bec649a0087d6c2b122421f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0da345ff548f2138ed5c29994eb220f9

SHA1
4f435bf91d4f747ede722f8df3c8a92ddcde9394

SHA256
a038ca2b6dc625b6a5babbe51d77e4e545b6d2f608a595d71660994082353756

SHA512
3ace22f81c248f9892986e1d36e24e68e853c66af100c9b2d4022f47dc8a980ce0febf1e10dd1e58ab24bf92a18c6b5d6406a1c32962a9c72aae2bccaa63670e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cff22a2b9ee1c8892ad443d4daf893f4

SHA1
1139c5f368624c25756307dd319223ea5cf41cb1

SHA256
f09c1c3b95c4be379f0b15d5e6f849b4af14d4a3d23fc5ff8f0e6c5930ad3982

SHA512
b492eae2301e4584871bc5456a4d4e10938c378386f8aa6e1c20a4a4cb97da786358fb3c241bb40cc9328ec90d0b7bb7b823fe454d28a7d953ad0935f3c6e147

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d1c7e909e692573a58b0e75b07c7c458

SHA1
b09ccb0de520f49eb5d0907a6a103084a8f17067

SHA256
d2f0c9fcefbf01e52be23907b63e8f42df72c5017e684c10e600e043d1d501df

SHA512
25ae4c992a09b540f7b0428778905e81f6a32dbfe571679a8b5b7daeae322b51d7204fc1a795063dda8f2e1a0c9c0a2f779ec20edc32b25326228271b3789fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e4ab27eb0b1d6204313dd1b4bab773f7

SHA1
361e5fee61ae53803fcb9fedd8c17c9ff3d38110

SHA256
ef9d9dc98a260fa5b888a78dcc478cd2bf6a66518cb15a3909bbe67bfa789c35

SHA512
ffdfe98e147bd5db44584f87e91d2c8c43586b48ebd3fe5fc638316bc02e77ab0d1ec051bec52a4c9bf6487b869129470ff74d1cfb285f59629d4accc4eb6660

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
64027799f6da9b74777b1a6cf47f4d09

SHA1
262683f9c79cdc9a5e3b512257001adbd39e96c4

SHA256
623417564f277b43ff56d6aacd2cdfede43abf8162170fa3026b710bd6247b80

SHA512
bc6ef6d038c93b12e948b46c0c3ad0663930142e9e6b6a4d3d1886781acf5810668bc1145524edaabafe44f7796b9c654ea2532aca5a5270f101180df4c0df0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1d06da831b06db0b2107db40fecc170c

SHA1
9e4ec4ea1237fe267f71ef5bf70868bc9e6c70b9

SHA256
67a3bef64f43b0e6d96dcdfb5adc9dc16c58ffd8a528f832506ccc55432f5b77

SHA512
56ef26c0cac18575f1d9e7d5486ed74188bd710c0591aaf42670c90029eb4fba0f5676f60befc5c3310ecd230139ef295c8b5b120cdad2a289efb8a584201f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5d6734e830279856de605cb89bbc10f5

SHA1
919bcdc4a6de63b0a4400aac02b0d5d052ea1ab8

SHA256
4eefb47f3add20248716515c3495205879eb10a582e181c07d0421181f30efcb

SHA512
b3148739c263de6c7f521beda00da9b86f390a5c2aa7524952c2b7ccfab08f12ee992cdb4f5fa7437c8334c9e92d0877366565fe6f32fb4dfbaa44c4842b2098

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ea8091a1de4fb209d485b5daa43ba415

SHA1
9568215162971b84e1904de1e30f5421d6bba694

SHA256
3febb90f4295d548dd66457b39035d489ae0ae5782cdcf13f4e7f7b7409fdacc

SHA512
c4c39ee2d671f4bf30d47daf4fb9cffa4f912f73ebbd63ac392f2c40a2c7f4fd15756e537a0ac76e221fcc59e42b8e986587594c2bf80b47aea2a292a3c5f762

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
86adb51f81a1e3360e93755ff5796bd0

SHA1
94a1aef2cfd664018741303323293832b6b994c4

SHA256
ab931d6dabcaa4236b3e4935c047e7071c0368d5be688df5fb1eb5c0cb882c1d

SHA512
6afbedf506f2f24e12ba68662e4369385b1e29f8a82e201464f0de72fdb036ab10055cb056dc2b95882cce11ca290ab034dc46831e151a3b53a5dc58d4f7481f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2c9bbdf80306f46b3ad824d643cf0ccc

SHA1
574b56ee00472ef19b53d212b23d70c9ffd01786

SHA256
1ed5aae93f796ccae1f1160142fbaea0b4356474e2fe4e5c6ed08d7f51a695fb

SHA512
f37c1d2f7746715bb7bf41a10c3c1ba81f619d86d01b159426e65fd2ea0b3c06a471156a695986bbc82f484b20f2812d2f3d6a41d4016ced6b69f521677a922c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1e3504e3f4627b6ba8d9a71c887f85cf

SHA1
17896b3ba1fce3675d16278abee91bda5cfc4f90

SHA256
748c52034534e30655ff29e22fa05fb24ba8589e028d40afecf2a17c8ef214db

SHA512
df504fe4ed4909f661e90485499d61a535e7e82ee4733a201d94e7fdfbd8e259f607b876666b73b795c66f6a9dbefcb20441fcb512f253c0cf7fddc9ebff5b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
199439bd7a897c425c9186ed27653810

SHA1
05120bde847e2febda0d56b67aca9033c7ba93aa

SHA256
df58c9cdc981f7680c210a6b7c592beb8c2f2a5ee0066e3d17dfa2284f3d2fbe

SHA512
800ad3805bc1b6dc3e7b3f0a7595a4a6bb5ee8de807bc273d8a94eb89a3e6934ee71e62c975732fed1790db0de897e9d06e2254c6c877bd2800a8425ee05e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0cc5201e15c594cdda2d76b8133acc78

SHA1
ca7e254ecdb50802b7b95a6406542fc50e90e1a6

SHA256
288b4625a23424060fde4662e769bb5f61475cca2e26e3e9e40408023d3b383a

SHA512
dd9837fd0d6d2f3715e91033a103c3b37d663d25e8ac7d88a31f9bd9ce7c6389805850b386dda50d246c63b3cd11ee34f4733c4d3c9d5c12350f953494596271

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b8d32f99a4f53e7e70a43fb54dd13a13

SHA1
310842abbc4c7613c8f8a8a1b46a9011ed1efb60

SHA256
687c272cf043f432fddf7270cb037bce4e8c58109a93cbdd580a8584786221a1

SHA512
cd689c805d47587b3c0325dead19bb946d4637860dc1f87894757c9a4359ee77e3e6c1896abac4bd91857a8c827c63f1337e82c560935263ab2db3a3b5e659eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1324ae2dc5e25fe2c9ad09aaa4556445

SHA1
b3a4ce159c0fb15969e58bf4553aaae1b14f2c3d

SHA256
7c314fd9b99b9eb50e04df651d57a6f3e273e2a5f963956927d1087983187d95

SHA512
8b4ee0d3d1f8f002f553302e288d35ea4d9eb5c5cb10235e3ed415b59ef1b88b600d9a719e59ff0f7008659eadd2e44362c32f55c8353df77c3d4dac7de75083

Download Submit
memory/1808-43-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/1808-66-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/1808-152-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/1808-124-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/1808-167-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/1808-130-0x00000000051B0000-0x00000000051B8000-memory.dmp

Filesize
32KB

Download
memory/1808-129-0x00000000052B0000-0x00000000052B8000-memory.dmp

Filesize
32KB

Download
memory/1808-127-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/1808-154-0x0000000005150000-0x0000000005158000-memory.dmp

Filesize
32KB

Download
memory/1808-128-0x0000000005000000-0x0000000005008000-memory.dmp

Filesize
32KB

Download
memory/1808-131-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/1808-116-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/1808-115-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/1808-74-0x0000000004C40000-0x0000000004C48000-memory.dmp

Filesize
32KB

Download
memory/1808-76-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1808-144-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/1808-30-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1808-0-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1808-51-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1808-53-0x0000000004C40000-0x0000000004C48000-memory.dmp

Filesize
32KB

Download
memory/1808-21-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/1808-28-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

Filesize
32KB

Download
memory/1808-29-0x0000000004CB0000-0x0000000004CB8000-memory.dmp

Filesize
32KB

Download
memory/1808-26-0x0000000004980000-0x0000000004988000-memory.dmp

Filesize
32KB

Download
memory/1808-27-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/1808-23-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/1808-20-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/1808-13-0x0000000003E30000-0x0000000003E40000-memory.dmp

Filesize
64KB

Download
memory/1808-7-0x0000000003CD0000-0x0000000003CE0000-memory.dmp

Filesize
64KB

Download
memory/1808-505-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1808-1-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download