ffdroider | 0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Size

3.4MB
MD5

99ca4fb276c60eb9c9a57c168d36d9fd
SHA1

2f1451025754967e328337bd21498fc991bdeed7
SHA256

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442
SHA512

1469cd4714ef8afa9293f77e61207f0ec0a65e947f1182fce6f7557529fe517de20fe7ff2ab049b74c56de2d82eb9edae5fece7a87a67e0ccfa86f86ef757aca
SSDEEP

98304:qaKslt88xE2TXCzBA8intj5IVySsKmj+OO8u3:93t8+UFAvjCiMV

Score

10^/10

ffdroider raccoon discovery evasion spyware stealer trojan upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4996-76-0x0000000000400000-0x0000000004801000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	proz.exe

Executes dropped EXE 4 IoCs

pid	Process
1376	KRSetp.exe
4616	jg7_7wjg.exe
452	proz.exe
4996	Pas.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	iplogger.org
13	iplogger.org

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b86-63.dat	upx
behavioral2/memory/4996-71-0x0000000000400000-0x0000000004801000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg7_7wjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pas.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	KRSetp.exe
Token: SeManageVolumePrivilege	4616	jg7_7wjg.exe
Token: SeManageVolumePrivilege	4616	jg7_7wjg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1376	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	87
PID 2808 wrote to memory of 1376	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	87
PID 2808 wrote to memory of 4616	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	89
PID 2808 wrote to memory of 4616	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	89
PID 2808 wrote to memory of 4616	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	89
PID 2808 wrote to memory of 452	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	90
PID 2808 wrote to memory of 452	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	90
PID 2808 wrote to memory of 452	2808	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	90
PID 452 wrote to memory of 4996	452	proz.exe	91
PID 452 wrote to memory of 4996	452	proz.exe	91
PID 452 wrote to memory of 4996	452	proz.exe	91

C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
"C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
  "C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\proz.exe
  "C:\Users\Admin\AppData\Local\Temp\proz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
207KB

MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe

Filesize
534KB

MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
e3edf698087730b436e020723c1c27af

SHA1
b22d4556e86379d44dc3884dd75b0f59fbdcebe4

SHA256
15a66fe7af56f8e19a832ef5cfb6908669e8cf1d2c35f54fb11b130013908d8b

SHA512
e3209cdc8a34a92f1d2540ae711424c2033de39b503929c338359980eab9d94fa42f2260ecf4efc778d00cd1ab4e2b3677c747f5a4a2ac60fc4670a4d355f505

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e88cb4373e9defbf9af629b1e1945b81

SHA1
5c74830edeb963145bff15650bd9b01487b3d45d

SHA256
4e2d68eb5d9dbb722ecd64ce7b68b0b8f7a9278da011b6d9733e845717af5796

SHA512
d0da649881f16531a22db88c2ddb295b243716842fe04e798fbf165e1020881e5efc8d72f13a0b4e8dede2a71b452a4bb54e3f5bd38fa99050a98074cb5da670

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1d86f19b7d2e46cd8d667e743524d640

SHA1
0e9dc662c86bef811dd001184bc46f6e68dac15d

SHA256
9cd90b7225dd94b362858c53f3fd01faa9cca48975dc21ab237468534b3fa963

SHA512
45d01b18476d12939f7c68b8e0d341ba0438d0e4e0c5b9d6d0d3e4725ae208c4edf1d860297f772fca60eaee038fbb4b8bacf4a4fca618077803f0e11b6c977f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7dfbf902a752868c8ff183c3b20aa897

SHA1
7a8ff02afeae2ff4ae6df9266795122f9cd5ca65

SHA256
0da72a97c0babf03401cb5befc48bf3fd60922793e85c01793f5b3014d44132e

SHA512
62324a94f9a64b81403d0cf78cd32ad1e7858b4c504720e7ad49052ffd1272dd2dc902c3e678f4b00042dcb612bbadec145cb097a62e24bbfee7f653d26aea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1bb8b9566b7646378027b70b06788a60

SHA1
a5ffae5e844f176c1eae4d5fc9ef16c9d0449425

SHA256
517960b6390dfb52ea81883f98ec500dd9a59e452546d8c81983f17eb1f4a205

SHA512
7b39e2beb88911542b730714f9c6bc452ba6b33406fdd45d2346d35eb6aa0dad0ff9a20f7cf14b9c34ef15ffdc72ab579479a73e0f9b8f330e71c85917ae29bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fde9886979ce30e0ccdac4784aacf0d4

SHA1
1b4813632aed6923d17729b316535e7d3fbaa3ab

SHA256
4545b6eb1684835f8d6c85bdf2841f4908d613c7f346da3a68261b1fa94a461f

SHA512
33ea34b0b3491131981db1a7775c1442a2a933d8c1c8d7d1476772644633e7686270e4725c56dda32d6f52e6702e74e0a89c99744f2b5803e7596a943c6951da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
db8ce8ff976cdcfa4be51735f716ce9d

SHA1
14dc235a3f3ceed0b1960135c16486065a6618c8

SHA256
af03a07c09e57fc1daa6522069c47d0fc5623588ac768014c245cd63c76df203

SHA512
b30e4199fc90b55a8ad8b80f29d7358532ffea03048469d4e503ccc31c0e68b7961933c0ed4c3f34b28abad184f18eef8611a390b5caac4438d3f18c1817a34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ddc4dc2fd4bceb4afd340132b90541c7

SHA1
714f49040b9d69c333d65e10d81900b45a89108a

SHA256
4d53dff75b9715a9eb9030d7ecc1bb2bafc5c0e001f7a0123276998acff570c5

SHA512
04312ec95be3e58e522e7e782b4d832a41f06c72997074bf5a20ea43cf1f0061657cd34b53d41347a546f89bc27bc07a06e3ebf8807fd9924677cc4ac5bdaf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
24dc3c2f4ecc102ab28c9c620d549fc4

SHA1
74beeb5946078ee69f107763b206dc593457d746

SHA256
65884ad234393ec3277c7b9497f277265abc38bf00e17a116c85ad18ba40232d

SHA512
ea12a73c142f9f106bf87c41f000a33f0486bc0de4bc1cd7670d03d7bcd70af8e9fa6e5acb688c0dd096e0b95ecbd3d8e802ef655998791e5e5e015b91eac047

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fba64309d651ebe6c9faa3ebf5b4f9f9

SHA1
d6626946dc851e58f1d6ca8268f6398dfb66c45e

SHA256
602c88e90fc7e0bd6dc9869e757e1bd81aa7874c8e856a75cf1de817e60b28f8

SHA512
8cbdf7fcda587a433b2353a8c43efc4a0cb168556c311cdffe59d4ec65cd138dbf3bcf1ade86f5fbe261b5101a7a39298b1b3343d3f28741f5879cdfd78a685d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

Filesize
545KB

MD5
2a6699d3b8c242efc377879d41b7d8fe

SHA1
8c158d6f7ebd3a4db2f287efb4fe85914ad0ddf4

SHA256
ed9774db908e75850dbf85f665f1fc6a7ccf3c8a1ff8e22375860581fe9b8f75

SHA512
038f0311b8150b33bd6a5851c3ff06b8b6723b519ea83c1f5c46bffc61ab7f459b5d15717a461f5489d0f63a1644336778cdc7ba22e0e3dc51ef019e87ab39eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\proz.exe

Filesize
669KB

MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

Filesize
95KB

MD5
b67329b80bfd63ade39502ed2bb40461

SHA1
938241aa090691a8ad760daeaedceb1fdad25060

SHA256
30836e6af2e56811bcf49cf312182a570a0be7a2c7bbcf09f444ec88d13758fe

SHA512
3af16cc8642dddf768890f6aedc699afdacf3ff0bbfb94cf2d8013cf36f9ef6c766bfd9bac890e3c903d7f1ae15facb6e4d611f509a736bcb93898b2ce4f3395

Download Submit
memory/1376-56-0x0000000002780000-0x0000000002786000-memory.dmp

Filesize
24KB

Download
memory/1376-55-0x0000000002750000-0x0000000002778000-memory.dmp

Filesize
160KB

Download
memory/1376-52-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/1376-54-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/1376-43-0x00007FFB67DF3000-0x00007FFB67DF5000-memory.dmp

Filesize
8KB

Download
memory/1376-49-0x00000000005B0000-0x00000000005EA000-memory.dmp

Filesize
232KB

Download
memory/4616-102-0x00000000046B0000-0x00000000046B8000-memory.dmp

Filesize
32KB

Download
memory/4616-73-0x000000000056A000-0x000000000056B000-memory.dmp

Filesize
4KB

Download
memory/4616-100-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/4616-101-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/4616-96-0x0000000004170000-0x0000000004178000-memory.dmp

Filesize
32KB

Download
memory/4616-103-0x0000000004520000-0x0000000004528000-memory.dmp

Filesize
32KB

Download
memory/4616-94-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4616-116-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4616-93-0x00000000040B0000-0x00000000040B8000-memory.dmp

Filesize
32KB

Download
memory/4616-124-0x0000000004520000-0x0000000004528000-memory.dmp

Filesize
32KB

Download
memory/4616-126-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/4616-86-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/4616-139-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4616-80-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/4616-147-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/4616-149-0x0000000004520000-0x0000000004528000-memory.dmp

Filesize
32KB

Download
memory/4616-280-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4616-99-0x00000000043F0000-0x00000000043F8000-memory.dmp

Filesize
32KB

Download
memory/4616-189-0x0000000003FB0000-0x0000000003FB8000-memory.dmp

Filesize
32KB

Download
memory/4616-188-0x0000000003F90000-0x0000000003F98000-memory.dmp

Filesize
32KB

Download
memory/4616-197-0x0000000004050000-0x0000000004058000-memory.dmp

Filesize
32KB

Download
memory/4616-201-0x00000000041E0000-0x00000000041E8000-memory.dmp

Filesize
32KB

Download
memory/4616-200-0x0000000004060000-0x0000000004068000-memory.dmp

Filesize
32KB

Download
memory/4616-202-0x0000000004280000-0x0000000004288000-memory.dmp

Filesize
32KB

Download
memory/4616-203-0x0000000004290000-0x0000000004298000-memory.dmp

Filesize
32KB

Download
memory/4616-204-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/4616-217-0x0000000003FB0000-0x0000000003FB8000-memory.dmp

Filesize
32KB

Download
memory/4616-72-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4616-225-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/4616-42-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4616-50-0x000000000056A000-0x000000000056B000-memory.dmp

Filesize
4KB

Download
memory/4996-71-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/4996-76-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads