ffdroider | 0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Size

3.4MB
MD5

99ca4fb276c60eb9c9a57c168d36d9fd
SHA1

2f1451025754967e328337bd21498fc991bdeed7
SHA256

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442
SHA512

1469cd4714ef8afa9293f77e61207f0ec0a65e947f1182fce6f7557529fe517de20fe7ff2ab049b74c56de2d82eb9edae5fece7a87a67e0ccfa86f86ef757aca
SSDEEP

98304:qaKslt88xE2TXCzBA8intj5IVySsKmj+OO8u3:93t8+UFAvjCiMV

Score

10^/10

ffdroider raccoon discovery evasion spyware stealer trojan upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral2/memory/3748-74-0x0000000000400000-0x0000000004801000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	proz.exe

Executes dropped EXE 4 IoCs

pid	Process
2384	KRSetp.exe
4876	jg7_7wjg.exe
4232	proz.exe
3748	Pas.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	iplogger.org
12	iplogger.org

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023b7b-62.dat	upx
behavioral2/memory/3748-71-0x0000000000400000-0x0000000004801000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg7_7wjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	KRSetp.exe
Token: SeManageVolumePrivilege	4876	jg7_7wjg.exe
Token: SeManageVolumePrivilege	4876	jg7_7wjg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 2384	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	84
PID 4180 wrote to memory of 2384	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	84
PID 4180 wrote to memory of 4876	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	86
PID 4180 wrote to memory of 4876	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	86
PID 4180 wrote to memory of 4876	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	86
PID 4180 wrote to memory of 4232	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	87
PID 4180 wrote to memory of 4232	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	87
PID 4180 wrote to memory of 4232	4180	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	87
PID 4232 wrote to memory of 3748	4232	proz.exe	88
PID 4232 wrote to memory of 3748	4232	proz.exe	88
PID 4232 wrote to memory of 3748	4232	proz.exe	88

C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
"C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
  "C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\proz.exe
  "C:\Users\Admin\AppData\Local\Temp\proz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
207KB

MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe

Filesize
534KB

MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
c6f888b0f5ba7bb3fa9841aab90a7c02

SHA1
ab273b1929ddd632b4da1f2356f7bf6765983b21

SHA256
fba8ae71be0632616dfb80f20c6e92960373f8bef8c41b1676e6b929d3149a8b

SHA512
42fd4d3d9c6fa2e055d4578bdd0a22abfd5252df39049105f3164a57d0b0497b84f481997fe4aaa416643cf01b71d28c1a36d630d7f5ba8bfc8eac3d1c369594

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5ce11b417e70ebc6ee6ed1feb00dcf41

SHA1
8b239fb2a726a7fbd653ab13091b7ffdef576b02

SHA256
6307ea7b238da7991b12cfb5a607155f1ee3ce72ccbfb67fffb16f8f56c1fd96

SHA512
f3c35ac7b8edbc932973ad00e3174c8147d43bdc6261711ae75d6b98dae0f061f2448175550fac73f34a3066210b587d25ffa0b5329f192fe376402a8fd39ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0be0bb244a9ebf0fa0fe0b88c727aa87

SHA1
ee1d7bf23e506651998dad8d42ffda89c8bbdd48

SHA256
bae85c0462681ee9f175f1f8f7aa00fc344a5b175179e1b972ada4dbdd0edd56

SHA512
77bfb920f5490c6e55058435de70b79b6d70ec3c25bfb56ebb6b388d0ac950badc999936f678b53dcfe57c708a0ca47b67903bb2092065a8c6a3b5b1e57758aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5b5e9945d327577632a5e9772aac3c64

SHA1
b519a77f2226d0ff1725842d3514b6634d88a2f9

SHA256
bcf5278acf2bc327454884f5a5926cd1d864108a043c420ee8604614b4a6b187

SHA512
b6db5c80450b032bb22814c7956ef5c68567a31bd22ccfba8a0cb364c3c773b95b77f85af0f7da0725b8acea56385dca912197301429963a57fa8759b03ff5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4d2b68c0d54681231968937ab7905c15

SHA1
7f3c08e92a97e4cc92a95eec2235ddb41f156653

SHA256
baf31bed8ac6da1e63ec74804566849502979385ac2130994365524d9c0e5fe3

SHA512
2240ad3a1317b2c5fc3ab587a64456ecdfb6a09c9d5eabdc2952cf8bfc97b6d7c122d9a60161ed4dde49f0ef3003fe88759283e72eb941a05da2db06e2f9aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ddb27746bacb4ffe795a4235d979e671

SHA1
3cd42689855f6e1ff6fabae6923275af8b9f0594

SHA256
fa9a2b1a75a89900a27b0b29b215abb84587a9a49697bbe42278197ea035d3f3

SHA512
a8124e8e984204e577db6852ecb7ebbd8ca2bfe710d93fbce75ba86ca73575040112642505a8091098b241d90b9aee7aeef77ef420afcba9c2d79f668bf48133

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
10709c849111f4c8c99ff12bbd24f2af

SHA1
0fc11911297c508cb3570e860a6f07ca44232e96

SHA256
241f53f51f29327d3c72ad2632cfc30de3563ee39ff87f872e15b7b5460018a4

SHA512
08f5232502d80e64f20052dec0a5f438cbaff48218cc3644ce098be019b3a5078ba377e9f6e25dccfd4f7f192baaefc525bd2893fcbf1640332f23eb825f844f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
76a41d7c83721a1f6950a2f4b19897e3

SHA1
e562b95d9490c09991352ac38d66e491a0ad7b3c

SHA256
276f20670c3686a19f070ff83361f919d93c746828b0223e95cadfd6c137aa4c

SHA512
03d8d87501fde17803c820cf9c6a90165b2f2b310896581878b8b49a3301ac048413646b4a506209970046ddaa9d88dd046379fe72ed773c81bc1b73f295583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f95e8351220d760950ba107d51a115df

SHA1
33885cf96f2c5438fea0b37eea1a83dd29ed99f9

SHA256
0b740d6e485b7b9340e9ae67f5631da52153557a8135cd454f2aed9ed22c4847

SHA512
46fb44710b22332e2d31f2df0c3cc421a538a0818a027edd07ff49169641253154d929c658bc1360163d42b32b32b32d3ebc3178418b25bef6fb16896afee921

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

Filesize
545KB

MD5
2a6699d3b8c242efc377879d41b7d8fe

SHA1
8c158d6f7ebd3a4db2f287efb4fe85914ad0ddf4

SHA256
ed9774db908e75850dbf85f665f1fc6a7ccf3c8a1ff8e22375860581fe9b8f75

SHA512
038f0311b8150b33bd6a5851c3ff06b8b6723b519ea83c1f5c46bffc61ab7f459b5d15717a461f5489d0f63a1644336778cdc7ba22e0e3dc51ef019e87ab39eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\proz.exe

Filesize
669KB

MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

Filesize
95KB

MD5
b67329b80bfd63ade39502ed2bb40461

SHA1
938241aa090691a8ad760daeaedceb1fdad25060

SHA256
30836e6af2e56811bcf49cf312182a570a0be7a2c7bbcf09f444ec88d13758fe

SHA512
3af16cc8642dddf768890f6aedc699afdacf3ff0bbfb94cf2d8013cf36f9ef6c766bfd9bac890e3c903d7f1ae15facb6e4d611f509a736bcb93898b2ce4f3395

Download Submit
memory/2384-59-0x0000000000BF0000-0x0000000000C18000-memory.dmp

Filesize
160KB

Download
memory/2384-67-0x0000000000C20000-0x0000000000C26000-memory.dmp

Filesize
24KB

Download
memory/2384-54-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/2384-50-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/2384-45-0x0000000000410000-0x000000000044A000-memory.dmp

Filesize
232KB

Download
memory/2384-39-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/3748-74-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/3748-71-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/4876-101-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/4876-186-0x0000000003F90000-0x0000000003F98000-memory.dmp

Filesize
32KB

Download
memory/4876-100-0x00000000046C0000-0x00000000046C8000-memory.dmp

Filesize
32KB

Download
memory/4876-98-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/4876-97-0x00000000043F0000-0x00000000043F8000-memory.dmp

Filesize
32KB

Download
memory/4876-114-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4876-122-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/4876-124-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/4876-94-0x0000000004170000-0x0000000004178000-memory.dmp

Filesize
32KB

Download
memory/4876-137-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4876-92-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4876-145-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/4876-147-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/4876-91-0x00000000040B0000-0x00000000040B8000-memory.dmp

Filesize
32KB

Download
memory/4876-84-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/4876-99-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/4876-187-0x0000000003FB0000-0x0000000003FB8000-memory.dmp

Filesize
32KB

Download
memory/4876-195-0x0000000004050000-0x0000000004058000-memory.dmp

Filesize
32KB

Download
memory/4876-199-0x00000000041D0000-0x00000000041D8000-memory.dmp

Filesize
32KB

Download
memory/4876-198-0x0000000004050000-0x0000000004058000-memory.dmp

Filesize
32KB

Download
memory/4876-200-0x0000000004400000-0x0000000004408000-memory.dmp

Filesize
32KB

Download
memory/4876-201-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/4876-202-0x0000000004230000-0x0000000004238000-memory.dmp

Filesize
32KB

Download
memory/4876-78-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/4876-215-0x0000000003FB0000-0x0000000003FB8000-memory.dmp

Filesize
32KB

Download
memory/4876-223-0x0000000004230000-0x0000000004238000-memory.dmp

Filesize
32KB

Download
memory/4876-72-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4876-52-0x000000000056A000-0x000000000056B000-memory.dmp

Filesize
4KB

Download
memory/4876-40-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4876-278-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads