ffdroider | c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2

Analysis

max time kernel
103s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
Size

1.6MB
MD5

58b9e8f3a550dbffe1a25baa5baf27b3
SHA1

36b90f851318a90c2ad881a1c2529ff4dfcb99a1
SHA256

c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2
SHA512

b500981c548c766b5507d4ca8fdca9e88dfc01389e289e2860ff29dc30458184ac00f19dab2c781e744218cd315cb7101e5be214f42fe325ddf3989ddca608b6
SSDEEP

24576:oEl3CiZjrmmDzA+uWtcqa4J1Fy529Esn9bsO4nTb3sAnhr2vA:3D2mQWcqnbsjf3Hhr2vA

Score

10^/10

ffdroider defense_evasion discovery spyware stealer trojan upx

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3304-0-0x0000000000400000-0x00000000005A7000-memory.dmp	upx
behavioral1/memory/3304-2-0x0000000000400000-0x00000000005A7000-memory.dmp	upx
behavioral1/memory/3304-300-0x0000000000400000-0x00000000005A7000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3304	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
Token: SeManageVolumePrivilege	3304	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
Token: SeManageVolumePrivilege	3304	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe

C:\Users\Admin\AppData\Local\Temp\c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
"C:\Users\Admin\AppData\Local\Temp\c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3304

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
69fb830c7103d35b43f3773dcfdf0fc7

SHA1
5d105265d7070b9b0a7fb32e84f5b5c5a14454a7

SHA256
f615c34d03bca09b2cefe785544b5a4331c69fd0fa81952212d2175c9983639a

SHA512
8f7223bd053519f1beac92ef736d3672a68767212f14517e0e89df5f95a38d7d1b183af723510d569776da0b63311246568bc9e5ce3b9912edd6cabff8b56a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4024231e5e6c8e4f58e7c7f5fe47eb1a

SHA1
b9cca577b24ef88bd0a5808b5f8b9475ae8adadf

SHA256
3ea63c47f3170fc2e4ec79ce0f633cf5da92c3e3f62b30fd368f167e05c88b49

SHA512
3a861a7f8f8a2f4078a638b07226f61cbef06f39850d74c04b780ee9de58a1cb3873ccde0d50a808790ff65c894ba5aed3189aa6eec47f8ab640f2ea8714c19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8642bc1e0729f708f7c1284dfc1924ae

SHA1
0ef0eefb364742f8f4814dab7f18e7ab62493d3e

SHA256
c4aaa45e8c9bec85a1d4551b2196f3a8cb2d15c885baadfafa5e7ad79767ab0e

SHA512
bbc4331e9a48b6de7823c11c874e8e6f14ae52fe9bbf50f2ad83e1eb45291e2b25cbbe082052870a0079b7d60e231e27f79b3924be27b006bc71fbed6a1c822b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
817cac161fb379f859b4e88c0ac5fcab

SHA1
adf0d133f7d5b7c9af0603383c0b1b33eb63bbd5

SHA256
db87a591b677b0f7806fa21c01ee1cb3e72593a4e0c966a0b49718f07a9be100

SHA512
70371735190bbd677a0f201d7ccbf807eb2b277c860d3eea7039de9ef553f98359bb6e2aaab0b247e5cae09014530affa9a1a3c988de37007370bab61aa9e736

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6653bb55451f35803e69327164c0e283

SHA1
3f23f86ab3bb11e929a3059e1841a6f9313b2e88

SHA256
fe578ee3b95eabc2a3feb1186071cc3f32023650a2ff452a01ad12c359d73f0f

SHA512
3b1d630f6d8d764cdaa147384100eb197b1107327da4516334d75de94df70d41cc59ff8a485ddf7aeec283a174ffc5987b0ceb072ff134ff1f0bb5cc5b9423d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2095d4a5c036483f307e358860a390f2

SHA1
0b15dd89c75b026e92c014f7ff44c3f51cbb0fc9

SHA256
68cc42b6ec8a6e11e3261a139737ed0eb6e147a26794d2c2119022d90b0dd71a

SHA512
302e84312b8f7ebe7aa4f4e274c3117a30d8c8295c4566d5e07e0dbbdee7a470d53d66850d6307fa336d3c7c5e16c963b209a83c7a2d783693d002c4cb4b1183

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8d04ea4b02514cd994692573a0186330

SHA1
27ec794a5fc8bfdb14c8eb4e2f29323d5ea5d3d4

SHA256
fc854b0270a9bcdef98cb35f99ad49f924d1270212e79eba708b1a739133693c

SHA512
9d79851dd407f968379bc729a4f2f3c7b429ae2f43eefdc1d7bd37ed545d4dfc12c6e8a3399d0646b5d6467a7ab13d759b0498f9b8e1f404d6776d90fa62d392

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
aac8c06ab2533caafc32f37313bc57ad

SHA1
a5392413940de9969fe3131ff7f6416b019cf18a

SHA256
387918900f8d6e43ed3f0ba3d5bcd7ae8725c8489274a9e82e1a1a31f57b1db1

SHA512
250f50ad67995fe4fcb805915c20d3dd53d48dc5d0c503fd1be6f568e923df5dedabfbda6294e2ffb2a99a71b564c428a2176972f312d856ed7d41abc4098745

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
dcb312708a899d383a4af057878d8fc1

SHA1
c4d4b782b40aa5cc2ac8e9d19fcae5911c4dbcce

SHA256
a65cda106f9064b2aea897f2fbec2dd7ff303b438875cb7951de48011832119b

SHA512
fc5db5773d58e82cdec0c098e5f7f1569a7b4702105198bea7b2e1a467e9ae3ce124b24985a61d578d194f0294beeea230184bcafc4d4376cd9993ab9061cb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7a66aa01fe817623aba678b7ef62bb67

SHA1
db67ef76d1b388688771b3ed03003502d5e275d3

SHA256
20f4a5ee5744c256b0a8c4e84ec085eb53adb1dc30be186d2dca909a6cfa99a8

SHA512
41f62da7decc73e2333ddee4ef63611b86a85d6baafbe12f1094b14ce280efeafc76162bd95252196dc4d38e250e511d9d93f7e7d220f728dc13bce8c7d552b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a999f626ccb23eaf5417245f0c7ff27e

SHA1
30f6b96f025986129c7380136e2f4c8e72ade47d

SHA256
812065c2794ab06b044975fc22d65f394f1a5eb26005ddd0ca68d833de358e47

SHA512
97539420255b656671488ecf4b49e6360048229b65802714f683f092eed92cf43143161827a82a06c800048a5dfb440539a5789ed3da02711e8836980749f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
37aeb133ad946ac47c800da73e1dcb4a

SHA1
77785fe519fab68c6d7e429656b5c9c5446a3988

SHA256
da51b154e3d1cf5d88b4f54e299e6a6f9fd4e254b0debe5261eb23d2999eccad

SHA512
eb61e141687be44d34b93d6cae4a5789cfe03a4f194640c856084631a382ab8a7cda832570ec2b414c4bd771250e4909524f336e0b9eaae0031af0174e9805db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fb160d4bc066fc6f6d63cca206928b7b

SHA1
b86a5b136b8ef31da8322a1e5a69a74612a0e531

SHA256
c448f5aa423fd76a21264e1798eb7d903e515b733210ed3368892325046a8883

SHA512
60afff0499be20f43227dcc8414b2c3b407d57d55ed8c49c5710648fb94c3b86e187fb07e6e4d652bfbf062a932ae776e1e52a6d47dcf43f066e2266115c1d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cc5f80b4bb3c3884bcffccfb2848604c

SHA1
ca9110daa8335799ba141cdfab88692a53b2cbfe

SHA256
45e92316bc9ba136d032bc4e0418cae5eb9c8a3b4c357b8383b028dafb14e915

SHA512
9273de197d430cd97ad58e4121dc129f01dae3183ee30d707f1717320c2f2db8517d717b0b5716b90f17d10b9cc12275ffc43a7c155c657ebc7b0928df719a7e

Download Submit
memory/3304-73-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/3304-18-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/3304-50-0x0000000004950000-0x0000000004958000-memory.dmp

Filesize
32KB

Download
memory/3304-63-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/3304-24-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/3304-71-0x0000000004950000-0x0000000004958000-memory.dmp

Filesize
32KB

Download
memory/3304-27-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/3304-23-0x0000000004450000-0x0000000004458000-memory.dmp

Filesize
32KB

Download
memory/3304-20-0x0000000004480000-0x0000000004488000-memory.dmp

Filesize
32KB

Download
memory/3304-112-0x0000000004280000-0x0000000004288000-memory.dmp

Filesize
32KB

Download
memory/3304-113-0x00000000042A0000-0x00000000042A8000-memory.dmp

Filesize
32KB

Download
memory/3304-121-0x0000000004340000-0x0000000004348000-memory.dmp

Filesize
32KB

Download
memory/3304-125-0x00000000044C0000-0x00000000044C8000-memory.dmp

Filesize
32KB

Download
memory/3304-124-0x0000000004340000-0x0000000004348000-memory.dmp

Filesize
32KB

Download
memory/3304-126-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/3304-127-0x0000000004580000-0x0000000004588000-memory.dmp

Filesize
32KB

Download
memory/3304-48-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/3304-141-0x00000000042A0000-0x00000000042A8000-memory.dmp

Filesize
32KB

Download
memory/3304-128-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/3304-0-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/3304-149-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/3304-151-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/3304-25-0x0000000004AB0000-0x0000000004AB8000-memory.dmp

Filesize
32KB

Download
memory/3304-164-0x00000000042A0000-0x00000000042A8000-memory.dmp

Filesize
32KB

Download
memory/3304-40-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/3304-172-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/3304-174-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/3304-26-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/3304-17-0x00000000043A0000-0x00000000043A8000-memory.dmp

Filesize
32KB

Download
memory/3304-10-0x00000000038C0000-0x00000000038D0000-memory.dmp

Filesize
64KB

Download
memory/3304-4-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3304-2-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/3304-300-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download