ffdroider | c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2

Analysis

max time kernel
102s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
Size

1.6MB
MD5

58b9e8f3a550dbffe1a25baa5baf27b3
SHA1

36b90f851318a90c2ad881a1c2529ff4dfcb99a1
SHA256

c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2
SHA512

b500981c548c766b5507d4ca8fdca9e88dfc01389e289e2860ff29dc30458184ac00f19dab2c781e744218cd315cb7101e5be214f42fe325ddf3989ddca608b6
SSDEEP

24576:oEl3CiZjrmmDzA+uWtcqa4J1Fy529Esn9bsO4nTb3sAnhr2vA:3D2mQWcqnbsjf3Hhr2vA

Score

10^/10

ffdroider defense_evasion discovery spyware stealer trojan upx

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/324-0-0x0000000000400000-0x00000000005A7000-memory.dmp	upx
behavioral1/memory/324-2-0x0000000000400000-0x00000000005A7000-memory.dmp	upx
behavioral1/memory/324-300-0x0000000000400000-0x00000000005A7000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	324	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
Token: SeManageVolumePrivilege	324	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
Token: SeManageVolumePrivilege	324	c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe

C:\Users\Admin\AppData\Local\Temp\c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe
"C:\Users\Admin\AppData\Local\Temp\c8fe613b782feb822e9088b29139deb2002f20169667f85144321c35aaac46f2.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:324

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
9cf2785886ee8c7bacca5eaa6958ebc0

SHA1
27726e999cfa7cd018838cca9f6b98b316330e7e

SHA256
bb5437bfffad25250c7df9360f610e4ddec4de02b4b7a28dd8ef28b3c17899a8

SHA512
03cf9eb2060e7141ef7eff32e642555a5570e26ef86bd176ac82c3b5d8189ab38af5f7ff333f725d7ddf1d0720042d67687652dcd1cc48dec0346e47dc32cb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6ac4ff3062838e59fccabfc53414b922

SHA1
89fe9c7a1ee8cb3765ed1b7234d867b68d09fc6f

SHA256
7733ae31a565d7d4907fc6f854e96db6346120ed2a6d16c983d9c6c76c26765f

SHA512
f80f4e6b57723d9027aac2848a79932ac9b30a13247d6898eab0f5aefe6667329a0bd3b109c020d01057a13c2edc28cf6b3b520fc1f4683b63d5d4fc92802420

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8ac4f60d8b9bd73ac30ac1ff0f2055c6

SHA1
e9baa824a6b64fb88bb4c9ce105077da690c5062

SHA256
532660e3091a77f6d0b822fd36dae03740d70f4c84375dabbae2cc4160fa85b3

SHA512
b7e41bf80b7327ecd76fd76bcfb5eecd6cc6888183949bdd21763384619d00a21ccc5ccebb8cf3ee32fa86c627e91706a7090a50125e6481b8bbe29bdf75781a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5ebcba5943fbc745b383b1d7a3556007

SHA1
daf2444262c320afe95cd77d963570405e6b6955

SHA256
a769bc18ec1b814c10d172240e4197773e80bde205340c983bd91067c29a6598

SHA512
0060b2f69d7157513d4240ba384ab4813e3f14e40408c717939ae80606dbe6d5b80142e04d653a5d778724489e2c65c57cdeb64ff3e2ec445c68eab7cb57403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
03588aad3ba612f3c28b29ef51dd5c42

SHA1
1d01b08fc02c296035b9640ba9f793a1627defa6

SHA256
bdad6727cfce2aafca1a3b2303a77691a9f8ef39fd4d691319ed9c3a68fbb727

SHA512
2cec311953698d4d06bfdb25bfc71e87b7e6d90339466f30f5193c9c30343b5f50ae322520d0b0884a9e7f1ecbf0785aea2a79ae2661d587d573746db2e0b511

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a4e48fc3ec8ae0054313868bcf0427d9

SHA1
d249ef943fc12adf2e6d308faad398f1119aea20

SHA256
11eed81fcc3ca7166ec5742e52ff4557c36a6452ca552e15d68b86ab4c74b9b6

SHA512
242e1d6d2481cfeeeb011821ec3e4416f66c4d80b978cf5bcc681582ab8c1a8370428f93acce609fec76018419289d4279d3406d5dc064e28000c9c4995416ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e0b7e064d2453d5af4b7c5fec9f8112d

SHA1
b68af6cb8b4482ae708739312723415643e4ee1e

SHA256
7731a37860df1a31f2ea837e0b0ddc872c93006f2712a04ccd2ae7f0ce3842a1

SHA512
6d70b93f2d9bdec8938df262d35c55e67ebacf2f859cc308b01e1fa44845ecc5c350687a9c3c3b230821db8dea68b2ac92c22b378d788f01bbed6f0c9b4695f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
192d566987635eb9f2e4466e71e9da8c

SHA1
a41953f9a1264bee4a9def0a9a8dae3d5559a86c

SHA256
259294db145d6a1de79801f3ed676d80ee70db7d3e501c647073fda3025e0abb

SHA512
572913e8c9e9c8dbf09eea78444f2794e050e07929f5376e5b8bea0a15be083e914f60433f09d5d35a202314f38e56d92dcafa2fd27ff9be1564da19a95e9395

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c80b0b1380e07d1689b30420a995d994

SHA1
cb52d4104cee1ed568a9601f1f10b95d67762657

SHA256
022fca06274209a410c8879ac795cb0eaa9625c64b2d896a34e0749d6898e967

SHA512
080e69748f4a31186902492d35110de1266d6811f842159f5b9f605fe9f0244ad73057e67748616668282afbafb758d3f362d9e30531350a49a1025bb2f3fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
18c652d59083af8c985b1311922221dc

SHA1
7470272c7bf936d45ec02b97caad9393c23574e1

SHA256
58fcee4f9eec1e8d130e902f68028202901fb33036b79054e1908b2d7298f80d

SHA512
e63adf2586e18c0c86563d32d207474423146bc2bf039a2b95ed39e84645be27c430d4b644e2474fc12dca206ebbfe3168be9ed6524cc4abf01a9203cbccab53

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9ebcd6cb28dd2aece279e074d42f180f

SHA1
6363f260d4b9193a140fbb7f0145b14d509f1783

SHA256
087994b48a8f4e5777dfb4604a42e70fb69052bd00568b385d7f11eab9fe649b

SHA512
04241829faeb7592aaa6555c6b219bba5983d07ac146d7b2bb43d7980689dd1ba28b8792bced430ee6de8cb140e835bdf3cf02b209ff8ecbafb7d244a5c8a470

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c0d7cb62eb54af1d4fb64feefc5caeb4

SHA1
e194cbc51d5f54d0d551a04b48858a9feff34465

SHA256
bc359aea9b98a59a2bfdab1d14c99b55d7b1a9b1f31b94ce98c23d47f95c5fa9

SHA512
c56350ac6851c6987e664fc377055453138a5c193196adfd4b800e54aeedd9fa4840434a9685cff9b7ff6ebeeef448a16278bc111f28754ca64dc9a54880510f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e31a7172b745320ded653cdee0dbd4bd

SHA1
34e7e1200e894b9c2cd827a90056d64bbf0ff259

SHA256
55223cf4ea5ea106a845014051b711ebff83d86087ee86066a5b9fd430637a87

SHA512
3602a29aadbfff66d5955a5595e63d6d1067dd110a8ac5f29e71d3c2ffcfe73023570a5dbb3c38b117abf52c450f67235b7d146ae6c8b18aaac88ea03e129b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2f257c87887e0d110a99286873c66341

SHA1
7ce3c2f9c534ce4a90dd3d9cadb0f6925a90b799

SHA256
3c93582ffc883703961d30fc5b3d590dd217fea3e4bfac76e55512f1959ac60e

SHA512
dc5600519ecccc62dd4f5bd7a2cf7bc247bd957ccf072d77723aaa68115a2e82b22c9254a9d7440abf4fd40ed3b9ccac31ab6af8ed2f103c2834ebe13b91bef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bdae872f2ccd3ec85206428a6a5a668a

SHA1
7e19443cf204dce9ad7fd46df81ec14cb14d4288

SHA256
aee22d0432d48ca89b0db016e525d8beea848b46b0edd9c5473970875d2ef6a6

SHA512
0b98828bfb7f333720de36b54001383f6486145b94f8ec4c09a61ff826ad550d4b8cfaf96df4519be28a16f380689efa902ed1191a3e514e647c5875e4cb8456

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2c6b24719ecacca30bcc6336e8ae2d62

SHA1
e2ae2dd10f26ac6893b714a0f3efb25efeac2b57

SHA256
ec0295299434e2e7d226be5ff046ff22c4d986da45f82bd80bdbf80c625e95ba

SHA512
a1daa903fa407bf4e0130a5581779488a5d89c48157851981ee10a86060535ff90482a6c14e0ca9f0f778bb0bb39dc153f47aaff90f4ec00301a6301aa31486e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
edfb446a5ec1d5258e70edf7fcb2bbf7

SHA1
7763c3443750a3b68a02c52661209d74bba788e1

SHA256
e12febb6ad9c0fac98304a4bb7d06d906e50a5e98467940a4be5b8f884c3adba

SHA512
e666be3f5807d28eced9b7f5362bf73fbbcd781a1db5ad472a9ed0883f0b38220aa13d313f7d5cea8c00b3e38eb3bda2b52876105378249d7d788c580a658ca3

Download Submit
memory/324-112-0x0000000004130000-0x0000000004138000-memory.dmp

Filesize
32KB

Download
memory/324-26-0x0000000004850000-0x0000000004858000-memory.dmp

Filesize
32KB

Download
memory/324-50-0x00000000047F0000-0x00000000047F8000-memory.dmp

Filesize
32KB

Download
memory/324-71-0x00000000047F0000-0x00000000047F8000-memory.dmp

Filesize
32KB

Download
memory/324-73-0x00000000046C0000-0x00000000046C8000-memory.dmp

Filesize
32KB

Download
memory/324-48-0x00000000046C0000-0x00000000046C8000-memory.dmp

Filesize
32KB

Download
memory/324-40-0x0000000004270000-0x0000000004278000-memory.dmp

Filesize
32KB

Download
memory/324-0-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/324-113-0x0000000004150000-0x0000000004158000-memory.dmp

Filesize
32KB

Download
memory/324-121-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/324-124-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/324-125-0x0000000004370000-0x0000000004378000-memory.dmp

Filesize
32KB

Download
memory/324-126-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/324-127-0x0000000004430000-0x0000000004438000-memory.dmp

Filesize
32KB

Download
memory/324-128-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/324-27-0x00000000046C0000-0x00000000046C8000-memory.dmp

Filesize
32KB

Download
memory/324-141-0x0000000004150000-0x0000000004158000-memory.dmp

Filesize
32KB

Download
memory/324-63-0x0000000004270000-0x0000000004278000-memory.dmp

Filesize
32KB

Download
memory/324-149-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/324-151-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/324-25-0x0000000004950000-0x0000000004958000-memory.dmp

Filesize
32KB

Download
memory/324-164-0x0000000004150000-0x0000000004158000-memory.dmp

Filesize
32KB

Download
memory/324-24-0x00000000045B0000-0x00000000045B8000-memory.dmp

Filesize
32KB

Download
memory/324-172-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/324-174-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/324-23-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/324-20-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/324-18-0x0000000004270000-0x0000000004278000-memory.dmp

Filesize
32KB

Download
memory/324-17-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/324-10-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/324-4-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/324-2-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/324-300-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download