Malware Analysis [#2] — FFDroider
This is a malware analysis write-up for the FFDroider stealer, a new malware family that was first spotted in April 2022.
Our sample of today: md5(b1d856afe8ffd2649843d64affe9d4c3)
Static Analysis:
Looking at the sample in PEStudio, we can see it is a 32-bit executable with high entropy and a recent compilation date, built in debug mode. Its original name is “FbRobot.exe”, and it contains a lot of URL patterns and a large list of resources:
The resources are mostly unremarkable, except for a “string.txt” file written in Chinese, which I translated; the figures below show part of the file and its translation:
Looking at the imported functions, there are many network-connectivity functions:
And “Detect It Easy” reports that the “.text” section is packed:
Dynamic Analysis:
When run, the sample creates a directory named “VcpVideoV1.0.1” and places a copy of itself in it.
Next, it creates a registry key named “ffdroider\FFDROIDER” under “HKCU\Software”:
It also creates a SQLite database file named “d” in the directory the sample was executed from, then starts reading cookies from the Chrome directory and writing them to the “d” file, then starts querying:
- WebCache.
- User Pinned application.
- Start Menu.
- Libraries.
- Links.
- Temp directory.
- Temporary Internet Files.
and the list goes on. What I found is that the “d” file is a copy of Chrome's “Cookies” file:
Opening the “d” file in “sqlite browser”, I found two tables, one named “Cookies” and the other “meta”:
The malware starts a loop that:
- Reads from the “Cookies” file and writes to the “d” file.
- Queries files and directories.
- Starts a new “ielowutil.exe” process with the argument “-PID:123” to do its job, then exits.
“ielowutil.exe” is a broker process that handles operations requiring processing at Low integrity level; Internet Explorer and a number of other native Windows applications need to check feeds and web slices for updates, and this is handled by ielowutil.exe.
The sample makes two internet connections to a C2 server, passing the name of the file:
Reversing:
At the beginning, the malware calls “CreateMutex” with the object name “37238328–1324242–5456786–8fdff0–67547552436675”. If the call does not fail, it calls “GetLastError” and compares the result with 183 (0xB7), ERROR_ALREADY_EXISTS according to the Microsoft docs (see link):
If the mutex did not already exist, execution continues; if the call failed or the error was ERROR_ALREADY_EXISTS, it calls “OutputDebugStringA” with the string “<<< Exit with same app>>>”.
After that it creates a directory called “VlcpVideosV1.0.1” in the Documents folder. It calls “SHGetSpecialFolderPathW”, which retrieves the path of a special folder identified by its CSIDL, with the argument “CSIDL_MYDOCUMENTS” to get the Documents path, appends “//VlcpVideosV1.0.1” to it, and calls “PathFileExistsW” to determine whether the folder path is valid. If it is not, it creates the directory with “CreateDirectoryW” and then copies itself into the newly created directory with “CopyFileW”:
Next, the malware dynamically loads several libraries and resolves imports whose names are stored encrypted. The decryption routine is simple: the first byte is XORed with 5, and the key is incremented by 1 for each subsequent byte, so string[0] is XORed with 5, string[1] with 6, and so on until the end of the string. The decrypted strings are:
- LoadLibraryA.
- Wininet.dll.
- InternetGetCookieExW.
- Ieframe.dll.
- IEGetProtectedModeCookie.
- netapi32.dll.
- NetWkstaGetInfo.
- NetApiBufferFree.
- advapi32.dll.
- RegCreateKeyW.
- iphlpapi.dll.
- GetAdaptersInfo.
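As an added example (not code from the sample or from the original write-up), here is a re-implementation of that rolling-XOR routine in Python, extended with a defender-side use: because every string restarts at key 5, the encrypted form of a known API name is a fixed byte pattern that can be searched for directly in a dump of the binary. The single-byte key wrap and the per-string key restart are assumptions, as is the constructed sample blob.

```python
# Added example (analyst reconstruction, not code from the FFDroider sample):
# the rolling-XOR string decryptor described above, plus its use to locate
# the encrypted import names in a raw dump. Assumptions: the key is a single
# byte (wraps at 0x100) and the key stream restarts at 5 for every string.
START_KEY = 5


def ffdroider_decrypt(data: bytes, start_key: int = START_KEY) -> str:
    """Decrypt one string: byte i is XORed with (start_key + i)."""
    plain = bytes(b ^ ((start_key + i) & 0xFF) for i, b in enumerate(data))
    return plain.decode("latin-1")


def ffdroider_encrypt(text: str, start_key: int = START_KEY) -> bytes:
    """Inverse transform (XOR is symmetric); used to build search patterns."""
    raw = text.encode("latin-1")
    return bytes(c ^ ((start_key + i) & 0xFF) for i, c in enumerate(raw))


# Import names the write-up reports as decrypted, used as the search list.
KNOWN_IMPORTS = [
    "LoadLibraryA", "Wininet.dll", "InternetGetCookieExW", "Ieframe.dll",
    "IEGetProtectedModeCookie", "netapi32.dll", "NetWkstaGetInfo",
    "NetApiBufferFree", "advapi32.dll", "RegCreateKeyW", "iphlpapi.dll",
    "GetAdaptersInfo",
]


def find_encrypted_strings(buf: bytes, plaintexts=KNOWN_IMPORTS) -> dict:
    """Map each known name to the offset of its encrypted form in buf.

    The key stream restarts per string, so a name's ciphertext is a fixed
    byte pattern and a plain substring search finds it in the binary even
    though the name never appears in clear text.
    """
    hits = {}
    for name in plaintexts:
        offset = buf.find(ffdroider_encrypt(name))
        if offset != -1:
            hits[name] = offset
    return hits


# Constructed stand-in for a file/memory dump: filler bytes around two
# encrypted names, each NUL-terminated as a C string would be.
SAMPLE_BLOB = (
    b"\x90" * 16
    + ffdroider_encrypt("InternetGetCookieExW") + b"\x00"
    + b"\xcc" * 8
    + ffdroider_encrypt("RegCreateKeyW") + b"\x00"
)
```

Running `find_encrypted_strings` over a real dump of the sample would report the file offsets of the encrypted names, which is a quick way to confirm the routine before writing a YARA rule on those byte patterns.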
After that, the malware prepares the C2 connection by setting up an HTTP request to “152.32.193.91/seemorebty/il.php?e=<filename>”:
It then decrypts the path to the Chrome directory with the same decryption routine mentioned before and opens the Cookies file:
The malware then checks whether the SQLite file named “d” exists and creates it if not. It also tries to open two other files, “d-journal” and “d-wal”, but does not create them when they are missing. Then the loop of reading, querying and writing starts:
Next, it builds the list of top-level domains to append to the “amazon” domain and prefixes each with “https://www.”:
After that it sets up a new HTTP GET request and tries to open a file named “install.exe”, which is probably a second stage downloaded from the C2. I tried to mimic the malware's requests to fetch the second stage but got no response from the C2 server (newest sample IP addresses):
It also tries to execute a file named “tmp.exe” with “ShellExecuteExW”, and then deletes the file named “install.exe”:
C2 Infrastructure:
This sample's C2 server IP was down, so I looked up the newest sample reported to “MalwareBazaar”, got the IP addresses of its C2 servers and checked the infrastructure; below is what I found:
Indicators of Compromise:
Network Indicators:
- https://152.32.193.91/seemorebty/
Host Indicators:
- FFdroider
- VlcpVideoV1.0.1
- FbRobot
Yara Rule and Signature:
Anti-Reversing techniques:
- IsDebuggerPresent.
- OutputDebugString.
- Encrypting some imports and strings.