Overview

overview

10

Static

static

7

f1e64d25c6...18.exe

windows7-x64

10

f1e64d25c6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1e64d25c6a87b83b62fe6513100b24c_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    f1e64d25c6a87b83b62fe6513100b24c

  • SHA1

    b908f972ea5a81e9976b65c14b134c700cb1f4fb

  • SHA256

    685dab2ff06839a9585ce8b0aede037364a4ac1c284d4aa1bbc3b462d69343cc

  • SHA512

    8915978e9b09326cbe2a3145cc9662c06c360c5f46714e46c47784009a0c8488ac8104880fc8353929a3c39412c4a434e560ef308075e119f19b74870470bd06

  • SSDEEP

    1536:yEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:5Y+4MiIkLZJNAQ9J6v

Score
10/10
tinbabankerpersistencetrojanupx

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1060
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1088
        • C:\Users\Admin\AppData\Local\Temp\f1e64d25c6a87b83b62fe6513100b24c_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\f1e64d25c6a87b83b62fe6513100b24c_JaffaCakes118.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\SysWOW64\winver.exe
            winver
            3⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2900
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1128

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1060-24-0x00000000775F1000-0x00000000775F2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1060-23-0x0000000001EA0000-0x0000000001EA6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1088-20-0x0000000002550000-0x0000000002556000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1088-11-0x00000000775F1000-0x00000000775F2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1088-2-0x0000000003040000-0x0000000003046000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1088-25-0x0000000002550000-0x0000000002556000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1088-9-0x0000000003040000-0x0000000003046000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1128-26-0x00000000003D0000-0x00000000003D6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1128-22-0x00000000003D0000-0x00000000003D6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1920-3-0x0000000001D90000-0x0000000002790000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/1920-0-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1920-12-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1920-13-0x0000000001D90000-0x0000000002790000-memory.dmp
          Filesize

          10.0MB

          Download
        • memory/1920-1-0x0000000000020000-0x0000000000021000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2900-15-0x0000000000120000-0x0000000000126000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2900-16-0x00000000001A0000-0x00000000001A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2900-4-0x0000000000120000-0x0000000000126000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2900-6-0x000000007779F000-0x00000000777A0000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2900-7-0x000000007779F000-0x00000000777A1000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2900-10-0x0000000000CA0000-0x0000000000CB6000-memory.dmp
          Filesize

          88KB

          Download
        • memory/2900-8-0x00000000777A0000-0x00000000777A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2900-30-0x0000000000120000-0x0000000000126000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2900-31-0x00000000001B0000-0x00000000001B1000-memory.dmp
          Filesize

          4KB

          Download