tinba | 9b87a8a3a18dd12d483f223b697ae0096bf523808411f0d52efabc0ab579094c

General

Target

164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe
Size

49KB
MD5

164da67e2e120ddaa60def20c03c1455
SHA1

a4348201141e3635ba0667d3de179794f087b526
SHA256

9b87a8a3a18dd12d483f223b697ae0096bf523808411f0d52efabc0ab579094c
SHA512

3602b3591529702f5304bab2cef08a9c6e73c943b1681356ebb302bcacb3fae075a2b3196e87f5d3a26216a3042500290074a40179f3d3fee152f0b65e1178b9
SSDEEP

768:FCCCFlkbwAYbFshpyiB9L9Mx2BWseUCHGAwk5R9Jw:dbw/6plBTFBYNNR9Jw

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\0D02A53F = "C:\\Users\\Admin\\AppData\\Roaming\\0D02A53F\\bin.exe"	winver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exe

pid	process
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe
2328	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2328 winver.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exewinver.exe

description	pid	process	target process
PID 2392 wrote to memory of 2328	2392	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 2392 wrote to memory of 2328	2392	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 2392 wrote to memory of 2328	2392	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 2392 wrote to memory of 2328	2392	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 2392 wrote to memory of 2328	2392	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 2328 wrote to memory of 1380	2328	winver.exe	Explorer.EXE
PID 2328 wrote to memory of 1240	2328	winver.exe	taskhost.exe
PID 2328 wrote to memory of 1324	2328	winver.exe	Dwm.exe
PID 2328 wrote to memory of 1380	2328	winver.exe	Explorer.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1240

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1324

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-22-0x0000000077BB1000-0x0000000077BB2000-memory.dmp

Filesize
4KB

Download
memory/1240-21-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1324-18-0x0000000001AC0000-0x0000000001AC6000-memory.dmp

Filesize
24KB

Download
memory/1324-23-0x0000000001AC0000-0x0000000001AC6000-memory.dmp

Filesize
24KB

Download
memory/1380-3-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/1380-2-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/1380-1-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/1380-9-0x0000000077BB1000-0x0000000077BB2000-memory.dmp

Filesize
4KB

Download
memory/1380-24-0x0000000002780000-0x0000000002786000-memory.dmp

Filesize
24KB

Download
memory/1380-20-0x0000000002780000-0x0000000002786000-memory.dmp

Filesize
24KB

Download
memory/2328-10-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2328-5-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2328-6-0x0000000077D60000-0x0000000077D61000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x0000000077D5F000-0x0000000077D60000-memory.dmp

Filesize
4KB

Download
memory/2328-8-0x0000000077D5F000-0x0000000077D61000-memory.dmp

Filesize
8KB

Download
memory/2328-28-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2328-29-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2392-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2392-12-0x00000000020B0000-0x0000000002AB0000-memory.dmp

Filesize
10.0MB

Download
memory/2392-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2392-4-0x00000000020B0000-0x0000000002AB0000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads