tinba | 9b87a8a3a18dd12d483f223b697ae0096bf523808411f0d52efabc0ab579094c

General

Target

164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe
Size

49KB
MD5

164da67e2e120ddaa60def20c03c1455
SHA1

a4348201141e3635ba0667d3de179794f087b526
SHA256

9b87a8a3a18dd12d483f223b697ae0096bf523808411f0d52efabc0ab579094c
SHA512

3602b3591529702f5304bab2cef08a9c6e73c943b1681356ebb302bcacb3fae075a2b3196e87f5d3a26216a3042500290074a40179f3d3fee152f0b65e1178b9
SSDEEP

768:FCCCFlkbwAYbFshpyiB9L9Mx2BWseUCHGAwk5R9Jw:dbw/6plBTFBYNNR9Jw

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C1D5945F = "C:\\Users\\Admin\\AppData\\Roaming\\C1D5945F\\bin.exe"	winver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winver.exe

pid	process
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe
4088	winver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RuntimeBroker.exe

description pid process

Token: SeShutdownPrivilege 3928 RuntimeBroker.exe
Token: SeShutdownPrivilege 3928 RuntimeBroker.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

4088 winver.exe

description	pid	process
Token: SeShutdownPrivilege	3928	RuntimeBroker.exe
Token: SeShutdownPrivilege	3928	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exewinver.exemsedge.exe

description	pid	process	target process
PID 824 wrote to memory of 4088	824	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 824 wrote to memory of 4088	824	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 824 wrote to memory of 4088	824	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 824 wrote to memory of 4088	824	164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe	winver.exe
PID 4088 wrote to memory of 3188	4088	winver.exe	Explorer.EXE
PID 4088 wrote to memory of 2392	4088	winver.exe	sihost.exe
PID 4088 wrote to memory of 2408	4088	winver.exe	svchost.exe
PID 4088 wrote to memory of 2488	4088	winver.exe	taskhostw.exe
PID 4088 wrote to memory of 3188	4088	winver.exe	Explorer.EXE
PID 4088 wrote to memory of 3496	4088	winver.exe	svchost.exe
PID 4088 wrote to memory of 3720	4088	winver.exe	DllHost.exe
PID 4088 wrote to memory of 3820	4088	winver.exe	StartMenuExperienceHost.exe
PID 4088 wrote to memory of 3928	4088	winver.exe	RuntimeBroker.exe
PID 4088 wrote to memory of 4036	4088	winver.exe	SearchApp.exe
PID 4088 wrote to memory of 3456	4088	winver.exe	RuntimeBroker.exe
PID 4088 wrote to memory of 4512	4088	winver.exe	RuntimeBroker.exe
PID 4088 wrote to memory of 4944	4088	winver.exe	TextInputHost.exe
PID 4088 wrote to memory of 2456	4088	winver.exe	msedge.exe
PID 4088 wrote to memory of 3988	4088	winver.exe	msedge.exe
PID 4088 wrote to memory of 2448	4088	winver.exe	msedge.exe
PID 4088 wrote to memory of 2120	4088	winver.exe	msedge.exe
PID 4088 wrote to memory of 2824	4088	winver.exe	msedge.exe
PID 4088 wrote to memory of 3568	4088	winver.exe	msedge.exe
PID 4088 wrote to memory of 4912	4088	winver.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4360	2456	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2408

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\164da67e2e120ddaa60def20c03c1455_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\winver.exe
winver
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4512

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x258,0x7ffe66152e98,0x7ffe66152ea4,0x7ffe66152eb0
2⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2272 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:2
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:3
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5308 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5572 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
2⤵
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-1-0x0000000002220000-0x0000000002C20000-memory.dmp

Filesize
10.0MB

Download
memory/824-0-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/824-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/824-9-0x0000000002220000-0x0000000002C20000-memory.dmp

Filesize
10.0MB

Download
memory/2392-25-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2408-13-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/2408-27-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/2488-14-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/2488-26-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/3188-15-0x0000000001270000-0x0000000001276000-memory.dmp

Filesize
24KB

Download
memory/3188-6-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

Filesize
24KB

Download
memory/3188-2-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

Filesize
24KB

Download
memory/3188-7-0x00007FFE8D56D000-0x00007FFE8D56E000-memory.dmp

Filesize
4KB

Download
memory/3188-24-0x0000000001270000-0x0000000001276000-memory.dmp

Filesize
24KB

Download
memory/3456-21-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/3456-31-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/3496-16-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3496-28-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3720-17-0x0000000000F40000-0x0000000000F46000-memory.dmp

Filesize
24KB

Download
memory/3820-29-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

Filesize
24KB

Download
memory/3820-18-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

Filesize
24KB

Download
memory/3928-19-0x0000000000050000-0x0000000000056000-memory.dmp

Filesize
24KB

Download
memory/3928-30-0x0000000000050000-0x0000000000056000-memory.dmp

Filesize
24KB

Download
memory/4036-20-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/4088-4-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/4088-5-0x0000000077722000-0x0000000077723000-memory.dmp

Filesize
4KB

Download
memory/4088-44-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/4512-32-0x0000000000040000-0x0000000000046000-memory.dmp

Filesize
24KB

Download
memory/4512-22-0x0000000000040000-0x0000000000046000-memory.dmp

Filesize
24KB

Download
memory/4512-41-0x0000000000040000-0x0000000000046000-memory.dmp

Filesize
24KB

Download
memory/4944-33-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/4944-23-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads