tinba | 4ad406b6e4bb89e3f8e3778aac25abd6ba02330480aa5769d689c87737083f71

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe
Size

167KB
MD5

cfc25902697dc254bd83fc9c75722270
SHA1

9a7657ad5c6d4b8d4e8f8b33d0532906af23325c
SHA256

4ad406b6e4bb89e3f8e3778aac25abd6ba02330480aa5769d689c87737083f71
SHA512

b2294cc83c6d06f10a431678e72d32201be5bbc970473ab6afb6f7e2b5fec4b594d840500764a73556286aabd18ec37076ddba99ab634ab4efedcc94fadb78db
SSDEEP

3072:neva8lOsLXBuwOJKPy9tknHrtU5pT5lEauFOc6AqauLyRK5PKGVB4MzeL:Sll2kHrtWPEhOcVRo

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\31BACD36 = "C:\\Users\\Admin\\AppData\\Roaming\\31BACD36\\bin.exe"	EXPLORER.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPLORER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe
2812	EXPLORER.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2732	2680	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2812	2732	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2812	2732	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2812	2732	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2812	2732	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2812	2732	cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1116	2812	EXPLORER.exe	19
PID 2812 wrote to memory of 1168	2812	EXPLORER.exe	20
PID 2812 wrote to memory of 1204	2812	EXPLORER.exe	21
PID 2812 wrote to memory of 1636	2812	EXPLORER.exe	25

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cfc25902697dc254bd83fc9c75722270_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\EXPLORER.exe
      EXPLORER
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-21-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/1116-30-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/1116-31-0x0000000076FC1000-0x0000000076FC2000-memory.dmp

Filesize
4KB

Download
memory/1116-22-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/1168-35-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1168-24-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1204-36-0x0000000002560000-0x0000000002567000-memory.dmp

Filesize
28KB

Download
memory/1204-27-0x0000000002560000-0x0000000002567000-memory.dmp

Filesize
28KB

Download
memory/1204-37-0x0000000076FC1000-0x0000000076FC2000-memory.dmp

Filesize
4KB

Download
memory/1636-29-0x0000000001D30000-0x0000000001D37000-memory.dmp

Filesize
28KB

Download
memory/1636-32-0x0000000001D30000-0x0000000001D37000-memory.dmp

Filesize
28KB

Download
memory/1636-33-0x0000000076FC1000-0x0000000076FC2000-memory.dmp

Filesize
4KB

Download
memory/2680-13-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-11-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-0-0x00000000742B1000-0x00000000742B2000-memory.dmp

Filesize
4KB

Download
memory/2680-1-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-2-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2732-16-0x0000000000E40000-0x0000000001840000-memory.dmp

Filesize
10.0MB

Download
memory/2732-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2732-14-0x0000000000E40000-0x0000000001840000-memory.dmp

Filesize
10.0MB

Download
memory/2732-3-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-34-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2812-15-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download