tinba | e5765a32f7dd21f9652abfd2434ba0f1ab66db6a1630b5667618dd8f6bea4c52

Analysis

max time kernel
136s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe
Size

49KB
MD5

dc37d18cb38d0fa17fd174be1ac31497
SHA1

77f58115fb8c4ad25a4b450a277d8c8d1501c718
SHA256

e5765a32f7dd21f9652abfd2434ba0f1ab66db6a1630b5667618dd8f6bea4c52
SHA512

70ce8c0133f7328dbbe4961893bd44dd93cab5674043f338b6e56784c001a85bc9b7b2b0c0a16a72edda525127779603d7d5559d23511984370fa64cb7363897
SSDEEP

768:MCCCFlkbwAYbFshpyiB9L9Mx2BWseUCHGAwk5R9Jw:Qbw/6plBTFBYNNR9Jw

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D8A7D4FF = "C:\\Users\\Admin\\AppData\\Roaming\\D8A7D4FF\\bin.exe"	winver.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	1672	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	winver.exe
1672	winver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1672	winver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1672	2000	dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe	83
PID 2000 wrote to memory of 1672	2000	dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe	83
PID 2000 wrote to memory of 1672	2000	dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe	83
PID 2000 wrote to memory of 1672	2000	dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe	83
PID 1672 wrote to memory of 3448	1672	winver.exe	56
PID 1672 wrote to memory of 2664	1672	winver.exe	44

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448
- C:\Users\Admin\AppData\Local\Temp\dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc37d18cb38d0fa17fd174be1ac31497_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 352
      4⤵
      Program crash
      PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1672 -ip 1672
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-10-0x0000000002C90000-0x0000000002C96000-memory.dmp

Filesize
24KB

Download
memory/1672-4-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download
memory/1672-6-0x00007FFF33470000-0x00007FFF33665000-memory.dmp

Filesize
2.0MB

Download
memory/1672-13-0x0000000002C90000-0x0000000002C96000-memory.dmp

Filesize
24KB

Download
memory/2000-3-0x0000000002230000-0x0000000002C30000-memory.dmp

Filesize
10.0MB

Download
memory/2000-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2000-8-0x0000000002230000-0x0000000002C30000-memory.dmp

Filesize
10.0MB

Download
memory/2000-0-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2664-12-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/2664-14-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/3448-2-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/3448-1-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/3448-5-0x00007FFF3350D000-0x00007FFF3350E000-memory.dmp

Filesize
4KB

Download