tinba | 6a8a98aad7b06c8eb2fedb56c5426c77192cf5af3a1b463596c6a8c24c272dde

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe
Size

160KB
MD5

fb8f8d6b6e14fa95d3e8f0c80669d03d
SHA1

f5356eac207b43219c2109892539a9fad539ae30
SHA256

6a8a98aad7b06c8eb2fedb56c5426c77192cf5af3a1b463596c6a8c24c272dde
SHA512

e2fc885e8e56bc4f70c170abcc8f93a6c2a361ecd27cd75e54cd0c1e7c0e49011455dd47f938eaecb9e502f2ff5baa0f5cf50acbc50830ccff75bbb40c8afab7
SSDEEP

1536:HEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:kY+4MiIkLZJNAQ9J6v

Score

10^/10

tinba banker discovery persistence trojan upx

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FB4F2EBD = "C:\\Users\\Admin\\AppData\\Roaming\\FB4F2EBD\\bin.exe"	winver.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1908-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	2436	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2436	winver.exe
2436	winver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2436	winver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2436	1908	JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe	83
PID 1908 wrote to memory of 2436	1908	JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe	83
PID 1908 wrote to memory of 2436	1908	JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe	83
PID 1908 wrote to memory of 2436	1908	JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe	83
PID 2436 wrote to memory of 3432	2436	winver.exe	56
PID 2436 wrote to memory of 2644	2436	winver.exe	44

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2644

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb8f8d6b6e14fa95d3e8f0c80669d03d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 356
      4⤵
      Program crash
      PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2436 -ip 2436
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-1-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1908-4-0x00000000022C0000-0x0000000002CC0000-memory.dmp

Filesize
10.0MB

Download
memory/1908-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-8-0x00000000022C0000-0x0000000002CC0000-memory.dmp

Filesize
10.0MB

Download
memory/2436-6-0x00007FFE0FC50000-0x00007FFE0FE45000-memory.dmp

Filesize
2.0MB

Download
memory/2436-10-0x00000000029A0000-0x00000000029A6000-memory.dmp

Filesize
24KB

Download
memory/2436-13-0x00000000029A0000-0x00000000029A6000-memory.dmp

Filesize
24KB

Download
memory/2644-12-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/3432-2-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

Filesize
24KB

Download
memory/3432-3-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

Filesize
24KB

Download
memory/3432-5-0x00007FFE0FCED000-0x00007FFE0FCEE000-memory.dmp

Filesize
4KB

Download