T oday we’ll have a look at Tinba (Tiny Banker), the smallest banker in the world. Without the use of a packer or crypter Tinba is around 20 KB, default configuration and web injects included. A few days ago the source code of Tinba 1 was released on a closed underground forum. oday we’ll have a look at(Tiny Banker), the smallest banker in the world. Without the use of a packer or crypter Tinba is around 20 KB, default configuration and web injects included. A few days ago the source code of Tinba 1 was released on a closed underground forum. Reference Tinba uses MiTB (Man in The Browser) tricks and web injects to change the appearance of certain webpages. Objective: circumvent two factor Authentication and/or trick the victim in giving up additional sensitive data. Tinba uses RC4 encryption to communicate with its C&C servers. The key and the servers are hardcoded into the binary. Before downloading updates from the C&C server, Tinba sends out an RC4 encrypted string. I accidentally found this sample of Tinba because the author used the same crypter as ZeuS GameOver Reloaded. The sample was submitted to VirusTotal the same day as the new ZeuS GameOver and seems to be the payload of a spam email targeting mainly users from Poland and the Czech Republic. We can find back traces of the crypter in the memory space of Tinba: 0x987041 (17): OU___Enemy %d , 0x987053 (13): OU___Bomb %d Along with the following strings: 0x14562a8 (11): LoadBitmapA 0x14562d0 (13): IntersectRect 0x1456342 (18): CreateCompatibleDC 0x1456358 (22): CreateCompatibleBitmap 0x145637c (14): ImageList_Draw 0x145638e (19): ImageList_AddMasked The executable is 88.0 KB (90,112 bytes) and contains an RCData resource with the ID 56. The size (9479176 bytes) is fake; it’s bigger than the size of the executable. This will cause a warning in Olly and makes it harder to extract the resource. The resource with the ID 56 contains a fake JPG header. JPEGsnoop, a free windows application able to examine and decode the inner details of JPEG images, reports an unknown marker at the offset 0x000004B1 and notifies of existing data after EOF. Hiding an executable in a resource is a method to evade anti-virus detections. Upon execution TINBA.EXE [PID 2724] launches an instance of itself [PID 3004]. Note the size of the executable: 20KB. After approximately 1 minute (I noticed the SLEEP command in the code but didn’t time it) TINBA.EXE will launch an instance of TASKMGR.EXE (Windows Task Manager), inject code into the newly created process and exit. Before terminating its process, TINBA.EXE contained the following Section: \BaseNamedObjects\redhot

The same Section is found back in the TASKMGR.EXE process. TASKMGR.EXE: Reads the Volume Name and Serial Number

Creates a directory named "AdobeChk" in the %APPDATA% folder

Renames TINBA.exe to %APPDATA%\AdobeChk\chk.exe c:\Documents and Settings\[User Name]\Application Data\AdobeChk\chk.exe

Date: 7/14/2014 4:36 PM

Size: 90,112 bytes



Creates the following Registry entry so that CHK.EXE runs each time Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AdobeChk"

Type: REG_SZ

Data: C:\Documents and Settings\[User Name]\Application Data\AdobeChk\chk.exe



Sets tabs and frames to run within the same process in IE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "TabProcGrowth"

Type: REG_DWORD

Data: 01, 00, 00, 00

TASKMGR.EXE will establish a little routine in case the file or the Registry keys are deleted but the procedure looks a bit flawed to me. The injected process attempts to create a folder that already exists (resulting in a name collision) and checks for a file called "empty" in the folder where TINBA.EXE was located. Tinba sends out an RC4 encrypted string to the C&C located at plsecdirect.ru and receives a 403 Forbidden. The decrypted string is EHLO. Hardcoded User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

RC4 key: wer8c7ygbw485ghw

Hardcoded C&C: plsecdirect.ru - 91.237.198.54

framesoutchk.ru - 91.237.198.54

Targeted Browsers: iexplore.exe | firefox.exe | maxthon.exe | chrome.exe

Path to configuration and web injects: C:\Documents and Settings\[User Name]\Application Data\AdobeChk\cof.dat

C:\Documents and Settings\[User Name]\Application Data\AdobeChk\cot.dat

Memory Strings: 0x3b170e (20): POST /re/ HTTP/1.1 0x3b1739 (71): Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US 0x3b1791 (75): User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0x3b17ed (57): Content-Type: application/x-www-form-urlencoded Host: 0x3b1842 (18): Content-Length: 0x3b1875 (48): Connection: Close Cache-Control: no-cache 0x3b215d (13): [urlfilter] 0x3b22c4 (13): data_before 0x3b22f5 (10): data_end 0x3b2329 (13): data_inject 0x3b235e (10): data_end 0x3b2392 (12): data_after 0x3b23c6 (10): data_end 0x3b25e3 (14): %SAVEDATA_*=*% 0x3b26aa (11): %BOTDATA_*% 0x3b28e8 (15): X-Frame-Options 0x3b2aab (27): Accept-Encoding: identity 0x3b2adc (50): If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT 0x3b2e78 (18): Content-Length: 0x3b2ed8 (20): Transfer-Encoding: 0x3b3038 (19): X-Frame-Options: 0x3b306c (29): X-Content-Security-Policy:

VirusTotal Results tinba.exe Additional information MD5: faba9ee82dfa2629098c8ef884395d5a SHA1: c0e40cb29a1e6b5a4174727f49ef871aafb684d5 SHA256: cbb16b01a8dcf3747a597ceb4176939f83083a6293b60aaca00e040970d63379 File size: 88.0 KB ( 90112 bytes ) Detection ratio: 34 / 54 Analysis date: 2014-07-12 16:31:02 Antivirus Result Update Ad-Aware Trojan.GenericKD.1750488 20140712 AegisLab 20140712 Agnitum 20140712 AhnLab-V3 Trojan/Win32.Zbot 20140712 AntiVir TR/Crypt.Xpack.71693 20140712 Antiy-AVL Trojan/Win32.Inject 20140712 Avast Win32:Malware-gen 20140712 AVG Generic_r.DYS 20140712 Baidu-International Trojan.Win32.Tinba.BAX 20140712 BitDefender Trojan.GenericKD.1750488 20140712 Bkav 20140711 ByteHero 20140712 CAT-QuickHeal 20140712 ClamAV 20140712 CMC 20140711 Commtouch W32/Zbot.IWEE-4148 20140712 Comodo 20140712 DrWeb Trojan.Encoder.682 20140712 Emsisoft Trojan.GenericKD.1750488 (B) 20140712 ESET-NOD32 Win32/Tinba.AX 20140712 F-Prot W32/Zbot.BZY 20140712 F-Secure Trojan.GenericKD.1750488 20140712 Fortinet W32/Tinba.AX!tr 20140712 GData Trojan.GenericKD.1750488 20140712 Ikarus Trojan-Spy.Zbot 20140712 Jiangmin 20140712 K7AntiVirus 20140711 K7GW 20140711 Kaspersky Trojan.Win32.Tinba.bl 20140712 Kingsoft 20140712 Malwarebytes Trojan.Zbot 20140712 McAfee RDN/Generic.dx!ddw 20140712 McAfee-GW-Edition RDN/Generic.dx!ddw 20140711 Microsoft Trojan:Win32/Tinba.A 20140712 MicroWorld-eScan Trojan.GenericKD.1750488 20140712 NANO-Antivirus Trojan.Win32.Encoder.dcdrmp 20140712 Norman Troj_Generic.UXHBG 20140712 nProtect 20140711 Panda Trj/CI.A 20140712 Qihoo-360 Win32/Trojan.Multi.daf 20140712 Rising 20140712 Sophos Troj/HkMain-AQ 20140712 SUPERAntiSpyware 20140712 Symantec Trojan.Zbot 20140712 Tencent Win32.Trojan.Tinba.Egek 20140712 TheHacker 20140711 TotalDefense 20140711 TrendMicro TROJ_TINBA.TFB 20140712 TrendMicro-HouseCall TROJ_TINBA.TFB 20140712 VBA32 20140712 VIPRE Trojan.Win32.Generic!BT 20140712 ViRobot Trojan.Win32.Agent.324096 20140712 Zillya 20140710 Zoner 20140711

Tinba

Tinybanker Tags: If our research has helped you, please consider making a donation through PayPal