Trojan.Tinba.B


First posted on 25 September 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Tinba.B.

Explanation :

When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\[HEXADECIMAL VALUE]\bin.exe
It then creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[HEXADECIMAL VALUE]" = "%UserProfile%\Application Data\[HEXADECIMAL VALUE]\bin.exe"
Next, the Trojan modifies the following registry entry, which sets the Internet Explorer Internet zone (zone 3) "Display mixed content" action (1609) to enabled, so mixed HTTP/HTTPS pages load without a prompt:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
It may download a configuration file to the following locations:
%UserProfile%\Application Data\[HEXADECIMAL VALUE]\cfg.dat
%UserProfile%\Application Data\[HEXADECIMAL VALUE]\web.dat
It then injects itself into the following processes:
winver.exe
explorer.exe
The Trojan then hooks the following APIs:
NtCreateUserProcess
NtCreateProcessEx
NtCreateThread
NtResumeThread
NtEnumerateValueKey
NtQueryDirectoryFile
The Trojan may inject code into running processes. If the injected process is a browser, it hooks APIs to monitor network traffic and log information for domains specified in the configuration file.

The Trojan hooks the following APIs for Internet Explorer:
HttpSendRequestA
HttpSendRequestW
InternetCloseHandle
InternetReadFileExA
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
For other browsers, the Trojan hooks the following APIs (NSPR functions, as used by Firefox):
PR_Close
PR_Write
PR_Read
The Trojan stores the gathered information in the following locations:
%UserProfile%\Application Data\[HEXADECIMAL VALUE]\log.dat
%UserProfile%\Application Data\[HEXADECIMAL VALUE]\ntf.dat
The Trojan sends the gathered information to a command-and-control (C&C) server specified in the configuration file, which may include the following:
newstatinru.ru
justforyou0987.pw
phpsitegooddecoder.com
If none of the C&C servers listed in the configuration file are responsive, the Trojan falls back to a domain generation algorithm (DGA) that generates approximately 1,000 domains. It then attempts to contact them one at a time until one responds.

The Trojan may also download and execute the following file:
%UserProfile%\Application Data\[HEXADECIMAL VALUE].exe
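The persistence and registry artifacts above can be turned into a simple host check. The following is an added example, not part of the Symantec writeup, that matches Run values and Internet zone settings against the pattern described (a hexadecimal value name, a bin.exe under an Application Data folder of the same hexadecimal name, and zone 3 action 1609 set to 0). The sample registry values are constructed for illustration; the assumption that the hexadecimal folder name equals the Run value name, and the minimum hex length of 4 characters, are the example's own.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values and Internet zone 3 settings; not real telemetry. Each entry is
# (value name -> command), as exported from the registry.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "3F2A9C1D": r"C:\Users\alice\Application Data\3F2A9C1D\bin.exe",  # all three traits
    "Updater":  r"C:\Users\alice\Application Data\Updater\bin.exe",   # folder is not hex
    "A1B2C3D4": r"C:\Users\alice\Application Data\E5F6A7B8\bin.exe",  # hex, but name != folder
}
SAMPLE_ZONE3 = {"1609": 0, "1400": 0}

# Assumption: the value name is a run of at least 4 hexadecimal characters.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{4,}$")

# %UserProfile%\Application Data\[HEX]\bin.exe, tolerating the literal
# %UserProfile% variable, an expanded profile path, and the AppData\Roaming
# location that "Application Data" is a junction to on Vista and later.
TINBA_PATH = re.compile(
    r"""^(?:%userprofile%
          |[a-z]:\\users\\[^\\]+
          |[a-z]:\\documents\ and\ settings\\[^\\]+)
        \\(?:application\ data|appdata\\roaming)\\
        (?P<dir>[0-9a-f]{4,})\\bin\.exe$""",
    re.IGNORECASE | re.VERBOSE,
)


def classify_run_value(name, command):
    """Return the Tinba-like traits seen on one Run value, in a fixed order."""
    traits = []
    cmd = command.strip().strip('"')  # tolerate a quoted path
    m = TINBA_PATH.match(cmd)
    if m:
        traits.append("path:ApplicationData\\<hex>\\bin.exe")
        if HEX_NAME.match(name):
            traits.append("valuename:hex")
            if name.lower() == m.group("dir").lower():
                traits.append("valuename==dirname")
    return traits


def find_tinba_persistence(run_values):
    """Return the Run value names that show all three traits."""
    return sorted(n for n, c in run_values.items()
                  if len(classify_run_value(n, c)) == 3)


def mixed_content_prompt_disabled(zone3):
    """True when zone 3 action 1609 ("Display mixed content") is 0 (enabled, no prompt)."""
    return str(zone3.get("1609", "")) == "0"


if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_VALUES.items():
        print(f"{name:10} {classify_run_value(name, cmd)}")
    print("Tinba-like persistence:", find_tinba_persistence(SAMPLE_RUN_VALUES))
    print("Zone 3 mixed content allowed silently:", mixed_content_prompt_disabled(SAMPLE_ZONE3))
```

On a live host the same functions can be fed from `winreg` (HKEY_CURRENT_USER, the Run key and `Internet Settings\Zones\3`), one user hive at a time; the 1609 check alone is a weak signal, since administrators and other software also change it, so treat it as corroboration for the Run-key match rather than an indicator on its own.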

Last update 25 September 2014