win.tinynuke

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot

TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking websites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke and remains very similar to its ancestor.

References
2019-12-17Brian Krebs
@online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} } Nuclear Bot Author Arrested in Sextortion Case
TinyNuke Varenyky
2018-05-21JuniperPaul Kimayong
@online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } Nukebot Banking Trojan targeting people in France
TinyNuke
2018-02-02BitSightTiago Pereira
@online{pereira:20180202:break:b0556dc, author = {Tiago Pereira}, title = {{Break Out Of The Tinynuke Malware}}, date = {2018-02-02}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet}, language = {English}, urldate = {2020-01-06} } Break Out Of The Tinynuke Malware
TinyNuke
2017-07-19Kaspersky LabsSergey Yunakovsky
@online{yunakovsky:20170719:nukebot:cba3e87, author = {Sergey Yunakovsky}, title = {{The NukeBot banking Trojan: from rough drafts to real threats}}, date = {2017-07-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/}, language = {English}, urldate = {2019-12-20} } The NukeBot banking Trojan: from rough drafts to real threats
TinyNuke
2017-04-06KrebsOnSecurityBrian Krebs
@online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} } Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer
TinyNuke
2017-03-28SecurityIntelligenceLimor Kessem, Ilya Kolmanovich
@online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak
TinyNuke
2016-12-19NetScoutDennis Schwarz
@online{schwarz:20161219:dismantling:b7af8dd, author = {Dennis Schwarz}, title = {{Dismantling a Nuclear Bot}}, date = {2016-12-19}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/}, language = {English}, urldate = {2020-01-09} } Dismantling a Nuclear Bot
TinyNuke
Yara Rules
[TLP:WHITE] win_tinynuke_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_tinynuke_auto {
    // Autogenerated code-sequence signature for the win.tinynuke family
    // (see meta below). The rule fires when at least 7 of the 30 opcode
    // sequences in `strings` are present and the scanned file is smaller
    // than 1196032 bytes (~1.14 MiB).
    //
    // Each $sequence_N is a run of raw x86 instruction bytes. The "??"
    // wildcards mask variable operands (absolute addresses, call/jump
    // targets); the generator leaves the disassembly column blank for those
    // instructions. In the "n = ..., score = ..." annotations, n is the
    // number of instructions in the sequence (one row per instruction);
    // score is yara-signator's ranking of the sequence — presumably higher
    // means better coverage across the documented samples, verify against
    // the tool's documentation before using it as a confidence weight.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { a3???????? 6a0a 68???????? 68???????? e8???????? }
            // n = 5, score = 1500
            //   a3????????           |                     
            //   6a0a                 | push                0xa
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_1 = { 8d8530f6ffff 50 6802020000 ff15???????? 85c0 }
            // n = 5, score = 1400
            //   8d8530f6ffff         | lea                 eax, [ebp - 0x9d0]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { 8945f4 8d85d4feffff 50 ff15???????? }
            // n = 4, score = 1400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8d85d4feffff         | lea                 eax, [ebp - 0x12c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { ff35???????? 50 ff15???????? eb14 57 }
            // n = 5, score = 1400
            //   ff35????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb14                 | jmp                 0x16
            //   57                   | push                edi

        $sequence_4 = { 85c0 7526 56 8d45f8 50 56 57 }
            // n = 7, score = 1400
            //   85c0                 | test                eax, eax
            //   7526                 | jne                 0x28
            //   56                   | push                esi
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_5 = { 7416 57 53 6aff }
            // n = 4, score = 1400
            //   7416                 | je                  0x18
            //   57                   | push                edi
            //   53                   | push                ebx
            //   6aff                 | push                -1

        $sequence_6 = { 8d45dc 50 e8???????? 8b750c 8bf8 }
            // n = 5, score = 1400
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8bf8                 | mov                 edi, eax

        $sequence_7 = { ff75ec ff75fc e8???????? 83c40c 5f }
            // n = 5, score = 1300
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi

        $sequence_8 = { ff15???????? ff35???????? 8d85a4feffff 50 ff15???????? ff35???????? }
            // n = 6, score = 1300
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff35????????         |                     

        $sequence_9 = { 50 ff15???????? ff35???????? 8d85a8feffff 50 ff15???????? }
            // n = 6, score = 900
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_10 = { c70604000000 e8???????? eb18 83f803 }
            // n = 4, score = 800
            //   c70604000000         | mov                 dword ptr [esi], 4
            //   e8????????           |                     
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3

        $sequence_11 = { 8b02 8a00 3c0a 7409 }
            // n = 4, score = 800
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb

        $sequence_12 = { ff7508 ff15???????? ff35???????? ff7508 }
            // n = 4, score = 800
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_13 = { a3???????? ff35???????? ff75f8 ff15???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     

        // NOTE(review): $sequence_14 and $sequence_21 are ordinary function
        // epilogue/prologue code (leave/ret, push ebp / mov ebp, esp, callee-
        // saved register pushes) and will occur in many unrelated binaries;
        // they add little specificity on their own. The 7-of-30 threshold in
        // the condition, not any single sequence, carries the rule's precision.
        $sequence_14 = { 59 a3???????? c9 c3 55 8bec }
            // n = 6, score = 800
            //   59                   | pop                 ecx
            //   a3????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_15 = { 6a2a 50 8945fc ff15???????? }
            // n = 4, score = 800
            //   6a2a                 | push                0x2a
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_16 = { ff15???????? a3???????? ff35???????? ff75ec }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]

        $sequence_17 = { 3c0a 7409 3c0d 740f }
            // n = 4, score = 800
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb
            //   3c0d                 | cmp                 al, 0xd
            //   740f                 | je                  0x11

        $sequence_18 = { eb18 83f803 7519 ff7608 }
            // n = 4, score = 800
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3
            //   7519                 | jne                 0x1b
            //   ff7608               | push                dword ptr [esi + 8]

        $sequence_19 = { ff35???????? ff7508 ff15???????? 68???????? }
            // n = 4, score = 800
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_20 = { ff15???????? 8b35???????? 8d430c 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8d430c               | lea                 eax, [ebx + 0xc]
            //   50                   | push                eax

        $sequence_21 = { 55 8bec 83ec0c 33c0 53 56 57 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        // NOTE(review): $sequence_22 through $sequence_29 (score 100) use
        // esp-relative stack addressing rather than the ebp frames seen above,
        // and $sequence_24/25/28 embed the absolute address 0x6ee00000 instead
        // of a "??" wildcard. They therefore look tied to a single build and
        // image base and may not match relocated or recompiled samples —
        // presumably why the generator scored them low; confirm before
        // relying on them.
        $sequence_22 = { 75d6 8344241814 8b442418 8b400c 85c0 }
            // n = 5, score = 100
            //   75d6                 | jne                 0xffffffd8
            //   8344241814           | add                 dword ptr [esp + 0x18], 0x14
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax

        $sequence_23 = { 75a4 8b7c241c 8b4728 891c24 }
            // n = 4, score = 100
            //   75a4                 | jne                 0xffffffa6
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   8b4728               | mov                 eax, dword ptr [edi + 0x28]
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_24 = { 0fb65308 8b7304 8b0b 83fa10 8d860000e06e 8bb90000e06e 0f848e000000 }
            // n = 7, score = 100
            //   0fb65308             | movzx               edx, byte ptr [ebx + 8]
            //   8b7304               | mov                 esi, dword ptr [ebx + 4]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   83fa10               | cmp                 edx, 0x10
            //   8d860000e06e         | lea                 eax, [esi + 0x6ee00000]
            //   8bb90000e06e         | mov                 edi, dword ptr [ecx + 0x6ee00000]
            //   0f848e000000         | je                  0x94

        $sequence_25 = { c70424???????? 0fb6b30020e06e e8???????? 31d2 89c1 89d8 f7f1 }
            // n = 7, score = 100
            //   c70424????????       |                     
            //   0fb6b30020e06e       | movzx               esi, byte ptr [ebx + 0x6ee02000]
            //   e8????????           |                     
            //   31d2                 | xor                 edx, edx
            //   89c1                 | mov                 ecx, eax
            //   89d8                 | mov                 eax, ebx
            //   f7f1                 | div                 ecx

        $sequence_26 = { 8944240c 8b442418 89442404 e8???????? 83ec10 8b44241c 8bb0a0000000 }
            // n = 7, score = 100
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     
            //   83ec10               | sub                 esp, 0x10
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8bb0a0000000         | mov                 esi, dword ptr [eax + 0xa0]

        $sequence_27 = { 83ec2c 837c243401 7537 c744241400000000 }
            // n = 4, score = 100
            //   83ec2c               | sub                 esp, 0x2c
            //   837c243401           | cmp                 dword ptr [esp + 0x34], 1
            //   7537                 | jne                 0x39
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0

        $sequence_28 = { 732e 8b5304 b904000000 8d820000e06e 8b920000e06e 0313 83c308 }
            // n = 7, score = 100
            //   732e                 | jae                 0x30
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   b904000000           | mov                 ecx, 4
            //   8d820000e06e         | lea                 eax, [edx + 0x6ee00000]
            //   8b920000e06e         | mov                 edx, dword ptr [edx + 0x6ee00000]
            //   0313                 | add                 edx, dword ptr [ebx]
            //   83c308               | add                 ebx, 8

        $sequence_29 = { 890c24 e8???????? 39ef 75d2 8d44242c c744240840000000 891c24 }
            // n = 7, score = 100
            //   890c24               | mov                 dword ptr [esp], ecx
            //   e8????????           |                     
            //   39ef                 | cmp                 edi, ebp
            //   75d2                 | jne                 0xffffffd4
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   c744240840000000     | mov                 dword ptr [esp + 8], 0x40
            //   891c24               | mov                 dword ptr [esp], ebx

    condition:
        // Any 7 of the 30 sequences above must match. The filesize cap
        // (1196032 bytes, ~1.14 MiB) was emitted by the generator from the
        // documented samples; the rule is meant for unpacked/dumped code, so
        // packed or larger builds may fall outside it — confirm the cap
        // against current samples before relying on it.
        7 of them and filesize < 1196032
}