{
  "name": "A hard look at BBTok",
  "slug": "a-hard-look-at-bbtok",
  "description": "This analysis dissects the infection chain of BBTok, a threat targeting victims in Brazil. The initial lure is an ISO image containing a Windows shortcut (.lnk) file and several supporting components; the victim has to mount and open it (user execution). The chain abuses the Microsoft Build Engine (MSBuild) to compile and execute malicious C# code on the victim's machine, so MSBuild launched outside of a build context is a useful detection point. The core component, Trammy.dll, is obfuscated with ConfuserEx and is loaded through AppDomain Manager injection. Once running, the malware writes a log file, collects system information, and establishes persistence via scheduled tasks and Windows service creation. It then downloads additional components, including CCProxy (a proxy tool used to manipulate the victim's network traffic) and a Delphi payload. The campaign is geofenced to Brazilian IP addresses and applies evasion techniques (sandbox and security-software checks, defense impairment, per the mapped ATT&CK techniques) to avoid detection.",
  "published": "2024-09-26T10:55:12+00:00",
  "created_at": "2024-09-26T10:55:12+00:00",
  "modified_at": "2024-09-26T11:10:32+00:00",
  "created_at_opencti": "2024-09-26T10:55:12+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-09-26",
    "bbtok"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "contador.danfajuda.com"
      },
      {
        "id": "",
        "name": "fileondemandd.site"
      },
      {
        "id": "",
        "name": "ddf84fdc080bd55f6f2b409e596b6f7a040c4ab1eb4b965b3f709a0f7faa4e02"
      },
      {
        "id": "",
        "name": "dc03070d50fdd31c89491d139adfb211daf171d03e9e6d88aac43e7ff44e4fef"
      },
      {
        "id": "",
        "name": "cb1d2659508a4f50060997ee0e60604598cb38bd2bb90962c6a51d8b798a03b6"
      },
      {
        "id": "",
        "name": "b60eb62f6c24d4a495a0dab95cc49624ac5099a2cc21f8bd010a410401ab8cc3"
      },
      {
        "id": "",
        "name": "ac044dd9ae8f18d928cf39d24525e2474930faf8e83c6e3ad52496ecab11f510"
      },
      {
        "id": "",
        "name": "a3afed0dabefde9bb8f8f905ab24fc2f554aa77e3a94b05ed35cffc20c201e15"
      },
      {
        "id": "",
        "name": "8e7f0a51d7593cf76576b767ab03ed331d822c09f6812015550dbd6843853ce7"
      },
      {
        "id": "",
        "name": "7566131ce0ecba1710c1a7552491120751b58d6d55f867e61a886b8e5606afc3"
      },
      {
        "id": "",
        "name": "7559c440245aeeca28e67b7f13d198ba8add343e8d48df92b7116a337c98b763"
      },
      {
        "id": "",
        "name": "5e5a58bfabd96f0c78c1e12fa2625aba9c84aa3bd4c9bb99d079d6ccb6e46650"
      },
      {
        "id": "",
        "name": "35db2b34412ad7a1644a8ee82925a88369bc58f6effc11d8ec6d5f81650d897e"
      },
      {
        "id": "",
        "name": "2ff420e3d01893868a50162df57e8463d1746d3965b76025ed88db9bb13388af"
      },
      {
        "id": "",
        "name": "2d2c2ba0f0d155233cdcbf41a9cf166a6ce9b80a6ab4395821ce658afe04aaba"
      },
      {
        "id": "",
        "name": "27914c36fd422528d8370cbbc0e45af1ba2c3aeedca1579d92968649b3f562f7"
      },
      {
        "id": "",
        "name": "276a1e9f62e21c675fdad9c7bf0a489560cbd959ac617839aeb9a0bc3cd41366"
      },
      {
        "id": "",
        "name": "24fac4ef193014e34fc30f7a4b7ccc0b1232ab02f164f105888aabe06efbacc3"
      },
      {
        "id": "",
        "name": "09027fa9653bdf2b4a291071f7e8a72f14d1ba5d0912ed188708f9edd6a084fe"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:0e6827311d2e2701",
        "name": "BBTok",
        "slug": "bbtok"
      }
    ],
    "intrusion_sets": [
      {
        "id": "8e99945a-f81d-4401-8192-73350acc3be2",
        "name": "BBTok",
        "slug": "bbtok"
      }
    ],
    "attack_patterns": [
      {
        "id": "1318097c-0016-4111-9ea9-d2c033aabc39",
        "name": "T1547.006"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "42414354-718a-4603-8b00-52fa7d6fe061",
        "name": "T1497.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "7abb6e8c-d357-49ef-9244-017043055224",
        "name": "T1205"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      }
    ]
  },
  "external_refs": [
    "https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader",
    "https://www.gdatasoftware.com/fileadmin/_processed_/6/4/G_DATA_Blog_Brazil_Malware_Assy_Preview_1f58acec09.jpg",
    "https://feeds.feedblitz.com/~/905243510/0/gdatasecurityblog-en~BBTok-Targeting-Brazil-Deobfuscating-the-NET-Loader-with-dnlib-and-PowerShell",
    "https://otx.alienvault.com/pulse/66f559b0764408b3e69464ed"
  ]
}