{
  "name": "BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell",
  "slug": "bbtok-targeting-brazil-deobfuscating-the-net-loader-with-dnlib-and-powershell",
  "description": "This analysis dissects the infection chain of BBTok, a threat that targets Brazil. The malware uses an ISO image containing a shortcut file and various components. It employs the Microsoft Build Engine to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated with ConfuserEx and uses AppDomain Manager Injection for execution. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.",
  "published": "2024-09-26T10:55:12+00:00",
  "created_at": "2024-09-26T10:55:12+00:00",
  "modified_at": "2024-09-27T15:47:13+00:00",
  "created_at_opencti": "2024-09-26T10:55:12+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-09-26",
    "bbtok"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:0e6827311d2e2701",
        "name": "BBTok",
        "slug": "bbtok"
      }
    ],
    "intrusion_sets": [
      {
        "id": "8e99945a-f81d-4401-8192-73350acc3be2",
        "name": "BBTok",
        "slug": "bbtok"
      }
    ],
    "attack_patterns": [
      {
        "id": "1318097c-0016-4111-9ea9-d2c033aabc39",
        "name": "T1547.006"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "42414354-718a-4603-8b00-52fa7d6fe061",
        "name": "T1497.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "7abb6e8c-d357-49ef-9244-017043055224",
        "name": "T1205"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      }
    ]
  },
  "external_refs": [
    "https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader",
    "https://otx.alienvault.com/pulse/66f559b0764408b3e69464ed"
  ]
}