Back

A hard look at BBTok

Sept. 26, 2024, 1:10 p.m.

Tags

bbtok
2024-09-26

External References

https://www.gdatasoftware.com/

https://www.gdatasoftware.com/

https://feeds.feedblitz.com/

https://otx.alienvault.com/

Description

This analysis dissects the infection chain of BBTok, a Brazilian-targeted threat. The malware utilizes an ISO image containing a shortcut file and various components. It employs the Microsoft Build Engine to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated using ConfuserEx and utilizes AppDomain Manager Injection for execution. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation, and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.

Date

Published Created Modified
Sept. 26, 2024, 12:55 p.m. Sept. 26, 2024, 12:55 p.m. Sept. 26, 2024, 1:10 p.m.

Indicators

ddf84fdc080bd55f6f2b409e596b6f7a040c4ab1eb4b965b3f709a0f7faa4e02

dc03070d50fdd31c89491d139adfb211daf171d03e9e6d88aac43e7ff44e4fef

cb1d2659508a4f50060997ee0e60604598cb38bd2bb90962c6a51d8b798a03b6

b60eb62f6c24d4a495a0dab95cc49624ac5099a2cc21f8bd010a410401ab8cc3

ac044dd9ae8f18d928cf39d24525e2474930faf8e83c6e3ad52496ecab11f510

a3afed0dabefde9bb8f8f905ab24fc2f554aa77e3a94b05ed35cffc20c201e15

8e7f0a51d7593cf76576b767ab03ed331d822c09f6812015550dbd6843853ce7

7566131ce0ecba1710c1a7552491120751b58d6d55f867e61a886b8e5606afc3

7559c440245aeeca28e67b7f13d198ba8add343e8d48df92b7116a337c98b763

5e5a58bfabd96f0c78c1e12fa2625aba9c84aa3bd4c9bb99d079d6ccb6e46650

35db2b34412ad7a1644a8ee82925a88369bc58f6effc11d8ec6d5f81650d897e

2ff420e3d01893868a50162df57e8463d1746d3965b76025ed88db9bb13388af

2d2c2ba0f0d155233cdcbf41a9cf166a6ce9b80a6ab4395821ce658afe04aaba

27914c36fd422528d8370cbbc0e45af1ba2c3aeedca1579d92968649b3f562f7

276a1e9f62e21c675fdad9c7bf0a489560cbd959ac617839aeb9a0bc3cd41366

24fac4ef193014e34fc30f7a4b7ccc0b1232ab02f164f105888aabe06efbacc3

09027fa9653bdf2b4a291071f7e8a72f14d1ba5d0912ed188708f9edd6a084fe

Attack Patterns

BBTok

BBTok

T1547.006

T1543.003

T1497.002

T1053.005

T1027.002

T1497.001

T1059.003

T1059.001

T1012

T1518.001

T1562.001

T1204.002

T1082

T1105

T1205

T1055

T1140

T1027

T1112

Additional Informations

Brazil