
A hard look at BBTok

Sept. 26, 2024, 1:10 p.m.

Description

This analysis dissects the infection chain of BBTok, a threat that targets users in Brazil. The lure is an ISO image containing a Windows shortcut (LNK) file and other components. The chain abuses the Microsoft Build Engine (MSBuild) to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated with ConfuserEx and is loaded through AppDomain Manager Injection. Once running, the malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation, and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.
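As an added hunting example that is not part of the original report: the following Python heuristics cover three links of the chain summarised above, MSBuild used as a compile-and-run host, persistence (scheduled task or service) installed from that MSBuild process, and a .NET app.config or environment that redirects the AppDomainManager, which is the hook AppDomain Manager Injection relies on. Assumptions: the event records follow Sysmon process-creation field names (Image, ParentImage, CommandLine); the sample records, the drive letter, the task name, the app.config and the type name Trammy.Manager are constructed for illustration and are not indicators from the report; the build-host allowlist and path patterns are coarse starting points to tune for a given estate.

```python
"""Hunting heuristics for the BBTok-style chain summarised above: MSBuild used
as a compile-and-run host, persistence installed from that MSBuild process
(scheduled task / service), and a .NET app.config or environment that
redirects the AppDomainManager. All records below are constructed samples."""
import re
import xml.etree.ElementTree as ET

# Parents that legitimately spawn msbuild.exe. Assumption: tune per estate.
BUILD_HOSTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Locations where a project compiled at runtime should not normally live:
# user-writable folders and any non-system drive letter (a mounted ISO gets one).
# Assumption: a coarse starting point, not a tuned rule.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\|\\users\\public\\|^[d-z]:\\)", re.I)
PROJECT_ARG = re.compile(r'"?([^\s"]+\.(?:csproj|proj|xml|targets))"?', re.I)
PERSIST = re.compile(r"\b(schtasks(?:\.exe)?\s+/create|sc(?:\.exe)?\s+create)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_msbuild(ev):
    """msbuild.exe launched by something other than a build host, or compiling
    a project that sits in a user-writable or mounted location."""
    if basename(ev["Image"]) != "msbuild.exe":
        return None
    parent = basename(ev["ParentImage"])
    m = PROJECT_ARG.search(ev["CommandLine"])
    project = m.group(1) if m else None
    if parent not in BUILD_HOSTS or (project and USER_WRITABLE.search(project)):
        return f"msbuild from {parent} compiling {project}"
    return None

def persistence_from_msbuild(events):
    """schtasks /create or sc create spawned by msbuild.exe: the compiled
    project installing a scheduled task or service (T1053.005 / T1543.003)."""
    return [ev["CommandLine"] for ev in events
            if basename(ev["ParentImage"]) == "msbuild.exe"
            and PERSIST.search(ev["CommandLine"])]

def appdomain_manager_in_config(xml_text):
    """Return (assembly, type) when an app.config overrides the AppDomainManager,
    the hook AppDomain Manager Injection relies on; None otherwise."""
    root = ET.fromstring(xml_text)
    asm = root.find("runtime/appDomainManagerAssembly")
    typ = root.find("runtime/appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)

def appdomain_manager_in_env(env):
    """The same override delivered through process environment variables."""
    keys = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
    found = {k: v for k, v in env.items() if k.upper() in keys}
    return found or None

# Constructed Sysmon EID 1-style records (field names follow Sysmon; paths,
# task name and drive letter are illustrative, not indicators from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe E:\setup\build.xml"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]
# Constructed app.config; "Trammy" is the assembly the report names, the type
# name is hypothetical.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Trammy" />
    <appDomainManagerType value="Trammy.Manager" />
  </runtime>
</configuration>"""

def run_detections(events=SAMPLE_EVENTS, config=SAMPLE_CONFIG):
    alerts = []
    for ev in events:
        hit = suspicious_msbuild(ev)
        if hit:
            alerts.append("MSBuild compile-and-run: " + hit)
    alerts += ["Persistence from MSBuild: " + c for c in persistence_from_msbuild(events)]
    adm = appdomain_manager_in_config(config)
    if adm:
        alerts.append(f"AppDomainManager override in config: {adm}")
    return alerts

if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The third sample record (MSBuild launched from devenv.exe against a project under C:\src) is included so the MSBuild rule has a benign case to stay quiet on; the non-system drive-letter pattern is the part most likely to need tuning, since data drives also receive those letters.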

Date

Published: Sept. 26, 2024, 12:55 p.m.

Created: Sept. 26, 2024, 12:55 p.m.

Modified: Sept. 26, 2024, 1:10 p.m.

Indicators

ddf84fdc080bd55f6f2b409e596b6f7a040c4ab1eb4b965b3f709a0f7faa4e02

dc03070d50fdd31c89491d139adfb211daf171d03e9e6d88aac43e7ff44e4fef

cb1d2659508a4f50060997ee0e60604598cb38bd2bb90962c6a51d8b798a03b6

b60eb62f6c24d4a495a0dab95cc49624ac5099a2cc21f8bd010a410401ab8cc3

ac044dd9ae8f18d928cf39d24525e2474930faf8e83c6e3ad52496ecab11f510

a3afed0dabefde9bb8f8f905ab24fc2f554aa77e3a94b05ed35cffc20c201e15

8e7f0a51d7593cf76576b767ab03ed331d822c09f6812015550dbd6843853ce7

7566131ce0ecba1710c1a7552491120751b58d6d55f867e61a886b8e5606afc3

7559c440245aeeca28e67b7f13d198ba8add343e8d48df92b7116a337c98b763

5e5a58bfabd96f0c78c1e12fa2625aba9c84aa3bd4c9bb99d079d6ccb6e46650

35db2b34412ad7a1644a8ee82925a88369bc58f6effc11d8ec6d5f81650d897e

2ff420e3d01893868a50162df57e8463d1746d3965b76025ed88db9bb13388af

2d2c2ba0f0d155233cdcbf41a9cf166a6ce9b80a6ab4395821ce658afe04aaba

27914c36fd422528d8370cbbc0e45af1ba2c3aeedca1579d92968649b3f562f7

276a1e9f62e21c675fdad9c7bf0a489560cbd959ac617839aeb9a0bc3cd41366

24fac4ef193014e34fc30f7a4b7ccc0b1232ab02f164f105888aabe06efbacc3

09027fa9653bdf2b4a291071f7e8a72f14d1ba5d0912ed188708f9edd6a084fe

contador.danfajuda.com

fileondemandd.site

Attack Patterns

BBTok

T1547.006 (Boot or Logon Autostart Execution: Kernel Modules and Extensions)

T1543.003 (Create or Modify System Process: Windows Service)

T1497.002 (Virtualization/Sandbox Evasion: User Activity Based Checks)

T1053.005 (Scheduled Task/Job: Scheduled Task)

T1027.002 (Obfuscated Files or Information: Software Packing)

T1497.001 (Virtualization/Sandbox Evasion: System Checks)

T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1012 (Query Registry)

T1518.001 (Software Discovery: Security Software Discovery)

T1562.001 (Impair Defenses: Disable or Modify Tools)

T1204.002 (User Execution: Malicious File)

T1082 (System Information Discovery)

T1105 (Ingress Tool Transfer)

T1205 (Traffic Signaling)

T1055 (Process Injection)

T1140 (Deobfuscate/Decode Files or Information)

T1027 (Obfuscated Files or Information)

T1112 (Modify Registry)

Additional Informations

Brazil