A hard look at BBTok

Sept. 26, 2024, 1:10 p.m.

Description

This analysis dissects the infection chain of BBTok, a threat targeting Brazil. The malware uses an ISO image containing a shortcut file and various components. It employs the Microsoft Build Engine (MSBuild) to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated with ConfuserEx and uses AppDomain Manager Injection for execution. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.

Date

  • Created: Sept. 26, 2024, 12:55 p.m.
  • Published: Sept. 26, 2024, 12:55 p.m.
  • Modified: Sept. 26, 2024, 1:10 p.m.

Indicators


Additional Information

  • Brazil