{
	"id": "db4e0dde-eb12-4d95-bcb1-ed24fe629519",
	"created_at": "2026-04-06T00:14:20.218702Z",
	"updated_at": "2026-04-10T03:20:30.432212Z",
	"deleted_at": null,
	"sha1_hash": "8ea21f78c23179b5c175e8efb7699be3344986bf",
	"title": "A hard look at BBTok",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 358319,
	"plain_text": "A hard look at BBTok\r\nBy Marius Benthin, Karsten Hahn\r\nPublished: 2025-08-11 · Archived: 2026-04-05 16:00:43 UTC\r\n09/26/2024\r\nBBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell\r\nWe break down the full infection chain of the Brazilian-targeted threat BBTok and demonstrate how to deobfuscate the loader DLL using PowerShell, Python, and dnlib.\r\nIn a complex infection chain that starts with an email containing an ISO image, this malware stands out by compiling C# code directly on the infected machine. It also uses a technique known as AppDomain Manager Injection to advance execution. Articles from Checkpoint and TrendMicro describe a similar infection chain and attribute it to the BBTok banker, but to our knowledge, no one has yet published an analysis of the obfuscated .NET-based loader named Trammy.dll.\r\nThe loader writes a log file with obscure keywords onto infected machines; we provide a translation table so that incident responders can decode the logs.\r\nThe obfuscation of Trammy.dll, a ConfuserEx variant, prevents current automatic tools from retrieving the strings. We provide the necessary scripts and commands to deobfuscate them.\r\nIntrusion utilizing the Microsoft Build Engine\r\nRecently, we discovered several malicious ISO images[F1-4] in our telemetry, apparently targeting Brazilian entities. A comment on VirusTotal mentions that they are delivered via email. All these ISOs[F1-4] contain one Windows shortcut file (LNK)[F5] and one folder (see figure 1). Inside the folder we found an executable[F6], an XML file[F7], a PDF[F8] and a ZIP archive[F9].\r\nThe LNK file[F5], DANFE10103128566164.pdf.lnk, links to the executable[F6] in the folder and passes the XML file[F7] as input along with the -nologo option. 
All files inside the ISO[F1] are named \"DANFE10103128566164\", which includes the Portuguese acronym \"DANFE\". The acronym stands for \"Documento Auxiliar da Nota Fiscal Eletrônica\" and refers to a digital invoice usually distributed in PDF format between Brazilian companies.\r\nhttps://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader\r\nPage 1 of 9\r\nThe attackers take advantage of this by disguising the LNK file[F5] with the PDF icon that is embedded in the system's standard Microsoft Edge executable (msedge.exe) to lure targets into executing it.\r\nFigure 1: Content of the ISO image\r\nThe executable, DANFE10103128566164.exe[F6], is a validly signed Microsoft Build Engine version 4.7.3190.0 (MSBuild.exe). The malware uses it to compile the malicious C# code embedded in the XML file[F7] on the infected machine (see figure 2). The result of the compilation is a .NET DLL[F13] that is dropped into the local TEMP folder under a randomized name and executed. Since the plain C# code is included in the XML file[F7], the analysis is straightforward.\r\nFigure 2: XML project file[F7] for Microsoft Build Engine containing the malicious C# code\r\nFirst, the freshly compiled .NET DLL[F13] opens the decoy PDF[F8], which displays a DANFE invoice to the target user. Afterwards, it extracts the ZIP archive[F9] and copies the Microsoft Build Engine[F6] to C:\\ProgramData\\regid.5498-06.com.microsoft[P1] via PowerShell. Finally, it leverages a UAC bypass using ProgIDs together with the auto-elevated system binary computerdefaults.exe to run the Microsoft Build Engine[F6] once again, this time with elevated privileges.\r\nThis time, however, MSBuild.exe[F6] does not compile C# code but loads another DLL, Trammy.dll[F10], based on the project configuration file[F11]. Both are extracted from the previously mentioned ZIP archive[F9]. To prevent repeated execution of the UAC bypass, it creates a local mutex called TiiSbtvhvbCMW.  
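The following scanner is an added example and not code from the G DATA article or from the campaign. It assumes that the C# in the XML file is compiled through MSBuild's inline-task mechanism, i.e. a UsingTask that names CodeTaskFactory (.NET Framework MSBuild) or RoslynCodeTaskFactory (newer MSBuild), which is how MSBuild compiles source embedded in a project file, and it uses a constructed sample project rather than DANFE10103128566164.xml[F7]. It reports every inline task, its language and code type, and the targets that trigger it, which is what a mail gateway or EDR rule on MSBuild.exe command lines needs to decide whether a project file is worth a closer look:

```python
# Added example: not code from the G DATA article. MSBuild compiles C#
# embedded in a project file through a UsingTask that names an inline-code
# task factory (CodeTaskFactory on .NET Framework MSBuild, RoslynCodeTaskFactory
# on newer versions). This scanner parses a project file and reports such
# tasks plus the targets that invoke them. SAMPLE_PROJECT is constructed for
# the demo; it is not the campaign's DANFE10103128566164.xml.
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {'codetaskfactory', 'roslyncodetaskfactory'}

SAMPLE_PROJECT = '''<Project ToolsVersion='4.0' DefaultTargets='Build'
         xmlns='http://schemas.microsoft.com/developer/msbuild/2003'>
  <Target Name='Build'>
    <RunMe />
  </Target>
  <!-- ordinary UsingTask pointing at a compiled assembly: not inline code -->
  <UsingTask TaskName='Csc' AssemblyName='Microsoft.Build.Tasks.v4.0' />
  <!-- inline task: MSBuild compiles the Code body on the build machine -->
  <UsingTask TaskName='RunMe' TaskFactory='CodeTaskFactory'
             AssemblyFile='$(MSBuildToolsPath)/Microsoft.Build.Tasks.v4.0.dll'>
    <Task>
      <Code Type='Fragment' Language='cs'>
        System.Console.WriteLine(42);
      </Code>
    </Task>
  </UsingTask>
</Project>'''


def local_name(tag):
    # ElementTree renders namespaced tags as '{uri}name'; keep only 'name' so
    # the scan works for the 2003 namespace and for namespace-less SDK projects.
    return tag.rsplit('}', 1)[-1]


def find_inline_tasks(project_xml):
    '''Return one record per UsingTask that declares an inline-code factory.'''
    findings = []
    for elem in ET.fromstring(project_xml).iter():
        if local_name(elem.tag) != 'UsingTask':
            continue
        factory = elem.get('TaskFactory', '')
        if factory.lower() not in INLINE_FACTORIES:
            continue
        record = {
            'task_name': elem.get('TaskName', ''),
            'factory': factory,
            'language': 'cs',        # MSBuild defaults when the attributes are absent
            'code_type': 'Fragment',
            'source': '',            # Code may reference an external file instead
            'code': '',
        }
        for child in elem.iter():
            if local_name(child.tag) == 'Code':
                record['language'] = child.get('Language', 'cs')
                record['code_type'] = child.get('Type', 'Fragment')
                record['source'] = child.get('Source', '')
                record['code'] = (child.text or '').strip()
        findings.append(record)
    return findings


def targets_invoking(project_xml, task_name):
    '''Names of the Targets whose body calls task_name, i.e. where the code runs.'''
    names = []
    for elem in ET.fromstring(project_xml).iter():
        if local_name(elem.tag) != 'Target':
            continue
        if any(local_name(child.tag) == task_name for child in elem):
            names.append(elem.get('Name', ''))
    return names


def report(project_xml):
    '''Human-readable summary, one line per inline task.'''
    lines = []
    for rec in find_inline_tasks(project_xml):
        targets = ', '.join(targets_invoking(project_xml, rec['task_name'])) or '(none)'
        lines.append('{} via {} [{} {}] run by target(s): {}; {} bytes of code'.format(
            rec['task_name'], rec['factory'], rec['language'], rec['code_type'],
            targets, len(rec['code'])))
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_PROJECT):
        print(line)
```

A task that is declared but never invoked by a target still deserves attention, since MSBuild can be told to run any target from the command line; the report therefore lists inline tasks even when targets_invoking() returns nothing.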
\r\nFigure 3 shows a comprehensive overview of this part of the infection chain.\r\nFigure 3: Stage 1—Utilizing Microsoft Build Engine to execute .NET DLLs; the letters and numbers in square brackets are references into the IoC table\r\nAppDomain Manager Injection\r\nThe configuration file[F11] declares the class SacApp.SacApp of Trammy.dll[F10] as AppDomainManager (see figure 4), using the appDomainManagerAssembly and appDomainManagerType elements of the runtime section. An AppDomainManager customizes the AppDomain of an application, the isolated environment in which managed code runs. The .NET Framework runtime instantiates the configured type before the application's entry point executes and loads its assembly through normal probing, so dropping Trammy.dll[F10] and the .config file[F11] next to the copied MSBuild.exe[F6] is all the attacker needs: the signed Microsoft binary runs attacker code before MSBuild itself starts.\r\nThat means declaring SacApp.SacApp as AppDomainManager leads to the execution of malicious code in InitializeNewDomain(), a standard method that SacApp.SacApp[F10] overrides. This technique is known as AppDomain Manager Injection. For hunting, a .config file that declares an appDomainManagerType next to a signed Microsoft executable in a user-writable directory such as C:\\ProgramData is a strong signal on its own.\r\nFigure 4: The class SacApp.SacApp is registered as AppDomainManagerType in the .config file[F11]\r\nDeobfuscation of Trammy.dll\r\nDANFE10103128566164.dll[F10] is not packed but obfuscated with ConfuserEx. It has the module name Trammy.dll. Specific deobfuscation tools like NoFuserEx and de4dot-cex remove the control flow flattening but do not automatically retrieve the strings.\r\nThere are five string decoding methods, and each one takes an integer key that it uses to compute the deobfuscated string. After applying de4dot-cex to the DLL, we retrieve all these keys using dnlib and Python. This code searches for pairs of ldc_i4 and call instructions and returns the ldc_i4 operands. 
This may return more than the string decoding keys, but that does not matter for the steps that follow.\r\nWe use dnSpy's IL editing feature to remove the anti-reversing checks from the five string decoding methods. Every method starts with an if statement that checks whether the caller is the current assembly. If it is not, an empty string is returned. Replacing the if statement with NOP instructions allows us to execute the code from PowerShell. Note that this executes code from the malicious assembly inside PowerShell, so it belongs in an isolated analysis VM.\r\nWe recover the strings dynamically for each method using the following PowerShell commands. The variable $nums is an array of all the keys that we extracted with the previous script. The string decoding methods have two characteristics that must be taken into account.\r\n1. They are located in the global type \u003cModule\u003e and cannot be accessed via [namespace.ClassName]::methodname(). So we resolve the string decoding methods via their metadata token instead (here 0x6000005).\r\n2. The string decoding methods have a generic return type, so we must provide the return type via MakeGenericMethod([string]).\r\nThe last command creates a mapping of the keys for the string decoding method to the deobfuscated strings. Every extracted key is tried against every method, so the try-catch swallows the error messages that wrong keys would otherwise print.\r\nWe repeat these commands for all string decoding methods until we have a merged result.txt that contains all keys and decoded strings. This file will also have empty mappings, which we remove by replacing the regex ^.*:\\r\\n$ with nothing. We transform the result into a Python dictionary by replacing ^(-?\\d+):(.*)$ with \\1:r'\\2', (Notepad++ syntax). 
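The same post-processing as a Python function instead of two Notepad++ replacements. This is an added example, not the authors' script; SAMPLE_RESULT is constructed with invented keys and strings, not Trammy.dll's. Beyond the two regex steps it also flags a case the merged result.txt cannot express: the same key decoding to different strings in two decoding methods, which would make the later call-to-ldstr rewrite substitute the wrong string for one of the call sites. It renders the dict with repr() rather than the r'...' form, because a decoded string containing a quote would break the raw-string literal:

```python
# Added example: not the article's own script. It does in Python what the
# article does with two Notepad++ regex replacements: parse the merged
# result.txt (one 'key:decoded string' line per PowerShell invocation), drop
# the empty mappings produced by keys that did not belong to a method, and
# render the dict literal the call-to-ldstr rewrite consumes. SAMPLE_RESULT
# is constructed; its keys and strings are invented, not Trammy.dll's.
CRLF = chr(13) + chr(10)   # PowerShell wrote result.txt with Windows line endings

SAMPLE_RESULT = CRLF.join([
    '1234:GetProcAddress',
    '-77:',                                             # wrong key for this method
    '4096:kernel32.dll',
    '-2048:https://example.invalid/contador/save.php',  # value itself contains ':'
    '1234:GetProcAddress',                              # same key, same string: fine
    '4096:user32.dll',                                  # same key, other string: conflict
    'Exception calling Invoke: wrong key',              # stray PowerShell output
])


def parse_result_text(text):
    '''Return (mapping, conflicts).

    mapping   : {int key: decoded string}, first value wins
    conflicts : {int key: set of distinct strings seen} for keys whose decoded
                string differs between lines; a single merged dict cannot
                express these and the rewrite script would silently pick one.
    '''
    mapping, conflicts = {}, {}
    for raw in text.splitlines():                   # handles CRLF and LF alike
        key_part, sep, value = raw.partition(':')   # split at the FIRST colon only
        if not sep:
            continue                                # not a key:value line
        try:
            key = int(key_part)                     # keys may be negative
        except ValueError:
            continue                                # e.g. a PowerShell error line
        if value == '':
            continue                                # empty mapping: decode failed
        if key in mapping and mapping[key] != value:
            conflicts.setdefault(key, {mapping[key]}).add(value)
            continue
        mapping[key] = value
    return mapping, conflicts


def as_python_literal(mapping, name='STRINGS'):
    '''Render the mapping as Python source. repr() quotes and escapes each
    string correctly, which a raw-string literal would not if a decoded
    string contained a quote.'''
    lines = ['{} = {{'.format(name)]
    for key in sorted(mapping):
        lines.append('    {}: {},'.format(key, repr(mapping[key])))
    lines.append('}')
    return chr(10).join(lines)


if __name__ == '__main__':
    strings, clashes = parse_result_text(SAMPLE_RESULT)
    print(as_python_literal(strings))
    for key, values in clashes.items():
        print('conflict for key', key, '->', sorted(values))
```

If parse_result_text() reports conflicts, key the rewrite on the (decoding method token, key) pair instead of on the key alone; keeping one result file per method avoids the problem entirely.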
Then we slightly modify the previous Python script so that it replaces call instructions to the string decoding functions with ldstr instructions carrying the appropriate deobfuscated string as operand.\r\nWe execute the script on Trammy.dll and successfully deobfuscate the strings. As a final step, we use Simple Assembly Explorer to remove indirect calls by selecting the 'Nothing' profile in the deobfuscator and enabling the 'Direct Call' option.\r\nFigures 5 and 6 show the SacApp.SacApp.InitializeNewDomain method before and after applying string deobfuscation and indirect call removal.\r\nTrammy.dll Analysis\r\nTrammy.dll[F10] starts execution in the method InitializeNewDomain() of SacApp.SacApp because it has been declared as AppDomainManager by the config[F11].\r\nFirst, it opens the decoy PDF[F8]. Then it checks whether the malicious code shall run. Two conditions need to be met:\r\n1. A file named C:\\ProgramData\\internal_drive_version2.3.4.txt must not exist; this is an empty file that will be created later.\r\n2. hxxp://ipwho(dot)is/ must report that the IP is Brazilian.\r\nWhile the first condition ensures that the code is only executed once, the second check confirms that the malware runs in the targeted area, Brazil. That way automatic sandbox systems are hindered from determining maliciousness unless they use Brazilian IPs or proxies, or intercept the ipwho(dot)is lookup and answer it with a Brazilian result.\r\nLog File Translation\r\nThe malware creates a log file in C:\\ProgramData\\log.txt[P3] that encodes stages of execution with specific keywords.\r\nLog entry Meaning\r\nSTART The checks 1. and 2. 
succeeded and the main malicious routine executed\r\nADMIN The malware had admin rights\r\nR Attempted to create the mutex ‘KOKKIIKKKOOOO’\r\nMTX_F The mutex ‘KOKKIIKKKOOOO’ was created successfully\r\nCP CCProxy was downloaded and installed as a service\r\nT OS information was extracted\r\nSV The service that autoruns the Delphi payload as fake explorer.exe[F14] was created\r\nAdditionally, potential exception messages and their stack traces are written to the log.\r\nThat means incident responders can locate this log file to figure out what the malware did to the infected system.\r\nExfiltrated OS Info\r\nTrammy.dll[F10] obtains the following information via Windows Management Instrumentation (WMI) from the ManagementObject Win32_OperatingSystem:\r\nOSVersion\r\nCSName\r\nCaption\r\nVersion\r\nSerialNumber\r\nBuildNumber\r\nOsArchitecture\r\nFurthermore, it obtains the SerialNumber for all Win32_PhysicalMedia objects and appends the string ‘VM’ whenever the serial number is null, most likely used as an indicator that the malware is running in a virtual machine.\r\nThe malware also obtains a list of all antivirus programs. The resulting information is sent to the URL below[U1]:\r\nhxxps://contador(dot)danfajuda(dot)com/contador/save.php\r\nDownload, Decryption and Persistence\r\nNext, Trammy.dll[F10] schedules a task that adds the folder C:\\ProgramData to Windows Defender’s exclusions.\r\nThe DLL contacts the open directory hxxps://fileondemandd(dot)site/[U2] (see figure 8) and downloads the ZIP archive filea.tat[F12].\r\nFigure 8: index of the file storage that contains the ZIP archive filea.tat\r\nThe archive is password protected. The password is vsfdefender and has not been changed in a long time, e.g., the archives in the Checkpoint article from one year ago also use this password (samples are named BBTok by Checkpoint with filenames fe, fe2, and fe235). 
However, this password only succeeds for the files that are actually used by the malware. Attempting to unpack the whole archive with this password results in ‘wrong password’ error messages. Since ZIP encrypts each entry separately, one archive can carry different passwords per entry, and the unused entries presumably use a different one. This could be intentional to thwart brute-forcing of the archive’s password.\r\nWe obtained seven files from the ZIP archive[F12]. Six of them (CCProxy.exe[F15], wke.dll[F16], Web.exe[F17], CCProxy.ini, AccInfo.ini and LeftTime.ini) belong to the CCProxy application developed by Youngzsoft Co., Ltd that can be used, for example, to filter and monitor network traffic. Trammy.dll[F10] extracts all of them to C:\\Program Files\\SearchIndexer[P4] except for Web.exe[F17], which remains unused. CCProxy.exe[F15], masked as Searchlndexer.exe (with a lowercase \"l\" in place of the uppercase \"I\"), is the main application and is registered as a local service which automatically starts on Windows boot. CCProxy.ini and AccInfo.ini configure CCProxy to accept HTTP connections from localhost on port 8118, which is used to disguise the communication with the CnC server[U3]. The wke.dll[F16] is superfluous because it is only required by the non-extracted Web.exe[F17]. The seventh file is named explorer.exe[F14] and was compiled with Embarcadero Delphi 11.0 Alexandria. Trammy.dll[F10] extracts it to the program data folder and registers it as a local service as well. In previous articles (link 1, link 2), the Delphi payload was BBTok.\r\nAfter establishing persistence, Trammy.dll[F10] creates the empty file internal_drive_version2.3.4.txt[P2], which is used to determine whether the code already ran. Then Trammy.dll[F10] displays the default Windows license expiration warning and reboots the system. On reboot, the CCProxy service starts with its custom configuration and the fake explorer.exe[F14] is called with a renamed filea.tat[F12] as argument. 
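An added triage helper, not from the article, that turns the dropped paths and the log keyword table above into a check an incident responder can run against a mounted or copied system drive. It assumes the paths [P1]-[P4], the homoglyph file name Searchlndexer.exe[F15] and the keyword meanings as given in this article; the demo writes a constructed directory layout with an invented log into a temporary directory, so nothing here is taken from a real infected host:

```python
# Added example, not part of the article: a host-triage helper for the
# artefacts the article lists. It checks the dropped paths [P1]-[P4] and the
# homoglyph service binary [F15] below a given system-drive root, and
# translates log.txt [P3] with the article's keyword table. build_sample_tree()
# writes a constructed layout into a temporary directory for the demo; the
# log content there is invented.
import os
import tempfile

# Keyword table from the article (meaning per stage marker).
LOG_MEANING = {
    'START': 'both checks passed (no marker file, ipwho.is said Brazil); main routine ran',
    'ADMIN': 'malware had admin rights',
    'R': 'attempted to create mutex KOKKIIKKKOOOO',
    'MTX_F': 'mutex KOKKIIKKKOOOO created successfully',
    'CP': 'CCProxy downloaded and installed as a service',
    'T': 'OS information extracted',
    'SV': 'service autorunning the Delphi payload as fake explorer.exe created',
}

# Dropped artefacts as path components below the system drive (C: on a real host).
ARTEFACTS = {
    'P1': ('ProgramData', 'regid.5498-06.com.microsoft'),
    'P2': ('ProgramData', 'internal_drive_version2.3.4.txt'),
    'P3': ('ProgramData', 'log.txt'),
    'P4': ('Program Files', 'SearchIndexer'),
    'F15': ('Program Files', 'SearchIndexer', 'Searchlndexer.exe'),  # lowercase L, not I
}


def translate_log(text):
    '''Split log.txt into recognised stage markers and everything else
    (exception messages and stack trace lines land in the same file).'''
    stages, other = [], []
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        if token in LOG_MEANING:
            stages.append((token, LOG_MEANING[token]))
        else:
            other.append(token)
    return stages, other


def check_artefacts(root):
    return {tag: os.path.exists(os.path.join(root, *parts))
            for tag, parts in ARTEFACTS.items()}


def triage(root):
    '''Combine the path checks and the log translation into one verdict dict.'''
    found = check_artefacts(root)
    stages, other = [], []
    if found['P3']:
        with open(os.path.join(root, *ARTEFACTS['P3']), encoding='utf-8',
                  errors='replace') as fh:
            stages, other = translate_log(fh.read())
    reached = [marker for marker, _ in stages]
    notes = []
    if 'R' in reached and 'MTX_F' not in reached:
        notes.append('mutex creation attempted but never confirmed (MTX_F missing)')
    if found['P2'] and 'START' not in reached:
        notes.append('run-once marker present without START: log truncated or replaced?')
    if found['F15'] and 'CP' not in reached:
        notes.append('CCProxy binary on disk but no CP entry: check service registration')
    return {'artefacts': found, 'stages': reached, 'exceptions': other, 'notes': notes}


def build_sample_tree(root):
    '''Constructed layout standing in for an infected system drive (demo only).'''
    os.makedirs(os.path.join(root, 'ProgramData'))
    os.makedirs(os.path.join(root, 'Program Files', 'SearchIndexer'))
    open(os.path.join(root, *ARTEFACTS['P2']), 'w').close()    # empty marker file
    open(os.path.join(root, *ARTEFACTS['F15']), 'wb').close()  # stand-in, no real binary
    log_lines = ['START', 'ADMIN', 'R', 'T',
                 'System.IO.IOException: The process cannot access the file',
                 '   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)']
    with open(os.path.join(root, *ARTEFACTS['P3']), 'w', encoding='utf-8') as fh:
        fh.write(chr(10).join(log_lines))


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == '__main__':
    result = demo()
    print('stages reached:', result['stages'])
    print('artefacts:', result['artefacts'])
    print('notes:', result['notes'])
```

Run triage() with the mount point of the evidence drive as root. The notes only point at inconsistencies between what is on disk and what the log claims; the mutex and the service registrations themselves live in the running OS and the registry and need a separate check.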
Figure 9 shows the overview for this part of the infection chain.\r\nIn our next article, we will describe how the Delphi payload[F14] communicates with the CnC server[U3] via CCProxy using the RealThinClient SDK.\r\nFigure 9: Stage 2 – Download and persistence\r\nHashes\r\n[F1] DANFE10103128566164.iso\r\n09027fa9653bdf2b4a291071f7e8a72f14d1ba5d0912ed188708f9edd6a084fe\r\n[F2] DANFE10103124952781.iso\r\n2ff420e3d01893868a50162df57e8463d1746d3965b76025ed88db9bb13388af\r\n[F3] DANFE10103122718132.iso\r\n5e5a58bfabd96f0c78c1e12fa2625aba9c84aa3bd4c9bb99d079d6ccb6e46650\r\n[F4] DANFE10103121443891.iso\r\ndc03070d50fdd31c89491d139adfb211daf171d03e9e6d88aac43e7ff44e4fef\r\n[F5] DANFE10103128566164.pdf.lnk\r\nddf84fdc080bd55f6f2b409e596b6f7a040c4ab1eb4b965b3f709a0f7faa4e02\r\n[F6] DANFE10103128566164.exe - legitimate MSBuild\r\nb60eb62f6c24d4a495a0dab95cc49624ac5099a2cc21f8bd010a410401ab8cc3\r\n[F7] DANFE10103128566164.xml\r\n7566131ce0ecba1710c1a7552491120751b58d6d55f867e61a886b8e5606afc3\r\n[F8] DANFE10103128566164.pdf - decoy document\r\nac044dd9ae8f18d928cf39d24525e2474930faf8e83c6e3ad52496ecab11f510\r\n[F9] DANFE10103128566164.zip\r\n276a1e9f62e21c675fdad9c7bf0a489560cbd959ac617839aeb9a0bc3cd41366\r\n[F10] DANFE10103128566164.dll - Trammy.dll\r\n24fac4ef193014e34fc30f7a4b7ccc0b1232ab02f164f105888aabe06efbacc3\r\n[F11] DANFE10103128566164.exe.config - registers AppDomainManager\r\n8e7f0a51d7593cf76576b767ab03ed331d822c09f6812015550dbd6843853ce7\r\n[F12] filea.tat - ZIP archive\r\n7559c440245aeeca28e67b7f13d198ba8add343e8d48df92b7116a337c98b763\r\n[F13] .NET DLL after compilation of [F7]\r\na3afed0dabefde9bb8f8f905ab24fc2f554aa77e3a94b05ed35cffc20c201e15\r\n[F14] fake explorer.exe - Delphi 
payload\r\n35db2b34412ad7a1644a8ee82925a88369bc58f6effc11d8ec6d5f81650d897e\r\n[F15] Searchlndexer.exe - CCProxy\r\n27914c36fd422528d8370cbbc0e45af1ba2c3aeedca1579d92968649b3f562f7\r\n[F16] wke.dll\r\n2d2c2ba0f0d155233cdcbf41a9cf166a6ce9b80a6ab4395821ce658afe04aaba\r\n[F17] Web.exe\r\ncb1d2659508a4f50060997ee0e60604598cb38bd2bb90962c6a51d8b798a03b6\r\nURLs\r\n[U1] Malware panel\r\nhxxps://contador.danfajuda(dot)com/contador/save.php?\r\n[U2] File storage\r\nhxxps://fileondemandd(dot)site/\r\n[U3] RTC Portal Gateway\r\nhxxp://pingservice(dot)blogdns(dot)com/myPath\r\nPaths\r\n[P1] C:\\ProgramData\\regid.5498-06.com.microsoft\\\r\n[P2] C:\\ProgramData\\internal_drive_version2.3.4.txt\r\n[P3] C:\\ProgramData\\log.txt\r\n[P4] C:\\Program Files\\SearchIndexer\\\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader"
	],
	"report_names": [
		"38039-bbtok-deobfuscating-net-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ea21f78c23179b5c175e8efb7699be3344986bf.pdf",
		"text": "https://archive.orkl.eu/8ea21f78c23179b5c175e8efb7699be3344986bf.txt",
		"img": "https://archive.orkl.eu/8ea21f78c23179b5c175e8efb7699be3344986bf.jpg"
	}
}