S0528 Javali
Javali is a banking trojan that has targeted Portuguese- and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[1]
| Item | Value |
|---|---|
| ID | S0528 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 09 November 2020 |
| Last Modified | 22 December 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | Javali has used embedded VBScript to download malicious payloads from C2.[1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Javali can download payloads from remote C2 servers.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | Javali can use large obfuscated libraries to hinder detection and analysis.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Javali has been delivered as malicious e-mail attachments.[1] |
| enterprise | T1566.002 | Spearphishing Link | Javali has been delivered via malicious links embedded in e-mails.[1] |
| enterprise | T1057 | Process Discovery | Javali can monitor processes for open browsers and custom banking applications.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | Javali has used the MSI installer to download and execute malicious payloads.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Javali has achieved execution through victims clicking links to malicious websites.[1] |
| enterprise | T1204.002 | Malicious File | Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | Javali can read C2 information from Google Documents and YouTube.[1] |