Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[1]

ID: S0528
Platforms: Windows
Version: 1.0
Created: 09 November 2020
Last Modified: 22 December 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Javali has used embedded VBScript to download malicious payloads from C2.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[1]

Enterprise T1105 Ingress Tool Transfer

Javali can download payloads from remote C2 servers.[1]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Javali can use large obfuscated libraries to hinder detection and analysis.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Javali has been delivered as malicious e-mail attachments.[1]

.002 Phishing: Spearphishing Link

Javali has been delivered via malicious links embedded in e-mails.[1]

Enterprise T1057 Process Discovery

Javali can monitor processes for open browsers and custom banking applications.[1]

Enterprise T1218 .007 Signed Binary Proxy Execution: Msiexec

Javali has used the MSI installer to download and execute malicious payloads.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Javali has achieved execution through victims clicking links to malicious websites.[1]

.002 User Execution: Malicious File

Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Javali can read C2 information from Google Documents and YouTube.[1]