Crypto Wallet MALWARE | Reverse Engineering a malicious MSI and Java Archive Malware Downloader

Learn about a trojanised, backdoored Wasabi Wallet installer that deploys a Java-based malware downloader onto systems through malicious MSI files. Note: It's been noted that this may also be part of 'CryptoShuffler'-like malware. For the Java downloader I've broadly named it `TURS AGENT`. Note 2: Apologies for parts of the audio being fuzzier than others. This was an issue during recording and I didn't have the time or energy to shoot everything again at a higher quality.

** Find me at **
Twitter/X - https://twitter.com/CyberRaiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju

** Tools **
FLARE VM - https://github.com/mandiant/flare-vm
Notepad++ - https://notepad-plus-plus.org/
Urlscan - https://urlscan.io/
Recaf - https://github.com/Col-E/Recaf
Process Hacker - https://processhacker.sourceforge.io/
Fakenet - https://github.com/mandiant/flare-fakenet-ng

** Sample **
https://bazaar.abuse.ch/sample/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43/
https://bazaar.abuse.ch/sample/759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d/
https://www.virustotal.com/gui/file/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43/behavior
https://www.virustotal.com/gui/file/759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d/detection

** Website Scans **
https://urlscan.io/result/d2b5fbfa-33f6-4176-a465-fee83f72b0a1/#transactions
https://urlscan.io/result/0fb6e361-d1fc-4b52-ab8f-8570d64dece7/loading
https://urlscan.io/result/66444ab9-b92e-47ab-b6ee-9fdde7d253d8/
https://urlscan.io/result/df0af64d-0252-4cf0-8aa0-d19ec8a3ea87/
https://urlscan.io/result/17da581b-db0b-4f26-b0f0-a56ca060aed0/

** Further Reading **
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec

** Timestamps **
00:00 - Intro
00:10 - VT behavior analysis
00:53 - Legitimate MSI and website analysis
01:18 - Malicious MSI and website analysis
01:36 - Comparison of MSIs at a glance
02:04 - Locating second stage MSI
02:43 - Extract malicious MSI file using msiexec
03:34 - msiexec commands
04:15 - Malicious MSI file errors
04:48 - 2nd stage MSI analysis
05:18 - Running backdoored wassabee executable
05:30 - Locating malware downloader dropped
06:14 - Confirming legitimate vs malicious wallet activity
06:53 - Analysis of backdoor directory
07:35 - Using Recaf to decompile archive
08:07 - Examining Java classes
08:55 - Locating spoofed user agent
09:35 - File transfer capability
10:00 - Auth class analysis
10:59 - Execute class analysis
11:26 - GetWindowInfo analysis
11:56 - Registry analysis
12:22 - SystemUtils analysis
13:03 - TitleCheck analysis
13:14 - Handler DomainConstants analysis
13:50 - Handler Download analysis
14:14 - Handler HTTPHandler analysis
16:03 - Auth code used to download and run file
16:43 - System information enumeration
17:05 - Interop supporting classes
17:24 - Low VT detection rate
17:50 - Testing JAR and examining process memory
19:10 - Outro

Credits: SFX by Pixabay
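The static part of the workflow above (hash the installers, unpack the legitimate and the suspect MSI with an msiexec administrative install, diff what they drop, then pull URLs and User-Agent strings out of any nested JAR without running it), written out as a PowerShell script. This is an added example, not code from the video or its author; the sample paths under C:\samples and the C:\triage output directory are assumptions, and the Wasabi executable name is not hard-coded because the diff finds whatever changed.

```powershell
# Added example (not from the video). Run only inside an isolated analysis VM (e.g. FLARE VM) with
# FakeNet-NG up: an administrative install (/a) still evaluates the AdminExecuteSequence, so treat it
# as executing the sample. Paths below are assumptions; point them at your own copies.
$Legit = 'C:\samples\Wasabi-legit.msi'    # assumption: installer fetched from the vendor site
$Bad   = 'C:\samples\Wasabi-suspect.msi'  # assumption: the trojanised installer under analysis
$Out   = 'C:\triage'                      # assumption: scratch directory for the unpacked payloads

function Get-AdminInstall {
    # Unpacks an MSI via msiexec /a and returns (relative path, SHA256) for every dropped file.
    param([string]$Msi, [string]$Dir)
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    $log = Join-Path $Dir 'msiexec.log'
    # /a = administrative install (writes the embedded files to TARGETDIR), /qn = no UI, /l*v = verbose log.
    $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
        '/a', "`"$Msi`"", '/qn', "TARGETDIR=`"$Dir`"", '/l*v', "`"$log`""
    )
    # 0 = success, 1603 = fatal error during installation. A broken or partially bundled second-stage
    # MSI often fails here; the log shows which action returned value 3 (failure).
    if ($p.ExitCode -ne 0) {
        Write-Warning "msiexec exited with $($p.ExitCode) for $Msi; see $log"
        Select-String -Path $log -Pattern 'Return value 3|Error' | Select-Object -First 5
    }
    Get-ChildItem -Path $Dir -Recurse -File |
        Where-Object { $_.FullName -ne $log } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($Dir.Length)
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 1. Hash the installers themselves so they can be pivoted on in MalwareBazaar / VirusTotal.
Get-FileHash -Algorithm SHA256 -Path $Legit, $Bad | Format-Table Hash, Path -AutoSize

# 2. Unpack both and diff the payloads. Files that exist only in the suspect MSI (SideIndicator '=>')
#    or whose hash changed are the backdoor and its droppers; identical files are the legitimate wallet.
$legitFiles = Get-AdminInstall -Msi $Legit -Dir (Join-Path $Out 'legit')
$badFiles   = Get-AdminInstall -Msi $Bad   -Dir (Join-Path $Out 'suspect')
Compare-Object -ReferenceObject $legitFiles -DifferenceObject $badFiles -Property Path, Hash |
    Sort-Object Path | Format-Table SideIndicator, Path, Hash -AutoSize

# 3. Any nested .msi or .jar in the suspect tree is the next stage. Read the JAR's manifest and class
#    files straight out of the zip: the class constant pool stores URLs and User-Agent values as
#    (modified) UTF-8, so a regex over the raw bytes surfaces them before any decompilation.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char decoding for the regex
Get-ChildItem -Path (Join-Path $Out 'suspect') -Recurse -Include *.msi, *.jar |
    ForEach-Object { "nested stage: $($_.FullName)" }

Get-ChildItem -Path (Join-Path $Out 'suspect') -Recurse -Filter *.jar | ForEach-Object {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($_.FullName)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '\.class$|MANIFEST\.MF$') { continue }
            $stream = $entry.Open()
            $ms = New-Object System.IO.MemoryStream
            $stream.CopyTo($ms); $stream.Dispose()
            $text = $latin1.GetString($ms.ToArray())
            $pattern = 'Main-Class:[^\r\n]+|User-Agent|Mozilla/[^\x00-\x1f"]+|https?://[^\x00-\x1f"]+'
            foreach ($m in [regex]::Matches($text, $pattern)) {
                '{0}  {1}' -f $entry.FullName, $m.Value
            }
        }
    } finally { $zip.Dispose() }
}
```

The diff in step 2 is what the "comparison of MSIs at a glance" boils down to: the legitimate installer is the reference set, and anything the suspect adds or alters is where to start. Step 3 only reads the archive; actually running the JAR (as the video does at the end) belongs behind FakeNet-NG so the downloader's HTTP traffic, including the spoofed User-Agent, can be observed without reaching the real C2.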