Crypto Wallet MALWARE | Reverse Engineering a malicious MSI and Java Archive Malware Downloader
Author: Jai Minton - CyberRaiju
Uploaded: 2024-05-11
Views: 1012
Learn about a trojanised, backdoored Wasabi Wallet that deploys a Java-based malware downloader onto systems through malicious MSI files.
Note: It has been noted that this may also be part of 'CryptoShuffler'-like malware. For the Java downloader, I have broadly named it `TURS AGENT`.
Note 2: Apologies for parts of the audio being more fuzzy than others. This was an issue during recording and I didn't have the time or energy to shoot everything again at a higher quality.
** Find me at **
Twitter/X - /cyberraiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju
** Tools **
FLARE VM - https://github.com/mandiant/flare-vm
Notepad++ - https://notepad-plus-plus.org/
Urlscan - https://urlscan.io/
Recaf - https://github.com/Col-E/Recaf
Process Hacker - https://processhacker.sourceforge.io/
Fakenet - https://github.com/mandiant/flare-fak...
** Sample **
https://bazaar.abuse.ch/sample/fdf228...
https://bazaar.abuse.ch/sample/759d8e...
https://www.virustotal.com/gui/file/f...
https://www.virustotal.com/gui/file/7...
** Website Scans **
https://urlscan.io/result/d2b5fbfa-33...
https://urlscan.io/result/0fb6e361-d1...
https://urlscan.io/result/66444ab9-b9...
https://urlscan.io/result/df0af64d-02...
https://urlscan.io/result/17da581b-db...
** Further Reading **
https://learn.microsoft.com/en-us/win...
** Timestamps **
00:00 - Intro
00:10 - VT behavior analysis
00:53 - Legitimate MSI and website analysis
01:18 - Malicious MSI and website analysis
01:36 - Comparison of MSIs at a glance
02:04 - Locating second stage MSI
02:43 - Extract malicious MSI file using msiexec
03:34 - msiexec commands
04:15 - Malicious MSI file errors
04:48 - 2nd stage MSI analysis
05:18 - Running backdoored wassabee executable
05:30 - Locating malware downloader dropped
06:14 - Confirming legitimate vs malicious wallet activity
06:53 - Analysis of backdoor directory
07:35 - Using recaf to decompile archive
08:07 - Examining Java classes
08:55 - Locating spoofed user agent
09:35 - File transfer capability
10:00 - Auth class analysis
10:59 - Execute class analysis
11:26 - GetWindowInfo analysis
11:56 - Registry analysis
12:22 - SystemUtils analysis
13:03 - TitleCheck analysis
13:14 - Handler DomainConstants analysis
13:50 - Handler Download analysis
14:14 - Handler HTTPHandler analysis
16:03 - Auth code used to download and run file
16:43 - System information enumeration
17:05 - Interop supporting classes
17:24 - Low VT detection rate
17:50 - Testing JAR and examining process memory
19:10 - Outro
Credits:
SFX by Pixabay