Severity
High
Analysis Summary
If UAC is running, when you attempt to extract the archive it will fail to place the malware in the C:\ProgramData folder due to lack of permissions. This will cause WinRAR to display an error stating “Access is denied” and “operation failed” as shown below.
On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, the extraction succeeds and the malware is written to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.
Now that CMSTray.exe has been extracted to the Startup folder, it will be launched on the next login.
Once launched, it copies itself to %Temp%\wbssrv.exe and executes that copy.
Launching %Temp%\wbssrv.exe
Once launched, the malware will connect to http://138.204.171.108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim’s computer.
Downloading Cobalt Strike Beacon DLL
Once the DLL is loaded, the attackers will be able to access your computer remotely, execute commands, and spread to other computers on your network.
Impact
Command execution
System access
Indicators of Compromise
IP(s) / Hostname(s)
138.204.171.108
URLs
http://138.204.171.108/BxjL5iKld8.zip
Malware Hash (MD5/SHA1/SHA256)
2a09056cb4615a53b27aed19793f2d91f5fb497fdf4f6be6cce6c6abac48f707
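The following host triage script is an added example, not part of the advisory, that checks a Windows host for the artifacts described in the analysis summary and the indicators listed above: the dropper in the all-users Startup folder, the wbssrv.exe copy in each profile's %Temp%, the published SHA256, and live connections to the C2 address. It assumes PowerShell 5.1 or later and local administrator rights (needed to read other users' Temp folders and to map connections to owning processes).

```powershell
# Added triage script (not from the advisory). Looks for the on-disk artifacts,
# the published file hash and the C2 address on the local host.
$Ioc = @{
    Sha256 = '2a09056cb4615a53b27aed19793f2d91f5fb497fdf4f6be6cce6c6abac48f707'
    C2     = '138.204.171.108'
}
$Findings = @()

# 1. Dropper written to the all-users Startup folder during extraction.
$startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe'

# 2. Second-stage copy in %Temp%. Enumerate every profile rather than only the
#    current user's, because the copy lands in the Temp of whoever logged in.
$tempCopies = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\wbssrv.exe' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName

foreach ($path in (@($startup) + @($tempCopies) | Where-Object { $_ })) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $Findings += [pscustomobject]@{
            Type    = 'File'
            Value   = $path
            Matched = ($hash -eq $Ioc.Sha256)   # exact sample vs. same name, different content
            Detail  = $hash
        }
    }
}

# 3. Live TCP connections to the C2 address (the summary shows the download over HTTP).
Get-NetTCPConnection -RemoteAddress $Ioc.C2 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $Findings += [pscustomobject]@{
        Type    = 'Network'
        Value   = "$($_.RemoteAddress):$($_.RemotePort)"
        Matched = $true
        Detail  = "pid $($_.OwningProcess) $($proc.ProcessName)"
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No indicators from this advisory found.' }
```

A file hit with Matched set to False means a file of that name exists but does not match the published sample, which still warrants manual review since the dropper may be repacked.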
Remediation