MSIL/CodeWall.B!tr
Analysis
MSIL/CodeWall.B!tr is a generic detection for a trojan; the MSIL prefix indicates a .NET (Microsoft Intermediate Language) executable. A trojan is a type of malware that performs activities without the user's knowledge.
Since this is a generic detection, samples detected as MSIL/CodeWall.B!tr may behave differently from one another.
Below are some of its observed characteristics/behaviours:
- Upon execution, this malware drops copies of itself into the user's AppData folders (listed below). It creates an autorun registry entry so that it is launched again at startup, which gives it persistence. It also disables zone checking by setting the SEE_MASK_NOZONECHECKS environment variable in the registry; this suppresses the "Open File - Security Warning" dialog that Windows would otherwise show before running a file that carries a mark-of-the-web. Finally, the malware runs the dropped copy and uses netsh.exe to add the malicious file to the Windows Firewall allowed-programs list, so that its network traffic is not blocked.
- This malware drops the following files:
- %AppData%\Roaming\Internet8.exe : This file is the copy of the original malware.
- %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7fb67d809a0531e3b83397c642dffd76.exe : This file is the copy of the original malware.
- This malware applies the following registry modifications:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Value: 7fb67d809a0531e3b83397c642dffd76
- Data: ""C:\Users\A\AppData\Roaming\Internet8.exe" .."
- HKEY_CURRENT_USER\Environment
- Value: SEE_MASK_NOZONECHECKS
- Data: "1"
- Below are images of the malware:
- Figure 1: Utilizing netsh.exe to bypass the firewall.
- Following are some of the exact file hashes associated with this detection:
- MD5: a6bb1f8f0e3aef666f023d88e0d30fc3
- SHA256: 995bc8d3c153dac9c781ef027c029fe8cd8765084e029a0a98432c8960beceb1
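The behaviours above (Run-key persistence pointing into AppData, SEE_MASK_NOZONECHECKS set to 1, a Startup-folder drop, and netsh.exe adding an allowed program) can be hunted for in endpoint telemetry. The script below is an added example, not Fortinet's code or part of this entry: it runs simple detection rules over constructed Sysmon-style event records (process create, file create, registry value set) and correlates a Run-key path with a netsh firewall exception for the same executable. The event layout, field names and sample events are assumptions made for the example; only the hashes, paths and registry values come from the entry above. It also accepts the newer "netsh advfirewall ... program=" form, which this entry does not show.

```python
"""Hunt for the MSIL/CodeWall.B!tr behaviours in Sysmon-style events (added example)."""
import re

# Indicators copied from the entry above
KNOWN_MD5 = {"a6bb1f8f0e3aef666f023d88e0d30fc3"}
KNOWN_SHA256 = {"995bc8d3c153dac9c781ef027c029fe8cd8765084e029a0a98432c8960beceb1"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
# Legacy "netsh firewall add allowedprogram" and the newer advfirewall "program=" form (assumption:
# the advfirewall syntax is not shown in this entry but is the equivalent on current Windows)
NETSH_RE = re.compile(
    r"netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule\b.*\bprogram=)",
    re.I,
)
QUOTED_PATH_RE = re.compile(r'"([^"]+\.exe)"', re.I)
WIN_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)


def exe_from_cmdline(cmdline):
    """Return the first quoted .exe path in command-line style data, else the first token."""
    m = QUOTED_PATH_RE.search(cmdline)
    if m:
        return m.group(1)
    parts = cmdline.split()
    return parts[0] if parts else ""


def windows_paths(cmdline):
    """All Windows .exe paths in a command line, excluding netsh.exe itself."""
    return [p for p in WIN_PATH_RE.findall(cmdline) if not p.lower().endswith("\\netsh.exe")]


def analyze(events):
    """Return (rule_name, detail) findings for the behaviours described in the entry."""
    findings = []
    persist_paths, firewall_paths = set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "RegistryValueSet":  # Sysmon event ID 13
            key, value, data = ev["key"], ev["value"], ev["data"]
            if RUN_KEY_RE.search(key) and APPDATA_RE.search(data):
                path = exe_from_cmdline(data)
                persist_paths.add(path.lower())
                findings.append(("run_key_persistence", f"{key}\\{value} -> {path}"))
            if key.lower().endswith("\\environment") and value.upper() == "SEE_MASK_NOZONECHECKS" \
                    and data.strip() == "1":
                findings.append(("zone_check_disabled", f"{key}\\{value}={data}"))
        elif kind == "ProcessCreate":  # Sysmon event ID 1
            cmd = ev["cmdline"]
            if NETSH_RE.search(cmd):
                for p in windows_paths(cmd):
                    firewall_paths.add(p.lower())
                    findings.append(("firewall_allow_program", p))
            if ev.get("md5", "").lower() in KNOWN_MD5 or ev.get("sha256", "").lower() in KNOWN_SHA256:
                findings.append(("known_hash", ev["image"]))
        elif kind == "FileCreate":  # Sysmon event ID 11
            if STARTUP_RE.search(ev["path"]) and ev["path"].lower().endswith(".exe"):
                findings.append(("startup_folder_drop", ev["path"]))
    # The same executable both persisted via Run and excepted from the firewall is the full chain
    for p in sorted(persist_paths & firewall_paths):
        findings.append(("correlated_persistence_and_firewall_bypass", p))
    return findings


# Constructed sample events (not real telemetry); values mirror the entry above
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Users\A\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\A\Downloads\invoice.exe"',
     "md5": "a6bb1f8f0e3aef666f023d88e0d30fc3",
     "sha256": "995bc8d3c153dac9c781ef027c029fe8cd8765084e029a0a98432c8960beceb1"},
    {"type": "FileCreate", "path": r"C:\Users\A\AppData\Roaming\Internet8.exe"},
    {"type": "FileCreate", "path": r"C:\Users\A\AppData\Roaming\Microsoft\Windows\Start Menu"
                                   r"\Programs\Startup\7fb67d809a0531e3b83397c642dffd76.exe"},
    {"type": "RegistryValueSet", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "7fb67d809a0531e3b83397c642dffd76",
     "data": r'"C:\Users\A\AppData\Roaming\Internet8.exe" ..'},
    {"type": "RegistryValueSet", "key": r"HKCU\Environment",
     "value": "SEE_MASK_NOZONECHECKS", "data": "1"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\A\AppData\Roaming\Internet8.exe" Internet8 ENABLE'},
    # Benign noise that must not trigger
    {"type": "RegistryValueSet", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:45s} {detail}")
```

The Run-key rule keys on a data value under AppData\Roaming rather than on the specific value name, since the value name here is a hash that will differ between samples of a generic detection; the correlation step is what separates this chain from a single benign firewall exception.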
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR