# WMIGhost / Wimmie - WMI malware

**secrary.com/ReversingMalware/WMIGhost/**

[cd ../reverse_engineering_malware](https://secrary.com/ReversingMalware)

5 minutes read

The WMIGhost / Wimmie sample is from [theZoo](https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost).

SHA256: `a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206`

The sample has a `.dll` extension, but there are no exports and, according to the PE characteristics, it's not a DLL file, so I've changed the extension to `.exe`.

[We can use the report from hybrid-analysis.](https://www.hybrid-analysis.com/sample/a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206?environmentId=100)

There is no protection, let's dive in deep.

-----

From the beginning, it decrypts text using XOR with `0x63` and `0xE9`:

Decrypted text:

-----

Raw format: [Gist link](https://gist.github.com/secrary/8705c3cf184aec54f370c5704742602d)

[Much more readable: Gist link](https://gist.github.com/secrary/a67efdd15cdddc5e39fa2ce75fcf16c9)

NOTE: you can use my script to extract the decrypted text from the executable: [Gist link.](https://gist.github.com/secrary/c4fd3273a24da449795cc47f2e4378ef)

The malware uses the `CoCreateInstance` function to get access to COM functionality. The Microsoft Component Object Model (COM) is an interface standard that makes it possible for different software components to call each other's code without knowledge of specifics about each other.

-----

MS Script Control is provided in `msscript.ocx`. It is a very handy tool to run VBScript/JScript without relying on `CScript.exe` or `WScript.exe`.

It seems the malware uses Script Control via COM to execute the decrypted function without `CScript.exe` or `WScript.exe`.

`call dword ptr [ecx+20h]` calls some function from `msscript.ocx`, but I have no idea which function, there are no symbols, but I think it chooses `javascript` to execute the script:

[(Click here to view a larger version)](https://user-images.githubusercontent.com/16405698/28249463-6871beac-6a67-11e7-94ad-945a832fa954.png)

-----

After this, at `00401AB7`, there is another call to a function from `msscript.ocx`:

I think this function is used to execute the script because it causes creation of a new process, `scrcons.exe`.

According to TrendMicro's great [paper](https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf):

-----

```
Based on our analysis of using JS, the application wscript.exe is responsible for executing the malicious code. However, in the case of WMI implementation, such a script is executed by the WMI Standard Event Consumer - scripting application, which can be found in the WMI folder in %system32%/wbem/scrcons.exe. This makes the script hard to detect since it uses a not-so-common WMI application—scrcons.exe—rather than the traditional JS application—wscript.exe.
```

Yes, the sample uses WMI and executes the script using `scrcons.exe`.

After creation of the new process, it also creates the `httpcom.log` file and writes the infection date:

Before exit it tries to delete `instell.exe`, without success:

That's the executable; let's look at the [script](https://gist.github.com/secrary/8153a0cb8b4954429e1c430ad4821f96):

-----

[(Click here to view a larger version)](https://user-images.githubusercontent.com/16405698/28249667-413e6bba-6a6b-11e7-93a3-d66baabe0716.png)

It creates an instance of `ActiveScriptEventConsumer` under the `root\subscription` namespace and executes the JavaScript script every `0x6e3` milliseconds. You can get the script from the [Gist](https://gist.github.com/secrary/a67efdd15cdddc5e39fa2ce75fcf16c9) or get it using WMI Explorer: it's under the `ROOT\subscription` namespace, the class is `ActiveScriptEventConsumer`, the name of the instance is `ProbeScriptFint`, and the script is the value of the `ScriptText` property.

[(Click here to view a larger version)](https://user-images.githubusercontent.com/16405698/28249657-01e2eb12-6a6b-11e7-8f9b-1d965588f3fd.png)

WMI classes stored in the `subscription` namespace allow permanent and general access to WMI services.

`new MAIN().Fire()` causes execution of the `MAIN` routine:

-----

`CleanObjects` terminates execution of the script:

Parses URLs from the argument and sends information about the infected PC:

-----

Receives commands and sends results:

-----

If you prefer, you can dive deeper into the script; it's not obfuscated and is easy to analyze.

That's all... WMIGhost / Wimmie is a very interesting malware: it uses WMI to achieve persistence and get system-related information, and the script is not on the disk.

We can get information about WMI Database Entries using Autoruns:

Maybe I overlooked something related to WMIGhost due to my limited knowledge; if you find something interesting please contact me. I'm new to reversing malware and any kind of feedback is helpful for me.
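As an added example (not from the original post), the PowerShell below enumerates the `root\subscription` namespace on a host to surface the filter, binding and `ActiveScriptEventConsumer` instance of the kind described above, and dumps each consumer's `ScriptText` for analysis. `ProbeScriptFint` in the commented removal lines is the instance name from this sample; the output path under `$env:TEMP` is an assumption.

```powershell
# Added example (not from the original post): list permanent WMI event
# subscriptions in root\subscription and flag script-based consumers, which is
# where this sample's ActiveScriptEventConsumer instance "ProbeScriptFint" lives.
# Run from an elevated PowerShell 3.0+ session (Get-CimInstance).
$ns = 'root\subscription'

Write-Host "== __EventFilter (what triggers the consumer) =="
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    Format-Table Name, Query -AutoSize -Wrap

Write-Host "== __FilterToConsumerBinding (filter -> consumer) =="
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Format-Table Filter, Consumer -AutoSize -Wrap

Write-Host "== ActiveScriptEventConsumer (inline script executed by scrcons.exe) =="
$scriptConsumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $scriptConsumers) {
    # Any instance here deserves a look: most workstations have none at all.
    Write-Host ("[!] {0}  engine={1}  script length={2}" -f $c.Name, $c.ScriptingEngine, $c.ScriptText.Length)
    # The script body lives only in the WMI repository, not as a file on disk,
    # so write it out (assumed path) for static analysis.
    $safeName = $c.Name -replace '[^\w.-]', '_'
    $out = Join-Path $env:TEMP ("wmi_consumer_{0}.txt" -f $safeName)
    Set-Content -Path $out -Value $c.ScriptText -Encoding UTF8
    Write-Host "    ScriptText written to $out"
}

# CommandLineEventConsumer is the other common persistence consumer; show it too.
Write-Host "== CommandLineEventConsumer =="
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Format-Table Name, CommandLineTemplate -AutoSize -Wrap

# Removal, once a subscription is confirmed malicious: delete the binding first,
# then the consumer and its filter (instance name from this sample; adjust as needed).
# Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
#     Where-Object { $_.Consumer.Name -eq 'ProbeScriptFint' } | Remove-CimInstance
# Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -Filter "Name='ProbeScriptFint'" |
#     Remove-CimInstance
```

Autoruns shows the same entries under its WMI tab; the script above adds the consumer's script body, which is what you need to confirm what the subscription actually runs.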
Twitter: [@_qaz_qaz](https://twitter.com/_qaz_qaz)

**Resources:**

[Understanding WMI Malware](https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf)

-----