WMIGhost / Wimmie - WMI malware
https://secrary.com/ReversingMalware/WMIGhost/

The WMIGhost / Wimmie sample is from theZoo: https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost

SHA256: a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206

The sample has a .dll extension, but it has no exports and, according to the PE Characteristics field, it is not a DLL, so I changed the extension to .exe. We can use the report from hybrid-analysis: https://www.hybrid-analysis.com/sample/a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206?environmentId=100

There is no protection, so let's dive in.

From the beginning, it decrypts text using XOR with the single-byte keys 0x63 and 0xE9:

Decrypted text, raw format: https://gist.github.com/secrary/8705c3cf184aec54f370c5704742602d
Much more readable: https://gist.github.com/secrary/a67efdd15cdddc5e39fa2ce75fcf16c9

NOTE: you can use my script to extract the decrypted text from the executable: https://gist.github.com/secrary/c4fd3273a24da449795cc47f2e4378ef

The malware uses the CoCreateInstance function to get access to COM functionality. The Microsoft Component Object Model (COM) is an interface standard that makes it possible for different software components to call each other's code without knowledge of specifics about each other.

MS Script Control is provided by msscript.ocx. It is a very handy tool for running VBScript/JScript without relying on CScript.exe or WScript.exe. It seems the malware uses Script Control via COM to execute the decrypted script without CScript.exe or WScript.exe.
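As an added example (not the author's extraction script linked above, and not code from the sample), here is a PowerShell helper that performs the same single-byte XOR decode and pulls out printable runs, plus a scorer that ranks candidate keys by how much printable text they yield. The input blob is constructed inline so it runs offline; the candidate list is an assumption: the two keys the post names, plus their combination 0x8A, because XOR with 0x63 followed by XOR with 0xE9 on the same bytes is the same as one XOR with 0x63 xor 0xE9.

```powershell
# Added example: single-byte XOR string extraction of the kind used to recover
# WMIGhost's 0x63 / 0xE9 encrypted text. Not the author's script; the sample
# bytes below are constructed for the demo, not taken from the binary.

function Get-XorStrings {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][byte]$Key,
        [int]$MinLength = 6
    )
    # XOR every byte with the key, then keep runs of printable ASCII.
    # Latin-1 decoding keeps bytes >= 0x80 out of the printable range
    # (ASCII decoding would turn them into '?', which is printable).
    $decoded = [byte[]]($Bytes | ForEach-Object { $_ -bxor $Key })
    $text    = [System.Text.Encoding]::GetEncoding(28591).GetString($decoded)
    [regex]::Matches($text, "[\x20-\x7e]{$MinLength,}") | ForEach-Object { $_.Value }
}

function Get-XorKeyRanking {
    # Score each candidate key by the fraction of printable bytes it produces;
    # the right key stands out because real strings are mostly printable.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int[]]$Candidates = (0..255)
    )
    $Candidates | ForEach-Object {
        $k = $_
        $printable = @($Bytes | Where-Object { ($_ -bxor $k) -ge 0x20 -and ($_ -bxor $k) -le 0x7e }).Count
        [pscustomobject]@{
            Key   = '0x{0:X2}' -f $k
            Ratio = [math]::Round($printable / $Bytes.Length, 3)
        }
    } | Sort-Object Ratio -Descending
}

# --- demo on constructed data ----------------------------------------------
# A plausible fragment of decrypted content (constructed for this example).
$plain = [System.Text.Encoding]::ASCII.GetBytes('root\subscription ActiveScriptEventConsumer ProbeScriptFint')
$blob  = [byte[]]($plain | ForEach-Object { $_ -bxor 0x63 })      # "encrypt" with 0x63
# Surround it with bytes that stay non-printable under 0x63 so the scorer has noise.
$blob  = [byte[]]((0xFF, 0x90, 0x80, 0x85) + $blob + (0xFF, 0x80))

# Keys worth trying first: the two the sample uses, and their composition.
$keys = 0x63, 0xE9, (0x63 -bxor 0xE9)    # 0x63 -bxor 0xE9 = 0x8A

Get-XorKeyRanking -Bytes $blob -Candidates $keys | Format-Table -AutoSize
Get-XorStrings -Bytes $blob -Key 0x63
```

Against a real binary, read the file with [System.IO.File]::ReadAllBytes and pass the full byte array; with the default 0..255 candidate list the ranking also serves as a brute force when the key is not known.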
call dword ptr [ecx+20h] calls some function from msscript.ocx. There are no symbols, so I cannot name it from the disassembly alone, but I think it selects JScript as the language for the script it is about to run. A quick check of the vtable supports that: 0x20 / 4 is slot 8; IScriptControl derives from IDispatch, whose seven methods (IUnknown's three plus IDispatch's four) fill slots 0 to 6, and in msscript.h the next two slots are get_Language and put_Language, so slot 8 is put_Language.

Screenshot: https://user-images.githubusercontent.com/16405698/28249463-6871beac-6a67-11e7-94ad-945a832fa954.png

After this, at 00401AB7, there is another call into msscript.ocx. I think this function executes the script, because it results in the creation of a new process, scrcons.exe. TrendMicro's great paper (https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf) explains why:

"Based on our analysis of using JS, the application wscript.exe is responsible for executing the malicious code. However, in the case of WMI implementation, such a script is executed by the WMI Standard Event Consumer - scripting application, which can be found in the WMI folder in %system32%/wbem/scrcons.exe. This makes the script hard to detect since it uses a not-so-common WMI application—scrcons.exe—rather than the traditional JS application—wscript.exe."

Yes, the sample uses WMI and executes the script using scrcons.exe. Note the division of labour: the script that Script Control runs inside the malware's own process only registers the WMI event subscription; scrcons.exe is the host process WMI then launches to run the consumer's script.

After the new process is created, it also creates an httpcom.log file and writes the infection date. Before exiting it tries to delete instell.exe, without success.

That's the executable; let's look at the script: https://gist.github.com/secrary/8153a0cb8b4954429e1c430ad4821f96

Screenshot: https://user-images.githubusercontent.com/16405698/28249667-413e6bba-6a6b-11e7-93a3-d66baabe0716.png

It creates an instance of ActiveScriptEventConsumer under the root\subscription namespace and executes the JScript every 0x6e3 (1763) milliseconds. You can get the script from the Gist (https://gist.github.com/secrary/a67efdd15cdddc5e39fa2ce75fcf16c9) or pull it with WMI Explorer (https://wmie.codeplex.com/): it's under the ROOT\subscription namespace, the class is ActiveScriptEventConsumer, the name of the instance is ProbeScriptFint, and the script is the value of the ScriptText property.
Screenshot: https://user-images.githubusercontent.com/16405698/28249657-01e2eb12-6a6b-11e7-8f9b-1d965588f3fd.png

The classes in the root\subscription namespace implement WMI permanent event subscriptions: a filter, a consumer and a binding stored in the WMI repository, so the subscription survives reboots and the consumer's script runs without any file on disk. new MAIN().Fire() causes execution of the MAIN routine.

CleanObjects terminates execution of the script. The script parses URLs from its argument and sends information about the infected PC, then receives commands and sends results. Here is the HTTP traffic captured while the script ran against a fake web server (transcribed from the screenshot; a few characters in the request paths did not survive, and the hosts are the blog feeds it polls for commands):

    [New request on port 80.]
    GET /The-first—blog—bi/R$$—hbi-res2—-posts.htm HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5
    Accept-Encoding: gzip, deflate
    Host: kumardeep.soshlogs.com
    Connection: Keep-Alive
    [Sent http response to client.]
    [Received new connection on port: 80.]
    [New request on port 80.]
    GET /anilchopra/feed/ HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5
    Accept-Encoding: gzip, deflate
    Host: blogs.rediff.com
    Connection: Keep-Alive
    [Sent http response to client.]
    [Received new connection on port: 80.]
    [New request on port 80.]
    GET /kapoorsunil@?/profile/rss HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5
    Accept-Encoding: gzip, deflate
    Host: www.blogster.com
    Connection: Keep-Alive

If you prefer, you can dive deeper into the script; it's not obfuscated and is easy to analyze.

That's all. WMIGhost / Wimmie is a very interesting piece of malware: it uses WMI to achieve persistence and to collect system information, and the script is never on disk.
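The practical follow-up to the point above is to look in the WMI repository rather than on disk. The following PowerShell is an added example (not from the original post, not code from the sample): it enumerates the permanent event subscriptions in root\subscription, joins each binding to its filter and consumer, prints the head of the consumer's ScriptText, lists any interval timers, and can remove a whole chain by consumer name. The post only shows ActiveScriptEventConsumer; the example also flags CommandLineEventConsumer, which is the other consumer class that executes attacker-supplied commands, and it assumes the filter is timer-driven when it looks for __IntervalTimerInstruction.

```powershell
# Added example: hunt for and remove WMI permanent event subscriptions of the
# kind WMIGhost installs (filter -> ActiveScriptEventConsumer -> binding).
# Not the author's code. Run from an elevated prompt.

$Namespace = 'root\subscription'

function Get-WmiSubscriptionChain {
    # Join every __FilterToConsumerBinding to its filter and consumer. The
    # Consumer/Filter properties are references; Get-CimInstance exposes them
    # as instances whose key property (Name) is populated.
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $class = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }

        # ScriptText is where the in-memory payload lives; show only its head.
        $payload = $null
        if ($c.ScriptText) {
            $payload = $c.ScriptText.Substring(0, [Math]::Min(120, $c.ScriptText.Length))
        } elseif ($c.CommandLineTemplate) {
            $payload = $c.CommandLineTemplate
        }

        [pscustomobject]@{
            Consumer   = $b.Consumer.Name
            Class      = $class
            Engine     = $c.ScriptingEngine        # 'JScript' for this sample
            Filter     = $b.Filter.Name
            Query      = $f.Query
            Payload    = $payload
            # Script and command-line consumers execute attacker-controlled code;
            # ActiveScriptEventConsumer is hosted by scrcons.exe.
            Suspicious = $class -in @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')
        }
    }
}

function Get-WmiTimerInstruction {
    # A filter like "SELECT * FROM __TimerEvent WHERE TimerId = ..." is driven by
    # one of these; IntervalBetweenEvents is in milliseconds (0x6e3 = 1763 in
    # the write-up, assuming the sample's filter is timer based).
    Get-CimInstance -Namespace $Namespace -ClassName __IntervalTimerInstruction -ErrorAction SilentlyContinue |
        Select-Object TimerId, IntervalBetweenEvents
}

function Remove-WmiSubscriptionChain {
    param([Parameter(Mandatory)][string]$ConsumerName)
    # Delete the binding first, then the filter and consumer it pointed at.
    $bindings = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Consumer.Name -eq $ConsumerName }
    foreach ($b in $bindings) {
        $filterName = $b.Filter.Name
        Remove-CimInstance -InputObject $b
        Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
            Where-Object { $_.Name -eq $filterName } | Remove-CimInstance
    }
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } | Remove-CimInstance
}

# --- usage -------------------------------------------------------------------
Get-WmiSubscriptionChain | Where-Object Suspicious | Format-List
Get-WmiTimerInstruction
# scrcons.exe is not normally resident; its presence alongside a script consumer
# is exactly the combination the write-up describes.
Get-Process -Name scrcons -ErrorAction SilentlyContinue | Select-Object Id, StartTime, Path
# After confirming the hit (the instance name from the sample):
# Remove-WmiSubscriptionChain -ConsumerName 'ProbeScriptFint'
```

The removal order matters: deleting the consumer while a binding still references it leaves a dangling binding in the repository, so the binding goes first. Keep a copy of the full ScriptText (the Payload column is truncated) before removing anything, since that property is the only place the payload exists.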
We can also get information about WMI Database Entries using Autoruns.

Maybe I overlooked something related to WMIGhost due to my limited knowledge; if you find something interesting, please contact me. I'm new to reversing malware and any kind of feedback is helpful for me.

Twitter: @_qaz_qaz (https://twitter.com/_qaz_qaz)

Resources:
Understanding WMI Malware (TrendMicro): https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf