This is all about malware analysis, reverse engineering and some cool stuff

Saturday, 6 February 2016

Analysis of malware using WMI Query Language

February 06, 2016 Posted by SDKHERE , , , , No comments

The malware is an extremely dangerous Trojan horse that invades your system deeply. Once infected, your PC would start behaving strangely and slowly. This is capable of changing windows files and registry keys, damages your PC by changing default settings, occupy storage by spreading itself, downloads the advertisement and connects to various sites to overload the network.

Fig1 : Workflow

The malware extracts itself at “%USERPROFILE%\<random_chars>” with the name of winlogon.exe and execute it.
The extracted file or the core file is compiled with Visual Basic P-Code which opens Internet Explorer and tries to connect with the malicious websites. The core file is also executes the some WMI queries to perform malicious activities like to block the AV processes, modifies the registry etc.

The malware makes the copies of itself at the below locations:

C:\Documents and Settings\Administrator\Start Menu\Fax y Esc\xE1ner de Windows.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Update.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Windows Media Center.exe
C:\Documents and Settings\All Users\Start Menu\Windows DVD Maker.exe

It creates a directory of random characters in %TEMP% having size 2.33 GB.
The directory has six sub-directories of name FOTOS, JUEGOS, LIBROS, MUSICA, PELICULAS, PROGRAMAS.

Fig2: Shared directories in %TEMP%

The sub-directories has given the shared accesses so it can be accessible throughout the network.
Each sub-directory shown in above figure has 100 above files of respective type and different extensions which are nothing but the copies of the malware (winlogon.exe).
The MUSICA directory has the music files with .mp3 extension which are the copies of malware.

Fig3 : malware copies

After the infection, the malware disables the following system tools by changing the respective registry:

Disable Action Center
Disable Run
Disable Folder Option from explorer
Disable Registry Editor
Disable Task Manager
Disable Command Prompt
Disable Security Alerts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiSpyWareDisableNotify
Disable Windows Firewall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
Disable Update Notification
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AutoUpdateDisableNotify
Disable System Restore
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

The malware spreads itself through various medium:

  • Using USB
  • Peer to Peer network
  • Shared folder
  • MSN messenger
  • Yahoo messenger
The malware sets the default homepage for Internet Explorer to hxxp://
The web site is claimed in annoying advertisements. It redirect searches, user-entered URLs without clear notification and consent.

Windows Management Instrumentation (WMI):

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. We can write WMI scripts or applications to automate administrative tasks on remote computers or Local Computer. Applications or scripts can get data or perform operations through WMI in a variety of languages. 
Scripts can be written in any scripting language that supports Microsoft ActiveX script hosting, including Visual Basic Scripting Edition (VBScript), PowerShell, and Perl. Windows Script Host (WSH), Active Server Pages, and Internet Explorer can all host WMI scripts.
The two main languages supported by WMI are PowerShell and VBScript.

WMI Query Language (WQL):

There are several ways in which we can access WMI data, and most of them use WQL queries.
WQL is a SQL like Language; it supports various keywords which are already used in SQL.

The malware uses Event query of WQL to register to receive notification of events.
The following query is executed whenever a Process is created.

SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'

Here within clause describe the polling interval in second. It monitors the system in interval of 1sec.

All namespaces derive from the ROOT namespace and Microsoft uses ROOT\CIMV2 as the default namespace. To connect with the local computer it uses GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

The malware monitors the creation of processes and terminate them if they belong to the Antivirus Product.
Some of antiviruses which are going to block are listed below:

Fig4: Antivirus Products

VBScript with WQL to terminate the Antivirus Processes if created in infected machine:
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") 
Set objEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'")

Set objLatestProcess = objEvents .NextEvent
If objLatestProcess.TargetInstance.Path = "AV_Name" Then
End If

We can obtain or modify registry data by using the WMI StdRegProv class and its methods. While use the Regedit utility to view and change registry values on the local computer, StdRegProv allows you to use a script or application to automate such activities on the local computer and remote computers.
But the malware authors use this technique to add or modify the registry for malicious purpose.

In our case, The malware creates the registry key for various applications at the location “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options” with the name of process (Example: chrome.exe, procmon.exe, ccsetmgr.exe etc.). Under the key it creates a new string value of name “Debugger” with the value data "%USERPROFILE%\random_chars\winlogon.exe" (Path of malware).

That means it creates a default debugger to the malware (winlogon.exe) for every application.
Whenever an application is open whose registry is already added then by default it executes the malware.

Some of legitimate processes are list below:
Fig5: Processes to block

VBScript with WQL to set the default debugger for the list of processes by modifying the registries:

const HKEY_LOCAL_MACHINE = &H80000002 
strComputer = "."
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _ 
    & strComputer & "\root\default:StdRegProv")
strKeyPath = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options" & ProcessName
strValueName = "Debugger"
arrStringValues = "%USERPROFILE%\random_chars\winlogon.exe"
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath,_
    strValueName, arrStringValues

Network Analysis:

The malware performs the malicious activities using network like to take down a server, increasing hit count of a site and shows the advertisement.

Pseudo Random Sub-domain attack:

The malware send queries to a random non-existence sub-domain of a domain (
These queries are forwarded to DNS resolvers at the upstream ISP. Although the attacks are intended to take down the authoritative servers for this domain. They have the side effect of dramatically increasing the load on ISP’s DNS resolvers so it becomes overloaded and either slow down or crash.

Increase Hit Couter:

The malware sends the request to through is a search engine, which has lowest google page rank. According to MyWot and Google Safe browsing analytics, the site is suspicious domain with no visitor reviews.

Ib.Adnxs is an advertising platform, which is used by adware and other malicious programs to display popup ads from within Internet Explorer, Firefox and Google Chrome.

The malware fetches the advertisement from through search engine.
Indirectly it increases the hit counter of search engine, downloads and display the advertisements.


Post a Comment