Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRE
T//
NOFORN
Pique Analysis Report
20150807-253-TrendMicro-Understandin
g
WMI Malware
Ra
y
theon Blackbird Technolo
g
i
es,
Inc. 1 07 Au
g
ust 2015
Use or disclosure of data contained on this sheet is su
bje
ct to the restrictions on the title
page
of this document.
SECRE
T//
NOFORN
1.0 (U) Analysis Summary
(S//NF) This is a high-level report / survey of WMI support for malware activity. This report
uses the malware sample TROJ_WMIGHOST.A as an example of a WMI-based piece of
malware. The report describes what WMI is and how it works and then goes on to describe how
TROJ_WMIGHOST.A implements the mandatory pieces of WMI, WMI System Classes,
necessary to perform its maliciousness.
(S//NF) The report describes the three basic WMI System Classes:
_EventConsumer (analogous to standard malware executable code)
_EventFilter (analogous to standard malware autorun/entry)
_FilterToConsumerBinding (analogous to standard malware condition/trigger)
(S//NF) The report does a very good job of explaining WMI and how malware implements WMI.
The use of TROJ_WMIGHOST.A highlights the mapping of standard malware constructs to the
WMI model. However, there are no interesting techniques implemented via WMI discussed in
this report and therefore no PoCs are recommended.
2.0 (U) Description of the Technique
(S//NF) Not applicable as no PoCs are recommended.
3.0 (U) Identification of Affected Applications
(U) Windows.
4.0 (U) Related Techniques
(S//NF) WMI implementation of standard malware functionality.
5.0 (U) Configurable Parameters
(U) Varied.
6.0 (U) Exploitation Method and Vectors
(S//NF) No exploitation methods or attack vectors were discussed in this report.
7.0 (U) Caveats
(U) Not applicable.