Malicious Macro Generator

Latest commit: Mr-Un1k0d3r 18fcc0189e Update README.md 2016-09-23 10:27:19 -04:00

- configs: Update generic-cmd-domain-evasion.json (2016-09-22 12:33:35 -04:00)
- examples: Update domain-evasion.vba (2016-09-22 12:28:49 -04:00)
- templates: Rename domain-evasion.template to generic-cmd-domain-evasion.vba (2016-09-22 12:34:15 -04:00)
- GenMacro.py: Update GenMacro.py (2016-09-22 12:34:33 -04:00)
- README.md: Update README.md (2016-09-23 10:27:19 -04:00)
- TEMPLATE.md: Create TEMPLATE.md (2016-09-22 12:53:51 -04:00)


MaliciousMacroGenerator

# Malicious Macro Generator Utility

Simple utility designed to generate an obfuscated macro that also includes an AV / sandbox escape trick.

# Requirements

- Python 2.7
- Python 3.4 (not supported yet)

# Usage

    Usage: GenMacro.py [config] [output]

        config  Config file that contains the generator information
        output  Output filename for the macro

    python GenMacro.py configs/generic-cmd-domain-evasion.json malicious.vba

# Config file

Example of a macro config file:

```json
{
	"description": "Generic command exec payload including domain check",
	"template": "templates/generic-cmd-domain-evasion.vba",
	"varcount": 50,
	"encodingoffset": 4,
	"encodedvars": {
		"DOMAIN": "RINGZER0"
	},
	"payload": "cmd.exe /c ping ringzer0team.com"
}
```

# Evasion technique

The macro fetches the USERDOMAIN environment variable and compares its value with a predefined one. Only if they match is the final payload executed, so the payload never runs in a sandbox or analysis VM whose domain differs from the target's.

The Python script also generates obfuscated code to avoid heuristic detection.
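The two behaviours described above (an environment check that gates the payload, and obfuscated code) are also what a defender can look for in a macro statically. The following is an added detection example written for this page; it is not part of the MaliciousMacroGenerator project, and the VBA samples in it are constructed to resemble the behaviour the README describes, not taken from the project's templates. The regexes and the "random-looking identifier" heuristic are my own assumptions about what generated macros tend to look like.

```python
"""Static triage of VBA macro source for the evasion and obfuscation patterns
this README describes: a USERDOMAIN (or similar) environment check that gates
execution, strings assembled from Chr() calls, and randomly generated names.

Added example, not project code. Samples below are constructed.
"""
import re

# Constructed sample: payload only runs when USERDOMAIN matches a hard-coded
# value; strings are built from Chr() and variable names look random.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim qzxw As String
    Dim pmjk As String
    qzxw = Environ("USERDOMAIN")
    pmjk = Chr(82) & Chr(73) & Chr(78) & Chr(71)
    If qzxw = pmjk Then
        Dim rtyu As String
        rtyu = Chr(99) & Chr(109) & Chr(100)
        Shell rtyu, vbHide
    End If
End Sub
'''

# Constructed benign sample for comparison.
CLEAN_VBA = r'''
Sub FormatReport()
    Dim rowIndex As Integer
    For rowIndex = 1 To 10
        Cells(rowIndex, 1).Font.Bold = True
    Next rowIndex
End Sub
'''

# Environment variables commonly used to fingerprint the host before running.
ENVIRON_RE = re.compile(
    r'Environ\s*\(\s*"(USERDOMAIN|USERDNSDOMAIN|COMPUTERNAME|USERNAME)"\s*\)', re.I)
# Primitives that hand control to something outside the document.
EXEC_RE = re.compile(r'\b(Shell|CreateObject|WScript\.Shell|Run)\b', re.I)
# Character-by-character string assembly, a common obfuscation idiom.
CHR_RE = re.compile(r'\bChr[BW]?\s*\(\s*\d+\s*\)', re.I)
DIM_RE = re.compile(r'\bDim\s+([A-Za-z_]\w*)', re.I)
IF_RE = re.compile(r'^\s*If\b.*\bThen\b', re.I | re.M)


def vowel_ratio(name):
    """Fraction of letters that are vowels; generated names tend to be low."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in 'aeiou' for c in letters) / float(len(letters))


def triage(vba):
    """Return a list of human-readable findings for one macro source text."""
    findings = []
    env_hits = ENVIRON_RE.findall(vba)
    # Environment check + conditional + execution primitive = gated payload.
    if env_hits and EXEC_RE.search(vba) and IF_RE.search(vba):
        names = ",".join(sorted(set(h.upper() for h in env_hits)))
        findings.append("environment-gated execution: %s checked before Shell/Run" % names)
    chr_count = len(CHR_RE.findall(vba))
    if chr_count >= 4:
        findings.append("string assembled from %d Chr() calls" % chr_count)
    declared = DIM_RE.findall(vba)
    odd = [n for n in declared if len(n) >= 4 and vowel_ratio(n) < 0.2]
    if declared and len(odd) / float(len(declared)) >= 0.5:
        findings.append("%d of %d declared variables look randomly generated"
                        % (len(odd), len(declared)))
    return findings


def score(vba):
    """Number of independent indicators; 2 or more is worth an analyst's look."""
    return len(triage(vba))


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("clean", CLEAN_VBA)):
        print(label, score(src), triage(src))
```

Run on the constructed sample this reports all three indicators and reports none for the benign macro. The domain check alone is not malicious (legitimate macros sometimes branch on USERDOMAIN), which is why the first finding requires the check, a conditional and an execution primitive to appear together; a mail gateway or EDR rule can use the same conjunction.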

# Credit

Mr.Un1k0d3r RingZer0 Team

https://ringzer0team.com charles.hamilton@mandiant.com