# Malicious Macro Generator Utility
Simple utility designed to generate an obfuscated macro that also includes an AV / sandbox escape mechanism.
# Requirement

```
Python 2.7
```

# Usage

```
MMG.Malicious Macro Generator v2.0 - RingZer0 Team
Author: Mr.Un1k0d3r

Usage: MMG.py [config] [output] (optional -list)

config   Config file that contain generator information
output   Output filename for the macro
-list    List all available payloads and evasion techniques

python MMG.py configs/generic-cmd.json malicious.vba
```

# Config file

Example of a project config file.

```
{
    "description": "Generic command exec payload\nEvasion technique set to domain check",
    "template": "templates/payloads/generic-cmd-evasion-template.vba",
    "varcount": 150,
    "encodingoffset": 4,
    "chunksize": 200,
    "encodedvars": {
        "DOMAIN": "RINGZER0"
    },
    "vars": [],
    "evasion": ["encoder", "domain"],
    "payload": "cmd.exe /c whoami"
}
```

# Evasion techniques
###### Domain check

The macro fetches the USERDOMAIN environment variable and compares its value with a predefined one. If they match, the final payload is executed.

###### Disk check

The macro looks at the total disk space. VMs and test machines use small disks most of the time.

###### Memory check

The macro looks at the total memory size. VMs and test machines are usually given fewer resources.

###### Uptime check

The macro looks at the system uptime. Sandboxes will return a short uptime.

###### Process check

The macro checks whether a specific process is running (for example outlook.exe).

###### Obfuscation
The Python script will also generate obfuscated code to avoid heuristic detection.
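
As an added defensive example (not part of MMG or its templates), the Python 3 script below performs a static triage of VBA macro source for the checks listed in this section: domain, disk, memory, uptime and process checks, plus crude obfuscation markers such as `Chr()`-built strings or an unusually large number of `Dim` declarations (compare the `varcount` setting in the config above). The regular expressions, the thresholds and the two sample macros are assumptions constructed for this example; they reflect how such checks are commonly written in VBA, not how MMG's templates implement them.

```python
"""Static triage of VBA macro text for sandbox-evasion checks and obfuscation.

Added example for analysts; it is not part of MMG. The patterns below are
assumptions about how such checks typically appear in VBA source.
"""
import re
from collections import Counter

# Technique name -> regexes (matched case-insensitively, per line) that indicate
# the check. API and WMI class names are assumptions, not MMG template content.
EVASION_RULES = {
    "domain check": [r'Environ\s*\(\s*"USER(DNS)?DOMAIN"\s*\)'],
    "disk check": [r"Win32_LogicalDisk", r"\.TotalSize\b", r"\bGetDrive\s*\("],
    "memory check": [r"TotalPhysicalMemory", r"TotalVisibleMemorySize"],
    "uptime check": [r"\bGetTickCount\b", r"LastBootUpTime"],
    "process check": [r"Win32_Process\b", r"\bExecQuery\s*\(.*\bName\b.*\.exe"],
}

# Obfuscation markers: character-code string building, reversal, XOR decoding.
OBFUSCATION_MARKERS = [r"\bChrW?\s*\(", r"\bStrReverse\s*\(", r"\bXor\b"]
MARKER_THRESHOLD = 3   # assumption: this many markers in one macro is unusual
DIM_THRESHOLD = 50     # assumption: hand-written macros rarely declare this many


def scan_macro(source):
    """Return a triage report for one macro: indicated evasion techniques with
    the offending (line number, line) pairs, obfuscation counters and a verdict."""
    lines = source.splitlines()
    evasion = {}
    for technique, patterns in EVASION_RULES.items():
        hits = [(no, line.strip()) for no, line in enumerate(lines, 1)
                if any(re.search(p, line, re.IGNORECASE) for p in patterns)]
        if hits:
            evasion[technique] = hits

    markers = Counter({p: len(re.findall(p, source, re.IGNORECASE))
                       for p in OBFUSCATION_MARKERS})
    dim_count = len(re.findall(r"^\s*Dim\b", source, re.IGNORECASE | re.MULTILINE))
    flagged = sum(markers.values()) >= MARKER_THRESHOLD or dim_count >= DIM_THRESHOLD

    # One point per technique found, one more if obfuscation markers are present.
    score = len(evasion) + (1 if flagged else 0)
    verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "clean")
    return {
        "evasion": evasion,
        "obfuscation": {"marker_hits": sum(markers.values()),
                        "dim_count": dim_count, "flagged": flagged},
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: gates on domain, memory and uptime, builds a string from
# character codes, and stops short of running anything.
SAMPLE_MACRO = r'''Sub AutoOpen()
    Dim v1 As String, v2 As String, v3 As Long
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    If Environ("USERDOMAIN") <> "RINGZER0" Then Exit Sub
    For Each os In wmi.ExecQuery("Select * from Win32_OperatingSystem")
        If CLng(os.TotalVisibleMemorySize) < 4000000 Then Exit Sub
    Next
    If GetTickCount < 600000 Then Exit Sub
    v1 = Chr(99) & Chr(109) & Chr(100)
    ' decoded content would be used here
End Sub'''

# Constructed benign sample: ordinary worksheet formatting.
BENIGN_MACRO = r'''Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1").Font.Bold = True
End Sub'''


def format_report(name, report):
    """Render a scan_macro() result as a short human-readable summary."""
    out = ["%s: %s (score %d)" % (name, report["verdict"], report["score"])]
    for technique, hits in report["evasion"].items():
        for no, line in hits:
            out.append("  [%s] line %d: %s" % (technique, no, line))
    ob = report["obfuscation"]
    out.append("  obfuscation markers=%d dims=%d flagged=%s"
               % (ob["marker_hits"], ob["dim_count"], ob["flagged"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report("sample", scan_macro(SAMPLE_MACRO)))
    print(format_report("benign", scan_macro(BENIGN_MACRO)))
```

Run it against extracted macro text (for example the output of a VBA extraction tool) rather than the raw Office document; the verdict is a triage hint for prioritising manual review, and the thresholds should be tuned against your own corpus of legitimate macros.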
###### More to come
# Credit
Mr.Un1k0d3r RingZer0 Team
https://ringzer0team.com