MaliciousMacroGenerator

Malicious Macro Generator

Go to file

Mr-Un1k0d3r 5e7405e97e Update README.md		2016-09-29 08:37:01 -04:00
configs	fix path to template `donwloader`	2016-09-29 13:50:33 +03:00
examples	Add files via upload	2016-09-23 14:46:46 -04:00
templates	Add files via upload	2016-09-23 14:43:50 -04:00
GenMacro.py	Update GenMacro.py	2016-09-23 20:50:38 -04:00
README.md	Update README.md	2016-09-29 08:37:01 -04:00
TEMPLATE.md	Update TEMPLATE.md	2016-09-23 10:27:40 -04:00

README.md

MaliciousMacroGenerator

#Malicious Macro Generator Utility

Simple utility design to generate obfuscated macro that also include a AV / Sandbox escape trick

#Requirement

Python 2.7
Python 3.4 (Not supported yet)

#Usage

Usage: GenMacro.py [config] [output]

        config  Config file that contain generator information
        output  Output filename for the macro
        
python GenMacro.py configs/generic-cmd-domain-evasion.json malicious.vba

#Config file

Example of a macro config file.

{
	"description": "Generic command exec payload including domain check",
	"template": "templates/generic-cmd-domain-evasion.vba",
	"varcount": 50,
	"encodingoffset": 4,
	"encodedvars": 	{
				"DOMAIN": "RINGZER0"
				},
	"payload": "cmd.exe /c ping ringzer0team.com"
}

#Evasion techniques

Domain check

The macro is fetching the USERDOMAIN environment variable and compare the value with a predefined one. If they match the final payload is executed.

Disk check

The macro is looking for the total disk space. VMs and test machines use small disk most of the time.

Memory check

The macro is looking for the total memory size. Vms and test machine use less resources.

Uptime check

The macro is looking for the system uptime. Sandboxes will return a short uptime. The python script will also generate obfuscated code to avoid heuristic detection

#Credit

Mr.Un1k0d3r RingZer0 Team

https://ringzer0team.com charles.hamilton@mandiant.com