infosecn1nja
/
MaliciousMacroGenerator
mirror of https://github.com/infosecn1nja/MaliciousMacroGenerator.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Malicious Macro Generator
33 Commits
3 Branches
0 Tags
144 KiB
VBA 84.8%
Python 15.2%
 
 
Go to file
Mr-Un1k0d3r 6202e1e8c1 Update GenMacro.py 2016-09-23 20:50:38 -04:00
configs Add files via upload 2016-09-23 14:45:02 -04:00
examples Add files via upload 2016-09-23 14:46:46 -04:00
templates Add files via upload 2016-09-23 14:43:50 -04:00
GenMacro.py Update GenMacro.py 2016-09-23 20:50:38 -04:00
README.md Update README.md 2016-09-23 10:27:19 -04:00
TEMPLATE.md Update TEMPLATE.md 2016-09-23 10:27:40 -04:00

README.md

MaliciousMacroGenerator

#Malicious Macro Generator Utility

Simple utility design to generate obfuscated macro that also include a AV / Sandbox escape trick

#Requirement

Python 2.7
Python 3.4 (Not supported yet)

#Usage

Usage: GenMacro.py [config] [output]

        config  Config file that contain generator information
        output  Output filename for the macro
        
python GenMacro.py configs/generic-cmd-domain-evasion.json malicious.vba

#Config file

Example of a macro config file.

{
	"description": "Generic command exec payload including domain check",
	"template": "templates/generic-cmd-domain-evasion.vba",
	"varcount": 50,
	"encodingoffset": 4,
	"encodedvars": 	{
				"DOMAIN": "RINGZER0"
				},
	"payload": "cmd.exe /c ping ringzer0team.com"
}

#Evasion technique

The macro is fetching the USERDOMAIN environment variable and compare the value with a predefined one. If they match the final payload is executed.

The python script will also generate obfuscated code to avoid heuristic detection

#Credit

Mr.Un1k0d3r RingZer0 Team

https://ringzer0team.com charles.hamilton@mandiant.com