Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mr-un1k0d3r/maliciousmacrogenerator
Malicious Macro Generator
Last synced: 9 days ago
- Host: GitHub
- URL: https://github.com/mr-un1k0d3r/maliciousmacrogenerator
- Owner: Mr-Un1k0d3r
- License: other
- Created: 2016-09-21T23:18:14.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2019-04-17T19:47:38.000Z (over 5 years ago)
- Last Synced: 2024-08-02T09:28:58.891Z (3 months ago)
- Language: Visual Basic
- Size: 107 KB
- Stars: 823
- Watchers: 43
- Forks: 203
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# Malicious Macro Generator Utility
Simple utility designed to generate obfuscated macros that also include an AV / sandbox escape mechanism.
# Requirement
```
Python 2.7
```
# Usage
```
MMG.Malicious Macro Generator v2.0 - RingZer0 Team
Author: Mr.Un1k0d3r [email protected]

Usage: MMG.py [config] [output] (optional parameters)

    [config]    Config file that contain generator information
    [output]    Output filename for the macro

    -l  --list              List of all available payloads and evasion techniques
    -s  --split_strings     Randomly split strings at parts
    -x  --strings_to_hex    Encode strings to hex

python MMG.py configs/generic-cmd.json malicious.vba
```
# Config file
Example of a project config file.
```
{
    "description": "Generic command exec payload\nEvasion technique set to domain check",
    "template": "templates/payloads/generic-cmd-evasion-template.vba",
    "varcount": 150,
    "encodingoffset": 4,
    "chunksize": 200,
    "encodedvars": {
        "DOMAIN": "RINGZER0"
    },
    "vars": [],
    "evasion": ["encoder", "domain"],
    "payload": "cmd.exe /c whoami"
}
```
# Evasion techniques
###### Domain check
The macro fetches the USERDOMAIN environment variable and compares the value with a predefined one. If they match, the final payload is executed.
###### Disk check
The macro looks up the total disk space. VMs and test machines use small disks most of the time.
###### Memory check
The macro looks up the total memory size. VMs and test machines use fewer resources.
###### Uptime check
The macro looks up the system uptime. Sandboxes will return a short uptime.
###### Process check
The macro checks whether a specific process is running (for example, outlook.exe).
###### Obfuscation
The Python script will also generate obfuscated code to avoid heuristic detection.
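For defenders triaging extracted macro source, the sketch below is an added example (not part of this project's code) that flags the environment checks listed above, after undoing the kind of literal splitting that `--split_strings` implies. The indicator patterns, the function names and the sample macro lines are assumptions constructed for illustration; they are not taken from the tool's templates, and hex-encoded strings (`--strings_to_hex`) are not handled.

```python
import re

# Assumed indicators: common ways VBA reads each property named in the README.
INDICATORS = {
    "domain":  r'environ\$?\s*\(\s*"userdomain"',
    "disk":    r"win32_logicaldisk",
    "memory":  r"totalphysicalmemory",
    "uptime":  r"gettickcount|lastbootuptime",
    "process": r"win32_process\b",
}

# "USER" & "DOMAIN" -> "USERDOMAIN" (adjacent literals joined with & or +)
_CONCAT = re.compile(r'"([^"\r\n]*)"\s*[&+]\s*"([^"\r\n]*)"')


def join_split_literals(source):
    """Fold concatenated string literals until the text stops changing."""
    # Remove VBA line continuations (" _" at end of line) first.
    source = re.sub(r"[ \t]+_\r?\n", " ", source)
    previous = None
    while previous != source:
        previous = source
        source = _CONCAT.sub(r'"\1\2"', source)
    return source


def find_environment_checks(source):
    """Return the sorted names of environment checks seen in VBA source."""
    text = join_split_literals(source).lower()
    return sorted(name for name, pattern in INDICATORS.items()
                  if re.search(pattern, text))


# Constructed sample lines (not output of the tool) with split literals.
SAMPLE = '''
d = Environ("US" & "ERDO" & _
    "MAIN")
Set procs = GetObject("winmgmts:").ExecQuery("Select * From Win" & "32_Process")
'''

if __name__ == "__main__":
    print(find_environment_checks(SAMPLE))
```

A plain substring search for `USERDOMAIN` misses the sample; the match only appears once the literals are folded back together.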
###### More to come
# Credit
Mr.Un1k0d3r RingZer0 Team
https://ringzer0team.com