Overcoming sandbox evasion via msgbox - Success in attempt #2

I'm quite surprised by the number of sandboxes that do not deal with this issue.

Whilst I have not written any code that trawls through all the open windows looking for dialog boxes, because of time, I have used AutoHotkey to create a script that deals with the issue quite nicely. Once the script is compiled you no longer need the app installed and can move the portable exe wherever you see fit.

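; Close all dialog boxes
; Kempy 13-07-15
SendMode Input
Loop
{
    ; Block until a standard dialog box (window class #32770) exists
    WinWait, ahk_class #32770
    IfWinNotActive, ahk_class #32770
        WinActivate, ahk_class #32770
    WinWaitActive, ahk_class #32770
    ; ESC closes dialogs that can be cancelled
    Send, {ESC}
    ; Click the first button in case the dialog is still open
    ControlClick, Button1, ahk_class #32770
}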

Drop it in the startup folder of your Cuckoo Sandbox VM, with the MS Office Trust Center settings set to insecure ;) and voilà: successful detonations for Office macro malware.

Also, I used this macro for testing:

Sub AutoOpen()
MsgBox "vbAbortRetryIgnore", vbAbortRetryIgnore
MsgBox "vbApplicationModal", vbApplicationModal
MsgBox "vbCritical", vbCritical
MsgBox "vbDefaultButton1", vbDefaultButton1
MsgBox "vbDefaultButton2", vbDefaultButton2
MsgBox "vbDefaultButton3", vbDefaultButton3
MsgBox "vbDefaultButton4", vbDefaultButton4
MsgBox "vbExclamation", vbExclamation
MsgBox "vbInformation", vbInformation
MsgBox "vbMsgBoxHelpButton", vbMsgBoxHelpButton
MsgBox "vbMsgBoxRight", vbMsgBoxRight
MsgBox "vbMsgBoxRtlReading", vbMsgBoxRtlReading
MsgBox "vbMsgBoxSetForeground", vbMsgBoxSetForeground
MsgBox "vbOKOnly", vbOKOnly
MsgBox "vbOKCancel", vbOKCancel
MsgBox "vbQuestion", vbQuestion
MsgBox "vbRetryCancel", vbRetryCancel
MsgBox "vbSystemModal", vbSystemModal
MsgBox "vbYesNo", vbYesNo
MsgBox "vbYesNoCancel", vbYesNoCancel
End Sub
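
The "trawl through all the open windows" approach mentioned earlier, as an added AutoHotkey v1 example (not the author's script): it polls for every visible #32770 dialog, logs the title and text so the analyst can see what the sample displayed, then clicks the first button without needing focus. The log path and the 500 ms polling interval are assumptions; the test macro above can be used to exercise it.

```autohotkey
; Added example (AutoHotkey v1), not part of the original post.
#NoEnv
#Persistent
#SingleInstance Force
DetectHiddenWindows, Off

LogFile := A_Desktop . "\dialog_log.txt"   ; assumed log location
SetTimer, SweepDialogs, 500                ; assumed polling interval (ms)
return

SweepDialogs:
    ; Collect the handles of every visible standard dialog (class #32770)
    WinGet, dlg, List, ahk_class #32770
    Loop, %dlg%
    {
        hwnd := dlg%A_Index%
        WinGetTitle, title, ahk_id %hwnd%
        WinGetText, body, ahk_id %hwnd%
        WinGet, proc, ProcessName, ahk_id %hwnd%

        ; Record what was displayed before dismissing it
        FileAppend, %A_Now% [%proc%] "%title%": %body%`n, %LogFile%

        ; Click the first button; NA avoids activating the window
        ControlClick, Button1, ahk_id %hwnd%,,,, NA
        Sleep, 100

        ; If the dialog is still open, ask it to close
        IfWinExist, ahk_id %hwnd%
            WinClose, ahk_id %hwnd%
    }
return
```

Because it addresses each dialog by window handle, several message boxes open at once are all handled in the same sweep, and the log becomes an extra artifact to collect alongside the sandbox report.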

Hope you found this useful!

