js.ostap

ostap


Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been delivered in ACE archives and in VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI for the running processes and compare the result against the following blacklist:

AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark

If a blacklisted process is found, the malware terminates.
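The check described above, written out as an added example so an analyst can test whether a given process listing would make the downloader abort before it fetches its payload. This is not Ostap's code and not code from the references: the entry list is transcribed from the page, the process listing is constructed, and the matching semantics (case-insensitive, extension-stripped prefix match) are an assumption, since the page only says that the names are checked.

```python
from __future__ import annotations

# Process-name blacklist transcribed from the list above, as the page gives it
# (including the "gemu-ga.exe" spelling).
OSTAP_PROCESS_BLACKLIST = [
    "AgentSimulator.exe", "anti-virus.EXE", "BehaviorDumper", "BennyDB.exe",
    "ctfmon.exe", "fakepos_bin", "FrzState2k", "gemu-ga.exe",
    "ImmunityDebugger.exe", "KMS Server Service.exe", "ProcessHacker",
    "procexp", "Proxifier.exe", "python", "tcpdump", "VBoxService",
    "VBoxTray.exe", "VmRemoteGuest", "vmtoolsd", "VMware2B.exe",
    "VzService.exe", "winace", "Wireshark",
]


def _normalize(name: str) -> str:
    """Lower-case, drop any path and a trailing .exe, so that entries given
    without an extension ("python", "procexp") compare against image names."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def blacklist_hits(running: list[str]) -> list[tuple[str, str]]:
    """Return (running process, blacklist entry) pairs that would trip the check.

    Assumption of this example: prefix matching on the normalized names, so an
    entry like "procexp" also catches "procexp64.exe"."""
    entries = [(e, _normalize(e)) for e in OSTAP_PROCESS_BLACKLIST]
    hits: list[tuple[str, str]] = []
    for proc in running:
        p = _normalize(proc)
        hits.extend((proc, entry) for entry, e in entries if p.startswith(e))
    return hits


def would_terminate(running: list[str]) -> bool:
    """True if the downloader would exit on this process listing."""
    return bool(blacklist_hits(running))


# Constructed listing in the shape of the Name column of
# "SELECT Name FROM Win32_Process" on a hypothetical analysis VM;
# not captured from a real system.
SAMPLE_PROCESS_LIST = [
    "System", "svchost.exe", "explorer.exe", "vmtoolsd.exe",
    "procexp64.exe", "python.exe", "wscript.exe",
]

if __name__ == "__main__":
    for proc, entry in blacklist_hits(SAMPLE_PROCESS_LIST):
        print(f"{proc} -> matches blacklist entry {entry!r}")
    print("would terminate:", would_terminate(SAMPLE_PROCESS_LIST))
```

On a Windows host the real listing can be fed in from `Get-CimInstance -ClassName Win32_Process | Select-Object -ExpandProperty Name`. Two things to keep in mind when using the list as a sandbox fingerprint: ctfmon.exe is a standard Windows component, so the check also fires on ordinary workstations, and a renamed tool (for example, Process Explorer copied to a neutral file name) would not be caught by a name comparison.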

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

References
2021-11-24 | Lasq's Security Blog | Lasq's Security Blog
From the archive #1: OSTap downloader deobfuscation and analysis
ostap
2021-09-03 | Trend Micro | Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-01-09 | Marco Ramilli's Blog | Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-04-14 | Intrinsec | Jean Bichet
Deobfuscating and hunting for OSTAP, Trickbot's dropper and best friend
ostap TrickBot
2020-03-20 | Bitdefender | Liviu Arsene
5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2019-09-12 | Github (cryptogramfan) | Alex Holland
Ostap Deobfuscation script
ostap
2019-09-03 | Bromium | Alex Holland
Deobfuscating Ostap: TrickBot's 34,000 Line JavaScript Downloader
ostap
2019-08-05 | Trend Micro | Michael Jhon Ofiaza, Noel Anthony Llimos
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2018-01-06 | CERT.PL | Paweł Srokosz
Ostap malware analysis (Backswap dropper)
ostap
Yara Rules
[TLP:WHITE] js_ostap_w0 (20190905 | No description)
rule js_ostap_w0 {
    meta:
        author = "Alex Holland @cryptogramfan (Bromium Labs)"
        date = "2019-08-29"
        sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
        sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap"
        malpedia_version = "20190905"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $comment = { 2A 2A 2F 3B } // Matches on **/;
        $array_0 = /\w{5,8}\[\d+\]=\d{1,3};/ // element-wise numeric array fills, e.g. name[12]=104;
        $array_1 = /\w{5,8}\[\d+\]=\d{1,3};/ // same pattern as $array_0, so #array_1 always equals #array_0

    condition:
        ((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
        ((#array_0 > 100) and (#array_1 > 100))) and
        (filesize > 500KB and filesize < 1500KB)
}
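To see what the rule actually keys on, the following added example re-implements its condition in Python over a constructed file and then pulls the element-wise array fills back out, which is the first step of the deobfuscation the referenced posts describe. This is not the rule author's script and not a real Ostap sample: `build_sample` fabricates a file with the layout the rule describes, and treating the array values as plain character codes in `decode_as_charcodes` is an assumption made for the example only; the encoding a real sample uses has to be recovered by analysis.

```python
from __future__ import annotations

import re

# Pattern from the js_ostap_w0 rule: element-wise numeric array assignments
# such as "tFgHq[17]=104;". Capture groups give name, index and value.
ARRAY_ASSIGN = re.compile(rb"(\w{5,8})\[(\d+)\]=(\d{1,3});")
COMMENT_TERMINATOR = b"**/;"  # the rule's $comment, hex 2A 2A 2F 3B
MIN_SIZE, MAX_SIZE = 500 * 1024, 1500 * 1024  # the rule's filesize window


def count_array_assignments(data: bytes) -> int:
    """Equivalent of #array_0 (and of #array_1, which is the same pattern)."""
    return len(ARRAY_ASSIGN.findall(data))


def matches_js_ostap_w0(data: bytes) -> bool:
    """Re-implementation of the rule's condition.

    The first OR branch only adds '$comment at 0' on top of the count test that
    the second branch already requires, so the comment check never changes the
    outcome: the rule fires on more than 100 array fills inside the size window."""
    n = count_array_assignments(data)
    comment_at_0 = data.startswith(COMMENT_TERMINATOR)
    strings_ok = (comment_at_0 and n > 100) or (n > 100)
    return strings_ok and MIN_SIZE < len(data) < MAX_SIZE


def extract_arrays(data: bytes) -> dict[str, list[int]]:
    """Collect every array populated by index assignment, values ordered by index."""
    arrays: dict[str, dict[int, int]] = {}
    for name, idx, val in ARRAY_ASSIGN.findall(data):
        arrays.setdefault(name.decode(), {})[int(idx)] = int(val)
    return {name: [v for _, v in sorted(elems.items())] for name, elems in arrays.items()}


def decode_as_charcodes(values: list[int]) -> str:
    """Assumption for this example only: the integers are plain character codes."""
    return "".join(chr(v) for v in values)


def build_sample(payload: str, var: str = "tFgHq", target_size: int = 600 * 1024) -> bytes:
    """Constructed look-alike of the file layout the rule describes, not a real sample:
    a leading **/; followed by one assignment per payload character, padded with a
    block comment so the file lands at target_size without adding further matches."""
    lines = [COMMENT_TERMINATOR.decode()]
    lines += [f"{var}[{i}]={ord(ch)};" for i, ch in enumerate(payload)]
    body = "\n".join(lines) + "\n"
    filler = max(0, target_size - len(body) - 6)
    return (body + "/* " + "x" * filler + " */").encode()


if __name__ == "__main__":
    sample = build_sample("var x = 1;" * 20)
    print("array fills:", count_array_assignments(sample))
    print("rule matches:", matches_js_ostap_w0(sample))
    for name, values in extract_arrays(sample).items():
        print(name, "->", decode_as_charcodes(values)[:40])
```

Running the re-implemented condition makes the rule's two weak points visible: the size window excludes both a trimmed sample and a padded one, and any script that fills arrays element by element more than 100 times in that window matches regardless of whether it starts with `**/;`.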