SYMBOLCOMMON_NAMEaka. SYNONYMS
js.ostap (Back to overview)

ostap


Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:

AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-04-14IntrinsecJean Bichet
@online{bichet:20200414:deobfuscating:d7320ab, author = {Jean Bichet}, title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}}, date = {2020-04-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/}, language = {English}, urldate = {2021-01-11} } Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot
2020-03-20BitdefenderLiviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2019-09-12Github (cryptogramfan)Alex Holland
@online{holland:20190912:ostap:9374bd2, author = {Alex Holland}, title = {{Ostap Deobfuscation script}}, date = {2019-09-12}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py}, language = {English}, urldate = {2020-01-06} } Ostap Deobfuscation script
ostap
2019-09-03BromiumAlex Holland
@online{holland:20190903:deobfuscating:22e33f3, author = {Alex Holland}, title = {{Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader}}, date = {2019-09-03}, organization = {Bromium}, url = {https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/}, language = {English}, urldate = {2020-01-06} } Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader
ostap
2019-08-05Trend MicroNoel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2018-01-06CERT.PLPaweł Srokosz
@online{srokosz:20180106:ostap:619979b, author = {Paweł Srokosz}, title = {{Ostap malware analysis (Backswap dropper)}}, date = {2018-01-06}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/}, language = {English}, urldate = {2020-01-09} } Ostap malware analysis (Backswap dropper)
ostap
Yara Rules
[TLP:WHITE] js_ostap_w0 (20190905 | No description)
rule js_ostap_w0 {
	meta:
		author = "Alex Holland @cryptogramfan (Bromium Labs)"
		date = "2019-08-29"
		sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
		sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap"
        malpedia_version = "20190905"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
	strings:
		$comment = { 2A 2A 2F 3B } // Matches on **/;
		$array_0 = /\w{5,8}\[\d+\]=\d{1,3};/
		$array_1 = /\w{5,8}\[\d+\]=\d{1,3};/
				
	condition:
		((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
		((#array_0 > 100) and (#array_1 > 100))) and
		(filesize > 500KB and filesize < 1500KB)
}
Download all Yara Rules