Symbol: js.ostap
Common name: ostap
Synonyms: none

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and in VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI for the list of running processes and compare it against a blacklist of analysis and virtualization tools:

AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

References

2020-03-20, Liviu Arsene (Bitdefender): 5 Times More Coronavirus-themed Malware Reports during March. https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter (retrieved 2020-03-26). Families covered: ostap, GuLoader, HawkEye Keylogger, Koadic, Loki Password Stealer (PWS), Nanocore RAT, Remcos.

2019-09-12, Alex Holland (Github, cryptogramfan): Ostap Deobfuscation script. https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py (retrieved 2020-01-06). Families covered: ostap.

2019-09-03, Alex Holland (Bromium): Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader. https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/ (retrieved 2020-01-06). Families covered: ostap.

2019-08-05, Noel Anthony Llimos and Michael Jhon Ofiaza (Trend Micro): Latest Trickbot Campaign Delivered via Highly Obfuscated JS File. https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/ (retrieved 2020-01-23). Families covered: ostap, TrickBot.

2018-01-06, Paweł Srokosz (CERT.PL): Ostap malware analysis (Backswap dropper). https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/ (retrieved 2020-01-09). Families covered: ostap.
Yara Rules
[TLP:WHITE] js_ostap_w0 (20190905 | No description)
rule js_ostap_w0 {
    meta:
        author = "Alex Holland @cryptogramfan (Bromium Labs)"
        date = "2019-08-29"
        sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
        sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap"
        malpedia_version = "20190905"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $comment = { 2A 2A 2F 3B } // Matches on **/;
        $array_0 = /\w{5,8}\[\d+\]=\d{1,3};/
        $array_1 = /\w{5,8}\[\d+\]=\d{1,3};/

    condition:
        ((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
        ((#array_0 > 100) and (#array_1 > 100))) and
        (filesize > 500KB and filesize < 1500KB)
}
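As an added illustration, not part of the Malpedia page or of the rule author's code, the Python below evaluates the js_ostap_w0 condition clause by clause over a constructed input. Walking through it shows two properties of the rule: $array_0 and $array_1 are the same regex, so their counts are always equal, and the ($comment at 0) clause can never change the verdict because the trailing "or" branch repeats the array-count test without it. The input bytes are constructed stand-ins, not real Ostap samples.

```python
import re

# Bytes-regex equivalent of the rule's $array_0 / $array_1 (both are identical).
ARRAY_ASSIGNMENT_RE = re.compile(rb"\w{5,8}\[\d+\]=\d{1,3};")
COMMENT_MAGIC = b"**/;"      # $comment = { 2A 2A 2F 3B }
MIN_SIZE = 500 * 1024        # YARA's KB suffix means 1024 bytes
MAX_SIZE = 1500 * 1024


def count_array_assignments(data: bytes) -> int:
    """Equivalent of #array_0 (and #array_1): number of non-overlapping matches."""
    return len(ARRAY_ASSIGNMENT_RE.findall(data))


def matches_js_ostap_w0(data: bytes) -> bool:
    """Evaluate the published condition literally, clause by clause."""
    comment_at_0 = data.startswith(COMMENT_MAGIC)   # ($comment at 0)
    n_array_0 = count_array_assignments(data)       # #array_0
    n_array_1 = n_array_0                           # #array_1 uses the same regex
    arrays_ok = n_array_0 > 100 and n_array_1 > 100
    # (comment and arrays) or arrays reduces to arrays: the comment clause is redundant.
    strings_ok = (comment_at_0 and arrays_ok) or arrays_ok
    size_ok = MIN_SIZE < len(data) < MAX_SIZE       # filesize > 500KB and filesize < 1500KB
    return strings_ok and size_ok


def build_sample(n_assignments: int, total_size: int, with_comment: bool = True) -> bytes:
    """Constructed stand-in for an obfuscated script: one-byte-per-statement array
    assignments of the form name[index]=value; padded with spaces to total_size."""
    head = COMMENT_MAGIC if with_comment else b"// "
    body = b"".join(b"qwert[%d]=%d;" % (i, i % 256) for i in range(n_assignments))
    padding = b" " * max(0, total_size - len(head) - len(body))
    return head + body + padding


if __name__ == "__main__":
    sample = build_sample(200, 600 * 1024)
    print(count_array_assignments(sample), matches_js_ostap_w0(sample))
    # Same verdict without the leading **/; because of the redundant "or" branch.
    print(matches_js_ostap_w0(build_sample(200, 600 * 1024, with_comment=False)))
```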