Cyber security

Script Overview – Decoding GootLoader Payloads And Obfuscations

In the intricate realm of cyber threats, GootLoader emerges as a formidable challenge. This article delves deep into the intricacies of decoding its payloads and obfuscations.

Equipped with hands-on scripts and tools, we aim to guide cybersecurity enthusiasts and professionals through the maze of GootLoader. Get ready for an informative journey.

  • GootLoaderAutoJsDecode.py – automatically decodes .js files using static analysis (recommended)
  • GootLoaderAutoJsDecode-Dynamic.py – automatically decodes .js files using dynamic analysis
  • GootLoaderManualJsDecode-Dynamic.py – used to manually decode .js files using dynamic analysis
  • GootloaderRegDecode.py – automatically decodes reg payload exports
  • GootloaderWindowsRegDecode.ps1 – Directly decodes a payload from the registry.

Index

JavaScript Decoding

Automated Decoding

Run the script GootLoaderAutoJsDecode.py against the .js file.

python GootLoaderAutoJsDecode.py "evil.js"

The script will output the files below:

  • FileAndTaskData.txt – Contains the names of the scheduled task and dropped files.
  • DecodedJsPayload.js_ – The decoded payload that runs a PowerShell command. You can use a CyberChef’s Generic Code Beautify in order to make the content easier to read.

If the GootLoaderAutoJsDecode.py script stops working then you can attempt to use the dynamic version of the script (GootLoaderAutoJsDecode-Dynamic.py). Be aware that the dynamic script executes part of the GOOTLADER code, as a result it should only be run in an isolated environment.

Manual Decoding

Sometimes the GOOTLOADER js obfuscation changes and the GootLoaderAutoJsDecode.py script stops working. In those instances, follow the instructions found at ManualDecoding.md.

Sample MD5s:

Gootloader Obfuscation Variant 2:
82607b68e061abb1d94f33a2e06b0d20
961cd55b17485bfc8b17881d4a643ad8
af9b021a1e339841cfdf65596408862d
d3787939a5681cb6d6ac7c42cd9250b5

Gootloader Obfuscation Variant 3:
ea2271179e75b652cafd8648b698c6f9
c07b581fde56071e05754eef450dfa17

Registry Payload Decoding

Redline

  1. On the left menu go to Agent Events\Registry Key Events
  2. Filter on the following:
    • Change Type: value change
    • Path: HKEY_USERS\<USER_SID>\SOFTWARE\Microsoft\Phone\%USERNAME%
      • The specific path might change, but you should end up with two sets of keys, one called ...\Phone\UserName\... and one called ...\Phone\UserName0\....
  3. Select all the rows that have something in the Text Data field.
  4. Right click and select “Copy with Headers”
  5. Paste the text into a text document and save it as a CSV

Decoding The CSV File

  1. Transfer the CSV and Python scripts to the same machine
  2. Run the command below:
python GootloaderRegDecode.py "regExport.csv"

3. The script should generate 2 files payload1.dll_ and payload2.exe_

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsScript Overview
2 years ago

Recent Posts

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

5 days ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

5 days ago

What Does chmod 777 Mean in Linux

If you are a Linux user, you have probably seen commands like chmod 777 while…

5 days ago

How to Undo and Redo in Vim or Vi

Vim and Vi are among the most powerful text editors in the Linux world. They…

5 days ago

How to Unzip and Extract Files in Linux

Working with compressed files is a common task for any Linux user. Whether you are…

5 days ago

Free Email Lookup Tools and Reverse Email Search Resources

In the digital era, an email address can reveal much more than just a contact…

5 days ago