f0wl / GootJasperDeobfuscator

A deobfuscation script for Gootkit / Jasper Loader Malware

GootJasperDeobfuscator

Usage

python3 gootdecrypt.py script.vbs
python3 gootdecrypt.py script.js

gootdecrypt.py prints the decoded PowerShell script as well as the inline base64 string that carries it.

Threat Description

The first stage is a VBS script delivered inside a ZIP file (VBS AnyRun Analysis). It executes an obfuscated, base64-encoded PowerShell script.

[Screenshot: VBS script]

The second stage is a classic Jasper Loader sample: a JavaScript file that contains another PowerShell script (Jasper AnyRun Analysis).

[Screenshot: Jasper JS script]
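As an added illustration of the decoding step described in the Usage and Threat Description sections (this is not the project's gootdecrypt.py, whose internals the README does not describe), the Python below locates inline base64 blobs in a VBS/JS loader and decodes them the way PowerShell's -EncodedCommand does (UTF-16LE), falling back to UTF-8 for inline FromBase64String payloads. The sample dropper text is constructed here from a harmless command; real Gootkit/Jasper samples split and obfuscate the string further, which this example does not handle.

```python
import base64
import re
import string
import sys
from typing import List, Optional, Tuple

# Candidate runs of base64 text; 40+ chars filters out short identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _looks_like_text(s: str) -> bool:
    # Decoded script should be plain printable ASCII (ASCII bytes read as
    # UTF-16LE become CJK code points, which fail this check).
    return bool(s) and all(ch in string.printable for ch in s)


def decode_ps_b64(blob: str) -> Optional[str]:
    """Decode a base64 blob as PowerShell would: -EncodedCommand takes
    UTF-16LE; inline [Convert]::FromBase64String payloads are often UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            return text
    return None


def extract_payloads(script_text: str) -> List[Tuple[str, str]]:
    """Return (base64_string, decoded_script) for every blob in a VBS/JS
    loader that decodes to readable text."""
    found = []
    for m in B64_RE.finditer(script_text):
        decoded = decode_ps_b64(m.group(0))
        if decoded is not None:
            found.append((m.group(0), decoded))
    return found


# Constructed sample dropper (not a real Gootkit/Jasper sample): one VBS line
# launching PowerShell with a -enc payload built here from a harmless command.
SAMPLE_PS = "Write-Output 'hello'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
SAMPLE_VBS = ('Set sh = CreateObject("WScript.Shell")\n'
              f'sh.Run "powershell -w hidden -enc {SAMPLE_B64}", 0, False\n')

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="ignore").read() if len(sys.argv) > 1 else SAMPLE_VBS
    for b64, script in extract_payloads(text):
        print("[+] base64:", b64)
        print("[+] decoded:\n" + script)
```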

License:GNU General Public License v3.0