GootJasperDeobfuscator
A deobfuscation script for Gootkit / Jasper Loader Malware
Usage
python3 gootdecrypt.py script.vbs
or python3 gootdecrypt.py script.js
gootdecrypt.py prints the decoded PowerShell script as well as the inline Base64-encoded PowerShell string it was recovered from.
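For readers who want to see what the recovery step looks like, here is a small added example (written for this README, not the project's gootdecrypt.py) that does the same kind of job: it normalises string concatenation in a VBS/JS dropper, pulls out Base64 blobs, and tries to decode them as UTF-16LE (what PowerShell's -EncodedCommand expects) and then as UTF-8. The sample dropper text, the benign Write-Host command inside it, and the marker list used to recognise PowerShell are all constructed for this example.

```python
"""Recover Base64-encoded PowerShell embedded in a VBS/JS dropper (added example)."""
import base64
import binascii
import re
import sys

# Long runs of Base64 alphabet; short runs are usually identifiers, not payloads.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Constructed marker list: a decoded blob is accepted only if it looks like PowerShell.
PS_MARKERS = ("$", "Invoke-", "IEX", "New-Object", "powershell", "FromBase64String", "Write-Host")
# Loaders often split the blob across string concatenations ("AAA" & "BBB" or "AAA" + "BBB").
CONCAT_RE = re.compile(r'"\s*[&+]\s*"')


def _looks_like_text(text: str) -> bool:
    """Printable characters plus the usual line/tab whitespace."""
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def _try_decode(blob: str):
    """Return (encoding, decoded_text) for a Base64 blob that decodes to PowerShell, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    # UTF-16LE first: -EncodedCommand payloads; odd-length data fails here and falls through.
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text) and any(m in text for m in PS_MARKERS):
            return enc, text
    return None


def extract_powershell(script_text: str):
    """Find every Base64 blob in the script that decodes to PowerShell.

    Returns a list of dicts with keys 'base64', 'encoding' and 'decoded'.
    """
    joined = CONCAT_RE.sub("", script_text)  # "AAA" & "BBB" -> "AAABBB"
    results, seen = [], set()
    for match in B64_RE.finditer(joined):
        blob = match.group(0)
        if blob in seen:
            continue
        seen.add(blob)
        decoded = _try_decode(blob)
        if decoded is not None:
            enc, text = decoded
            results.append({"base64": blob, "encoding": enc, "decoded": text})
    return results


# Constructed sample dropper: a harmless Write-Host command, UTF-16LE + Base64 encoded
# and split across two concatenated VBS string literals.
SAMPLE_COMMAND = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
SAMPLE_VBS = (
    'Set objShell = CreateObject("WScript.Shell")\n'
    'cmd = "powershell -w hidden -enc " & "' + SAMPLE_B64[:50] + '" & "' + SAMPLE_B64[50:] + '"\n'
    "objShell.Run cmd, 0, False\n"
)


def main(argv):
    """Usage: python3 this_script.py script.vbs   (no argument: run on the constructed sample)."""
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_VBS
    for hit in extract_powershell(text):
        print(f"[{hit['encoding']}] inline Base64: {hit['base64']}")
        print("decoded PowerShell:")
        print(hit["decoded"])


if __name__ == "__main__":
    main(sys.argv)
```

The UTF-16LE-then-UTF-8 order matters: an EncodedCommand payload is always UTF-16LE, while a blob that is later fed to FromBase64String inside the script is usually UTF-8, so trying both covers the two forms described in this README.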
Threat Description
The first-stage VBS script is dropped via a ZIP file (VBS AnyRun Analysis). It executes an obfuscated, Base64-encoded PowerShell script.
The second stage is a classic Jasper Loader sample (a JavaScript file that contains another PowerShell script, Jasper AnyRun Analysis).