New Sample that Needs Detection
cccs-kevin opened this issue
Hey there!
Love the auto decoder tool 🥇
We've seen a sample recently that is not decoded correctly by the tool:
https://www.virustotal.com/gui/file/9a822d004f5f813136b0426bce059b9faf14d875829458dbde9e0b9781bf670b
Can you please take a look?
Kevin 🇨🇦
@cccs-kevin That sample is a stage 2 payload which the static version of the script can't decode. However, you should be able to decode it by following the steps below in a VM:
- Run the VT sample through CyberChef "JavaScript Beautify" (remove junk data at the end to speed this up)
- Add "GOOT3" to the top of the file
- Use GootLoaderAutoJsDecode-Dynamic.py to decode the file
Malicious Domains:
Hey @andy2002a thanks for the quick reply!
I tried each step that you suggested and ended up with the following file (password: infected)
9a822d004f5f813136b0426bce059b9faf14d875829458dbde9e0b9781bf670b_modified.zip
When I pass that file to GootLoaderAutoJsDecode-Dynamic.py, I get the following error:
This script executes part of the GOOTLOADER code, as a result it should only be run in an isolated environment. This script should only be used if the static version (GootLoaderAutoJsDecode.py) fails.
GootLoader Obfuscation Variant 3.0 detected
If this fails try using CyberChef "JavaScript Beautify" against the sample first.
Traceback (most recent call last):
File "/path/gootloader/GootLoaderAutoJsDecode-Dynamic.py", line 296, in <module>
gootDecode(args.jsFilePath)
File "/path/gootloader/GootLoaderAutoJsDecode-Dynamic.py", line 218, in gootDecode
CodeMatch = findCodeinQuotePattern.search(round1Result)[0]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
TypeError: 'NoneType' object is not subscriptable
It looks like the stringToDecode leading up to this error is '(3)4;=}x hcramtwcohg(mex)k e{G m}htluulDrrtoxt=cmuyrvtnsdnyo;c ', which results in the round1Result variable equal to ' ;ydnvym=xtrlut} { )e(hctac };)(34=xhrmwogmxkeGmhluDrotcurtsnoc'.
Then https://github.com/mandiant/gootloader/blob/main/GootLoaderAutoJsDecode-Dynamic.py#L218 is unable to find a match using the findCodeinQuotePattern regular expression.
Am I doing something wrong or are you using an updated version?
In "JavaScript Beautify" use "\t" for the indent string option: https://www.virustotal.com/gui/file/e556340f600c125714aabb0532310bc490adc6897d2c0ae71370f1edc9626083/details
Let me know if that works
Yes that works! Thank you!