mandiant / gootloader

Collection of scripts used to deobfuscate GOOTLOADER malware samples.

Home Page: https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations

New Sample that Needs Detection

cccs-kevin opened this issue · comments

commented

Hey there!

Love the auto decoder tool 🥇

We've seen a sample recently that is not decoded correctly by the tool:
https://www.virustotal.com/gui/file/9a822d004f5f813136b0426bce059b9faf14d875829458dbde9e0b9781bf670b

Can you please take a look?

Kevin 🇨🇦

@cccs-kevin That sample is a stage 2 payload which the static version of the script can't decode. However, you should be able to decode it by following the steps below in a VM:

  1. Run the VT sample through CyberChef "JavaScript Beautify" (remove junk data at the end to speed this up)
  2. Add "GOOT3" to the top of the file
  3. Use GootLoaderAutoJsDecode-Dynamic.py to decode the file

Malicious Domains:

hxxps[:]//detailworx[.]at/xmlrpc.php
hxxps[:]//carlapinana[.]ch/xmlrpc.php
hxxps[:]//stpaulsiding[.]net/xmlrpc.php
hxxps[:]//soccerinteraction[.]com/xmlrpc.php
hxxps[:]//alfatihmakassar[.]sch[.]id/xmlrpc.php
hxxps[:]//phpchart[.]com/xmlrpc.php
hxxps[:]//jatanshah[.]in/xmlrpc.php
hxxps[:]//ismeteroglu[.]com/xmlrpc.php
hxxps[:]//nutrabay[.]com/xmlrpc.php
hxxps[:]//nightlifepizza[.]com/xmlrpc.php
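As an added example (my code, not part of this issue or of the mandiant/gootloader repository): a small defender-side helper that refangs the defanged list above into hostnames and runs them against a few constructed proxy log lines. The log lines and the Squid-like layout are made up for the demonstration; the indicators are the ones posted above.

```python
import re

# Defanged list exactly as posted in the issue above.
DEFANGED_IOCS = """
hxxps[:]//detailworx[.]at/xmlrpc.php
hxxps[:]//carlapinana[.]ch/xmlrpc.php
hxxps[:]//stpaulsiding[.]net/xmlrpc.php
hxxps[:]//soccerinteraction[.]com/xmlrpc.php
hxxps[:]//alfatihmakassar[.]sch[.]id/xmlrpc.php
hxxps[:]//phpchart[.]com/xmlrpc.php
hxxps[:]//jatanshah[.]in/xmlrpc.php
hxxps[:]//ismeteroglu[.]com/xmlrpc.php
hxxps[:]//nutrabay[.]com/xmlrpc.php
hxxps[:]//nightlifepizza[.]com/xmlrpc.php
"""

# Common defanging substitutions, ordered so that "hxxps" is handled before
# "hxxp" (otherwise it would become "httpss").
_REFANG_RULES = (("hxxps", "https"), ("hxxp", "http"), ("[:]", ":"), ("[.]", "."))


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL string."""
    for old, new in _REFANG_RULES:
        ioc = ioc.replace(old, new)
    return ioc


def ioc_hosts(defanged_block: str) -> set:
    """Lower-cased hostnames extracted from a block of defanged URLs."""
    hosts = set()
    for line in defanged_block.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"https?://([^/\s]+)", refang(line))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


# Constructed proxy log lines in a Squid-like access.log layout; not real traffic.
SAMPLE_PROXY_LOG = [
    "1700000000.123 10.0.0.5 TCP_MISS/200 POST https://detailworx.at/xmlrpc.php - HIER_DIRECT/203.0.113.10 text/xml",
    "1700000001.456 10.0.0.7 TCP_MISS/200 GET https://www.example.com/index.html - HIER_DIRECT/203.0.113.11 text/html",
    "1700000002.789 10.0.0.5 TCP_MISS/200 POST https://NutraBay.com/xmlrpc.php - HIER_DIRECT/203.0.113.12 text/xml",
    "1700000003.000 10.0.0.9 TCP_MISS/200 GET https://phpchart.com/docs/ - HIER_DIRECT/203.0.113.13 text/html",
]

_REQUEST_RE = re.compile(r"\b(GET|POST)\s+https?://([^/\s]+)(/\S*)?")


def find_hits(log_lines, hosts):
    """One dict per request to a listed host. A request for /xmlrpc.php on a
    listed host reproduces the exact pattern in the IoC list ("strong"); any
    other path on a listed host is reported as a weaker "host-only" match so
    an analyst can triage it separately."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        method, host, path = m.group(1), m.group(2).lower(), m.group(3) or "/"
        if host not in hosts:
            continue
        strength = "strong" if path.endswith("/xmlrpc.php") else "host-only"
        hits.append({"method": method, "host": host, "path": path, "match": strength})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_PROXY_LOG, ioc_hosts(DEFANGED_IOCS)):
        print(hit)
```

Hostnames are compared case-insensitively, and the path is checked separately from the host so that a listed site serving unrelated content is not silently dropped but also not reported with the same confidence as the xmlrpc.php requests in the list.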
commented

Hey @andy2002a thanks for the quick reply!

I tried each step that you suggested and ended up with the following file (password: infected)
9a822d004f5f813136b0426bce059b9faf14d875829458dbde9e0b9781bf670b_modified.zip

When I pass that file to GootLoaderAutoJsDecode-Dynamic.py, I get the following error:

This script executes part of the GOOTLOADER code, as a result it should only be run in an isolated environment. This script should only be used if the static version (GootLoaderAutoJsDecode.py) fails.

GootLoader Obfuscation Variant 3.0 detected

If this fails try using CyberChef "JavaScript Beautify" against the sample first.
Traceback (most recent call last):
  File "/path/gootloader/GootLoaderAutoJsDecode-Dynamic.py", line 296, in <module>
    gootDecode(args.jsFilePath)
  File "/path/gootloader/GootLoaderAutoJsDecode-Dynamic.py", line 218, in gootDecode
    CodeMatch = findCodeinQuotePattern.search(round1Result)[0]
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
TypeError: 'NoneType' object is not subscriptable

It looks like the stringToDecode leading up to this error is '(3)4;=}x hcramtwcohg(mex)k e{G m}htluulDrrtoxt=cmuyrvtnsdnyo;c ' which results in the round1Result variable equal to ' ;ydnvym=xtrlut} { )e(hctac };)(34=xhrmwogmxkeGmhluDrotcurtsnoc'.

Then https://github.com/mandiant/gootloader/blob/main/GootLoaderAutoJsDecode-Dynamic.py#L218 is unable to find a match using the findCodeinQuotePattern regular expression.

Am I doing something wrong or are you using an updated version?
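An added example (my code, not the repository's decoder and not part of this thread): it reproduces the round-1 string transform from the two values Kevin quoted, and shows a None-safe replacement for the `search(...)[0]` line that produced the TypeError. The alternating prepend/append rule is an inference from those two strings alone, and `QUOTED_CODE_PATTERN` is a hypothetical placeholder for `findCodeinQuotePattern`, whose real definition is not on this page.

```python
import re

# The two strings quoted in the comment above: the input to the first decode
# round and the round1Result it produced.
STRING_TO_DECODE = '(3)4;=}x hcramtwcohg(mex)k e{G m}htluulDrrtoxt=cmuyrvtnsdnyo;c '
ROUND1_RESULT = ' ;ydnvym=xtrlut} { )e(hctac };)(34=xhrmwogmxkeGmhluDrotcurtsnoc'


def parity_unscramble(s: str) -> str:
    """Assumed round-1 transform: prepend characters at even indexes, append
    characters at odd indexes. This is my reading of the two strings above
    (it reproduces them exactly); it is not the decoder script's own code."""
    out = ""
    for i, ch in enumerate(s):
        out = ch + out if i % 2 == 0 else out + ch
    return out


# Hypothetical stand-in for findCodeinQuotePattern (the real pattern is not
# shown in the issue): a run of text inside single quotes.
QUOTED_CODE_PATTERN = re.compile(r"'([^']+)'")


def extract_quoted_code(text: str, pattern=QUOTED_CODE_PATTERN) -> str:
    """Like `pattern.search(text)[0]`, but a non-match raises a ValueError that
    names the pattern and previews the input, instead of the bare
    "'NoneType' object is not subscriptable" seen in the traceback."""
    m = pattern.search(text)
    if m is None:
        raise ValueError(
            f"pattern {pattern.pattern!r} found nothing in round-1 output; "
            f"input starts {text[:40]!r}"
        )
    return m[0]


if __name__ == "__main__":
    r1 = parity_unscramble(STRING_TO_DECODE)
    print(r1 == ROUND1_RESULT)   # True: the transform reproduces the quoted value
    print(r1[::-1])              # read right to left, JavaScript fragments appear
    try:
        extract_quoted_code(r1)
    except ValueError as e:
        print("no match:", e)
```

Reading `ROUND1_RESULT` right to left gives `constructor...();} catch(e) { }...`, which is why the round-1 output contains no quoted code for a pattern to find; surfacing that as a ValueError with the input preview makes a mismatch like the one in the traceback diagnosable without re-running under a debugger.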

In "JavaScript Beautify" use "\t" for the indent string option: https://www.virustotal.com/gui/file/e556340f600c125714aabb0532310bc490adc6897d2c0ae71370f1edc9626083/details

Let me know if that works

@cccs-kevin

commented

Yes that works! Thank you!