Loading GootLoader
Disclaimer: Opinions expressed are solely my own. None of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer.

In this blog, I will be taking a look at the initial GootLoader sample (MD5: 4dd369b5e028beebe3aa5c980960c502, SHA256: c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020). It is available here: https://bazaar.abuse.ch/sample/c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020/

The sample is a JavaScript program meant to be executed on Windows using wscript.exe. Opening the sample in a text editor, it appears to be the jQuery library 3.6.0 (screenshot below). Comparing the sample with jQuery 3.6.0 downloaded from https://code.jquery.com/jquery-3.6.0.js, differences can be observed. The following lines show the code inserted to create the sample:

One important thing to mention about JavaScript: if a variable is assigned to without a declaration keyword such as var, it is treated as a global variable.
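The comparison above was done by hand against the pristine jquery-3.6.0.js. The following Node.js script is an added example, not code from the post or from the sample: it diffs a suspect file against the reference library line by line, reports the inserted lines, and flags those that assign to a bare identifier (the implicit-global pattern just described). The reference and sample text are constructed stand-ins of a few lines, and the function and constant names are my own.

```javascript
// Added example, not from the original post. Names here (insertedLines,
// implicitGlobals, REFERENCE, SAMPLE) are mine; it automates the comparison above.
// LCS diff over lines: lines present in `sample` but absent from `reference`,
// each with its 1-based line number in the sample.
function insertedLines(reference, sample) {
  const a = reference.split("\n");
  const b = sample.split("\n");
  // dp[i][j] = length of the longest common subsequence of a[i..] and b[j..]
  const dp = Array.from({ length: a.length + 1 },
    () => new Array(b.length + 1).fill(0));
  for (let i = a.length - 1; i >= 0; i--) {
    for (let j = b.length - 1; j >= 0; j--) {
      dp[i][j] = a[i] === b[j]
        ? dp[i + 1][j + 1] + 1
        : Math.max(dp[i + 1][j], dp[i][j + 1]);
    }
  }
  const added = [];
  let i = 0, j = 0;
  while (i < a.length && j < b.length) {
    if (a[i] === b[j]) { i++; j++; }                 // unchanged line
    else if (dp[i + 1][j] >= dp[i][j + 1]) i++;      // reference line missing
    else added.push({ line: j + 1, text: b[j++] });  // inserted line
  }
  while (j < b.length) added.push({ line: j + 1, text: b[j++] });
  return added;
}

// The post's point: an inserted line assigning to a bare identifier with no
// var/let/const creates a global in a sloppy-mode script host such as wscript.exe.
const IMPLICIT_GLOBAL = /^\s*[A-Za-z_$][\w$]*\s*=[^=]/; // `=[^=]` skips ==, += etc.
function implicitGlobals(added) {
  return added.filter((l) => IMPLICIT_GLOBAL.test(l.text));
}

// Constructed stand-ins: lines shaped like jquery-3.6.0.js, and a copy with two
// placeholder lines spliced in (not the real sample's inserted code).
const REFERENCE = [
  "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */",
  "( function( global, factory ) {",
  "} )( typeof window !== \"undefined\" ? window : this, function( window ) {",
].join("\n");
const SAMPLE = [
  "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */",
  "stageName = 'placeholder';",           // no keyword: implicit global
  "( function( global, factory ) {",
  "var helperCount = stageName.length;", // declared with var: inserted only
  "} )( typeof window !== \"undefined\" ? window : this, function( window ) {",
].join("\n");
```

Run `insertedLines(REFERENCE, SAMPLE)` to list both spliced lines, and pass the result to `implicitGlobals` to keep only the keyword-less assignment; on a real file, replace the constants with the contents of jquery-3.6.0.js and the sample.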