Loading GootLoader

-

 

Disclaimer: Opinions expressed are solely my own. None of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer.

In this blog, I will be taking a look at the initial GootLoader sample (MD5: 4dd369b5e028beebe3aa5c980960c502 , Sha256: c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020). 

Available here: https://bazaar.abuse.ch/sample/c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020/ 

The sample is a javascript program which is meant to be executed in windows using wscript.exe. 

Opening the sample in a text editor, it appears to look like jquery library 3.6.0 (screenshot below).


Comparing the sample with jqeury 3.6.0 downloaded from https://code.jquery.com/jquery-3.6.0.js, differences can be observed. 

The following lines shows the code inserted to create the sample: 


One important thing to mention about javascript: If a variable is declared without keywords such as var, it will be treated as global variable. 

After reading the code, following points can be observed: 

  • Function seat07() is incrementing a variable in a loop. The incremented variable is not referred in any part of the code. This is most likely done to increase the execution time and thus timeout sandbox detection. Commenting out the function would speed up the execution.
  • Function gone068() contains the obfuscated string which is likely deobfuscated and executed. Generally, deobfuscated string would require one of the following to be executed:
    • eval()
    • function constructor 
    • window object  
  • It would be interesting to see how deobfuscated string is executed in this sample.
  • Function law1() and present4() are quite interesting because they are accessing array elements and making a call. They could be used to call deobfuscating routine and execute the deobfuscated string. 

After adding breakpoints and running the program in a javascript debugger, first layer of the GootLoader becomes clear: 
 

Following points can be observed:
  • Deobfuscated strings are executed using function constructor.
  • It contains obfuscated string which needs to be deobfuscated. 
  • It also seems to be accessing the registry: HKEY_CURRENT_USER  

Deobfuscating the string in first layer reveals the second layer of GootLoader: 
 


The following points can be noted: 
  • It checks if the environment variable userdnsdomain is set which would indicate that the system is part of AD. 
  • If active directory is set, then it would add the string "4173581" to parameter value in its requests.
  • The C2 communication would look something like this:
    • GET request to server with path: test.php?zgntopmtyplqx=
    • The parameter will be <random value>4173581 if computer is part of AD otherwise only <random value> 
    • If the http response status code is anything other than 200, it would sleep for 12345 milliseconds and check for another domain. 
    • If the http response status code is 200, then it would look for the string :  "@<parameter value sent>@" in the response text. 
      • if it is not present, then it will sleep for 23232 milliseconds. 
      • If it is present, then it will do the following:
        • Remove the string "@<parameter value sent>@" in the response text. 
        • Response text is likely to be series of numbers which are parsed as integers then converted to ascii strings which are then deobfuscated. 
If you are interested to read about this campaign, you can read the following blogs:
You can also follow the twitter account: https://twitter.com/GootLoaderSites to get updates about the C2 server used by this campaign. 

In this blog, I used a debugger to deobfuscate the sample. There is a decoder script for this campaign available at: https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py 

You can also read the blog that explains how this decoder script was written: https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/

Have a nice Day! 

Comments

Post a Comment

Popular posts from this blog

AUDI SQLi Labs Lesson 1 walkthrough

-
Image
Hi,Everyone! This post is about audi sqli labs lesson 1. Audi Sqli labs is a vulnerable web application which is designed for practicing various forms of sqli injection. You can download it from github: https://github.com/skyblueee/sqli-labs-php7 and follow this video: https://www.youtube.com/watch?v=Ri0e249x5PY for installation. Let's get started with lesson 1. Lesson 1: Let's add ?id=1 in the url. Well, this means that ?id=1 works. Now, let's try to break this query. You can try different values of id such as 10000000, asdwqe,@, ' etc. When you try ?id=1' , you will see an error message. Let's analyse the error. The important part is : ''1'' LIMIT 0,1'  Remove the first single quote: '1'' LIMIT 0,1 Remove "LIMIT 0,1" : '1'' This means that our given input is being enclosed in a single quote(').  You can fix the query while keeping the value of id as 1' by commenting out the
Read more

Lokibot Campaign

-
Image
  Disclaimer: Opinions expressed are solely my own. None of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer. In this blog, we take a look at Lokibot campaign.  The email  MD5: a42ef269e70416810810d0fa01fe02ee SHA256: 8f8bc761f92ff8f3c442699c8b41358e5716339482264f1ef7d09eb57f68b9f0 VT:  https://www.virustotal.com/gui/file/8f8bc761f92ff8f3c442699c8b41358e5716339482264f1ef7d09eb57f68b9f0 The campaign begins with a email.  The Email Sample The email has a different email-id in From and Reply-to header. It contains an attachment named "Payment Copy.docx" . It appears to be sent from 45.143.7.113 Geolocation information of IP The Attachment MD5: 1ba139d79438fc4406ab8b8fd93f6a30 SHA256: 94fa80c133c152abe46e0f6f20c06b1f27c225f2723915596af2ad8499fa4ff0 The attachment is a docx file which can be treated as a zip file.  After unzipping, we check the file word/_rels/webSettings.xml.rels where we see the remote url Co
Read more