Strange File in Downloads Folder? Gootloader Malware Analysis

Captions
This strange zip file was found in a user's Downloads folder: "Non-Compete Agreement Installment Sale 38907." Opening the zip file, we have a .js script. So to get started with some analysis, for safety reasons I'm not going to be opening this up on Windows; I do want to take a look at it in REMnux, the reverse engineering and malware Linux distribution. I've opened up my terminal here with a directory that's just "strange download" and the non-compete agreement installment sale zip file, so I'm going to go ahead and unzip this. I'll go ahead and tab-complete that, and it goes ahead and extracts it to non-compete agreement installmentsale.js, that very same JScript file that we were just looking at. So I'm going to take a look at this within Sublime Text, my text editor, and let's see what this thing is. Interestingly enough, it looks just like a regular online library or module component written in JavaScript that would then be used for other online applications like websites. But interestingly enough, if I kind of keep exploring and scroll down through here, we see some weird-looking code. Here's a function bitf with an argument caught3 that has more randomly named variables to do different things, all kind of strewn along and carried throughout what was originally probably genuine code, like actual legitimate code written for a library called Backbone. And we can actually do some research here: Backbone.js is of course a real, legitimate JavaScript module. This file was trying to masquerade as version 1.4.1, so I'm kind of curious: hey, can we actually get that 1.4.1? This is of course the production minified and compressed rendition, but if we get the development version, we might be able to see exactly what we saw just a moment ago within Sublime Text. So here's an idea: we could honestly just kind of take this original source code, make it an original file, original_backbone.js is supposedly a fine name here, and with that we could kind of compare and contrast: hey, what does one look like compared to the other, side by side?

We can use the diff tool to take a look at this. We could use a graphical tool like meld to see the differences. It might be meld, let's go find out, let me see, is it meld? Yeah, okay: sudo install meld. Totally cool with installing that; that's a good one if you wanted a graphical representation of the different files here. Now that's downloaded, I can run meld with the non-compete and the original Backbone file. It says, hey, these files are really, really large, so we could try and keep highlighting it despite all those differences. But take a look at all the green interjected portions here that are not present in the right-hand original Backbone script. All the other lines, verbatim as they were, are still present, but just kind of cut up and separated with malicious code with that weird obfuscated sense. So with meld identifying all the things that were present in one file and not the other, we could actually go ahead and Save As, or Format as Patch, which will give us the diff in the patch file format and structure as to the lines that are present or not present in the other. This might be kind of cool, because we could go and extract out and carve out all of those ones prefixed by the minus sign, the lines that were different or not in the other, original file. So let me go ahead and save this; I'll put this as "differences," and I guess that's just fine without a file extension. If I take a look at this, this is everything that we just saw, but I want only the lines that start with this hyphen here, or the minus sign, to say this is in the other, left-hand side of the files that we were comparing. So let's try to see if we can cut those out. What I'll do is I'll cat out the differences file and pipe it to grep, where I will only look, with extended regular expressions, for the things that start with... so the caret symbol, referring to the very start of a line, a hyphen, and then literally anything that follows it. Can I get that? There we go.

Now I have all of that output that seems to have matched, and let's see, do I have clear functions at the very, very beginning of this? I know this is a lot of red; it looks pretty bloody. Hey, let's just go ahead and redirect this to a bad.js, or JavaScript. Can I open that up? Yeah, okay, cool. So it looks like it has intact functions at the very beginning, and maybe building out all of the functionality and features that this original stager would have needed. Now I can go ahead and remove... I'm gonna Ctrl+A to select all lines, Ctrl+Shift+L in Sublime Text, press the Home key and then just shift over with my arrow to the right to remove all of those preceding hyphens. We could very well have done that in bash with some sweet commands, but hey, Sublime Text makes it just as easy. Now if I turn on word wrap, we might be able to see just how egregious this thing is. Over in the right-hand scroll bar of Sublime Text you can see a lot of nonsense, a whole lot of obfuscated data. It looks like, oh, there might even still be some commentative extents of Backbone, whatever. All of this looks like nonsense, though, and I gotta be honest, obfuscated JavaScript sucks, especially with this amount, this sheer caliber of how much data we want to dig through and try to reverse. I don't exactly want to do that by hand, I'll be the first to admit. So with this carved out, I think I'll go ahead and honestly bring this back over to Windows and see if I can do some dynamic analysis to see what the heck this thing does when it's run, when it's executed and detonated on a machine.

So I've got this file now present inside of the FLARE VM, and I do want to go ahead and disconnect the network adapter just in case there are any oddities to this thing, so I'll go ahead over to VM, Removable Devices and just turn off the network adapter, hey, just in case. And then, I gotta be honest, let's set this thing up to watch it and monitor it. I'm gonna keep it simple: I'll open up ProcWatch to monitor for new processes, I'll go ahead and open up Process Explorer so that I can see that just as well, I'll open up Procmon, and this isn't super advanced, but it's at least a little bit of visibility as to what's going on, where and when and how. I'll also open up the command prompt and I'll drag that down here. I'll move into the Desktop, and with that I should still see my bad.js file present, which I do. So what I will do is actually clear this list for monitoring processes in ProcWatch, and I'm going to filter with Process Monitor for the process name being cscript.exe, because I want to go ahead and use cscript to actually execute this. I'm not going to double-click it on the desktop, because that would fire off wscript, or one of the Windows graphical user representations for running those JScript files. I could very well do this from the command line. I'll keep the filter on for Process Monitor, make sure it's listening and watching, and then I'll try and run cscript.exe on my bad.js file. Now I want to keep an eye on Process Explorer, Procmon and ProcWatch, and let's see, when I fire this thing off, what is it going to do? So it ends up invoking, of course, cscript; nothing else seems to follow it. It looks like it's still running, which is interesting, and there are a whole lot of results coming inside of Process Monitor: a whole lot of opening registry keys, a whole lot of loading DLLs, things that we'll need to be able to actually do stuff. But I'm curious which of these things are actually going to be left over as artifacts once the script runs or finishes, or, I don't know, what does it try to do? Okay, so finally it has ended; cscript has closed, and I want to know, okay, what is actually happening here. I'm going to expand out Process Monitor to see what they've got going on, the results, the details, anything that might be interesting, but note there are about 8,000 events, so there's a whole lot to sift through here. Trust me, a whole lot of this is boilerplate and not all that interesting, but I do want to see, are there any breadcrumbs we might be able to latch onto?

Here's opening the file, reading it, doing what it does, grabbing a whole lot of encryption-style stuff like bcrypt, RSA; maybe some of this data was obviously also encrypted, and that's one of the things that you never exactly run backwards unless you stare at it for a long, long time. Oh, you know what, I should have run Regshot to see what was different before and after this. I also probably should have made a snapshot. Oh, there are a lot of WriteFile events here to update a Roaming npm cache "Construction Products.log." That looks very weird. There are a lot of these; I am still scrolling. "Construction Products.log" probably isn't normally in the npm cache. I want to go take a look at that, but I do want to look at the offsets here; it just keeps writing crap. What is it doing? Whoa, oh, there's a new one here, "Interactive Design," presumably. Okay, making sure whether it does or doesn't exist, but then they grab the information, set the rename information. What are the properties on that? Oh, okay, so it renames what would have been our Construction Products to interactiondesign.js, and they play with that for a little bit, over and over again, and then the end of this just looks like regular teardown. They're also playing with scheduled tasks. Did they set any of those? I'm curious what sort of persistence they made. Did they make any? Do I have Autoruns? Yeah, I do, okay, cool. So some of this is just going to be normal, natural stuff that the FLARE VM does, oh, but hey, take a look at these scheduled tasks here. Yeah, well, that one looks relatively normal, Windows Media Sharing Update Library, but "Electrical Safety"? No, that looks a little bit weird. Can I see the properties on that? File does not exist, and that's supposed to be wscript, allegedly present in our npm cache directory, and D.exe, which is not present. Where did that one come from? That one's sketch, also file not found.

But seeing some of the task scheduling DLLs loaded within Procmon from our cscript execution, and now seeing some of these "Electrical Safety" tasks trying to run stuff: if we had that cscript.exe, I wonder what it would be doing. Can I still dig into that? Can I still see what it's trying to do? Within Autoruns we can actually Jump to Entry, and that tries to open it within the Task Scheduler, but it's not present. I don't see it; like, it's not even under, hey, Microsoft, Windows or whatever; it's supposed to just be here. What if I were to go put a file there? Like, can I just copy C:\Windows\System32... let's do notepad. Let's go ahead and put notepad in that npm cache directory; that's in AppData under Roaming, yeah, which is where I am. Okay, npm cache, and there's our interactiondesign.js file. If I just put a notepad.exe and change that to wscript.exe, will this thing run? Hello? Weird, you're supposed to be running notepad. Oh, you probably don't have whatever DLL crap that you need. We could put calculator, but then it's just going to call back to something else; like, that would be dumb. Let's try it: here's a calc.exe, slap that fellow there, let's rename that as our wscript.exe. Will that run? There's a little calculator, okay, cool. So "Electrical Safety," can I refresh this now? Presumably "Electrical Safety," wscript, and, ooh, check it out. Okay, obviously it's a fake, a calculator application taking the place of it, but it will try to fill that out and run our INTERA~1.JS file, which is one of those expanded DOS-prompt short-name things, I think. Let me go to that directory and see if I can show you that. I think I should do it with dir, because that way it'll fill and auto-expand that file name, and there it is, there's our interactiondesign.js. So now I want to open this thing up. All right, so let's open with Sublime Text. How big is this file? Oh my goodness, 40 megabytes; that's going to take a long time. All right, you do you, Sublime Text, I'll be here.

Looks like it's almost done. Oh, okay, can I even interact with this thing? Sublime Text is choking. I want word wrap. Okay, here we go, here we go, here we go. Let's see, oh my gosh, wait, what the heck is that? What is way down here? What is all this? This is not JavaScript code. Is this a giant comment? This is just random letters. This is not code. It ends with a semicolon, okay. At the very, very top there is stuff, and this will execute, that'll detonate, but all of this nonsense, nah, no. Well, okay, so it's at the very, very end, so even if it errors, everything else has already executed. So it's at the end of the code segment here, but, oh God, Sublime Text is dying. Okay, so all of this is nonsense and we can kill this, and that's like what, 90% of the file, if not 98% of the file. Like, this is the only portion I care about, so I wonder if I can just kind of cut that last bit. So this is where it starts: "srl" is where all the nonsense random letters begin; can I just chop that off? Sublime Text is gonna choke on it. Okay, so let me Ctrl+End, oh no, all the way to the end, and Delete. Okay, now it's gone, right? I can save this and now I have that. But can I beautify this? Can I beautify JavaScript, please? There is a certain amount of sketchiness in just putting a piece of malware, or obfuscated bad code, into a beautifier that is online, but I'm going to be assuming that it is written in JavaScript. I hope so. I don't have internet, duh. All right, so let me just slap it in here, beautify that code, and there we go, now we have some things. Save this as, I'll put it on my desktop here again, so like, here's cleaned_stage2.js. Okay, so this is the exact same sort of manipulated, obfuscated, weird random variable names and letters and just random junk that we started with in our first layer of the backbone.js, but I'm curious what this will do now. So hey, we'll go back to some more of that dynamic analysis. If we're just trusting ourselves to run it, we could go through and say, hey, here's the source of contact, here's first touch, which is when we run the bright P4 function; if you wanted to trace it back between what arguments are passed to it, what would literally "and steam zero" tend to do, but that's going to take a lot of time and I just want to see this thing explode.

But before we go any further, please let me include a quick shout-out and some love to today's sponsor. If you're anything like me, you love malware, and you love hacking, you love red teaming and penetration testing and all the super cool stuff that you do with adversarial emulation. So what if you put those two together? What if you wrote and developed your own custom malware for red team? Well, you can learn how with some of the incredible training from the Sektor7 Institute. Now, I don't have to sing the praises of Sektor7 because you probably already know just how fantastic their material is, but if you aren't familiar, Sektor7 is all about information security research, focusing on developing and refining both new and existing offensive techniques and tradecraft. With Sektor7 you learn how to be an expert red teamer, how to build a team and how to develop your own in-house tooling. Learn the ropes with their Red Team Operator courses, from Windows persistence, Windows privilege escalation, defense evasion and of course malware development. Learn how to hide your payloads in memory, in the corners and crevices of the NTFS file system and registry, create global hooks, call APIs in remote processes via RPC, perform process injection, operate with stealth and craft userland rootkits, and so, so much more. Sektor7 sets the bar for red teaming training in the industry, and I'm a huge fan of all the great work that they do, and with that I am super excited to partner with them to offer 20% off of their Malware Development Essentials course. Get started learning top-class red teaming and malware development with Sektor7 with my link below in the video description. Huge thanks to Sektor7 for sponsoring this video.

So let's get back to running our Procmon, and let's get back to having ProcWatch and Process Explorer all open, and I neglected to run Regshot or even TCPView. Granted, I don't have internet connectivity because I removed the network adapter, but it might still be worth trying to see what pops up and opens, or at least attempts to, right? I'll bring that over, Process Monitor, actually, well, I want all of these, I gotta admit, I need more screen space, and let's bring TCPView there. Okay, so I can go ahead and slap Regshot on the desktop just as well, and let's go ahead and get our command prompt up and running. Let's bring this down to the bottom left again. I'll change directory to my desktop; we'll come in and know how to handle that, no, the user profile batch variable is going to work, yeah, okay, cool. Let's get to Desktop, and now I have my cleaned_stage2.js file. Let's take our first shot. Okay, I think we are looking good, let's try and take the first shot of the registry. Okay, done; all the keys, a lot of values. And with that let's fire the gun here, so we want to run cscript on our cleaned_stage2 and let's see what happens. Firing it up, cscript is cruising. I forgot, oh, I forgot to start filtering with Procmon, no! Oh, at least it was cscript, I can Ctrl+C before, you know, stuff started to happen. I'm really bad at this, guys, I'm really bad. Okay, start filtering on cscript, let's stop and start, now we go, and let's fire the gun. Okay, cscript is now running, we see it started, and I see no outbound connections, not that any are going to be able to try to anyway. It is going to do that run and process another, hanging at about 1,834 events, probably all the startup. Oh, there we go, whoa, something's happening. What was that, what was that, what was that? Did you see that? Where did this PowerShell come from? Let me check ProcWatch. Oh, it tried to run PowerShell. It did, it did run PowerShell, and this is where we left off in Procmon, so let's go see what it did.

What the... RegOpenKey, WScript.Shell with random case; looks like a little SpongeBob meme. Lot of shenanigans. Did you get out? Hey, CreateFile, Desktop\powershell, name not found, powershell yet again, okay. So it goes through the PATH trying to find and run PowerShell, so it's literally gonna detonate PowerShell. There it is, yeah, opens it. What is this registry key? Oh, I should Regshot before I go click around again. This meme case is obviously like a smoking gun, and then it dies, and then it kills itself; cscript just exits. But I want to know what's going on with PowerShell right now; that PowerShell process is still running. Okay, that's done. Can I compare these now, see what changes have been made in the registry, the best it can? This PowerShell, the weird sketchy PowerShell, can I get any info on that? Whoa, okay, the command line doesn't give me anything new; it's not taking in any arguments or doing anything. It's probably just executing something. Did you see the csc.exe that ran though? Like, it was a child process for a moment. See what .NET assemblies this thing might have pulled in; is there anything weird or random? Yeah, there's that guy, "mouse05wh." Can I get some more details on that? It's just loaded right away; like, I'm sure it's some inline C#. Anyway, it's still running. Keys deleted: zero, keys added: one, values added, values modified, okay, so we got some stuff to look at. Some of these virtual desktop things, nothing all that cool though. Whoa, what is being set for this UserAssist randomness here, "rkr ceb p64"? So, randomness, all right, we can go down that road a little bit later if we wanted to. If this thing had internet I want to know what it would do, because PowerShell's still going. Well, what we might be able to do to get a little bit more visibility as to what's happening with PowerShell is honestly just turn on PowerShell transcription logging, and I think that actually might even already be on, because of FLARE. Do I have PowerShell transcripts? I do, okay.

So for today, when this thing ran, that would have been a little bit ago, 3:56, right, so what gets started here? Yeah, here's our host application, weird wonky PowerShell, meme case. And what does this thing do? Loads up the profile, Out-String, errors with some stuff. Look at this, look at this, look at this: here's some of the randomness I want to grab. GetResponse 0, GetResponse 0, GetResponse 0, okay, it's trying to call out to something: "remote name could not be resolved," and all of these, look at that, oh my gosh, are these like different command and control frameworks just trying to reach out? Dude, let's pull apart that PowerShell, let me see that super quick. All right, save that as a .ps1, all right, cool, let's do word wrap, crap, and we've got to be able to beautify this. There is no good PowerShell deobfuscator that I know of, so let me just try to cruise through this by hand here.

Okay, I think I have it basically cleaned up here. We've got this function igvKook, which is seemingly the main function, passed in with an argument. There is a variable declared with a seemingly random string of hex values. An innermost function, scwi, ends up writing a compressed gzip into memory, and, oh man, I want that, I want to know what that is and how that's doing it, especially because it looks like it's cut up; it joins together some pieces here and it slaps it out into memory. Okay, and base64 is in the mix just as well, but what is it pulling here? Hang on, I didn't finish. There's a for loop where we get... oh, it compresses the data that you give to it, and it's going to end up grabbing environment data names and OS WMI portions to get the operating system name, and gps is going to be Get-Process, I believe, to see what processes are running, to see which active processes are open, or what's running and just displayed on your desktop with the main window title. You could run that and validate that, along with Namespace 0, which is all the items on your desktop. And we could see that like here, I'll show you these super duper quick: fire up PowerShell, slap that in, Desktop, you want to look through the items on that? Hey, you got it, my friend, you take the reins, grab that, pull it out. You'll be able to see here all the files, all the folders, here's everything that is on your desktop at the moment. And it looks like they're taking that data, bundling it up into a base64-encoded gzip object, and then it tries to get where there are free drives, and then, okay, yeah, does some callbacks, like creates the TLS boilerplate to be able to create a new web request with a fake boilerplate user agent, cookies, ooh, that looks like it's grabbing each of these, yeah, all those pieces of data. That just exfiltrated those variables that we see being set; all those things that we just got collected are now going to be exfiltrated via a cookie, and that is going to use their victim ID, presumably, from what it looks like, as to hey, what target is this and what information have we gotten from there. And then if we have a response, like if we can pull back the response from the connection here after we go ahead and send this, if we read to the end, splitting on the victim ID, if it provides some info, like if there are three accounts or whatever trigger that it might need, it'll go ahead and IEX, or Invoke-Expression, to run and detonate that so it can do some command and control. It's like simple PowerShell command and control, wow. Oh, so did we see an Add-Type? We saw csc get run, but I never saw an Add-Type. How did they... I thought I saw csc get run, but maybe that's just regular PowerShell doing its thing. I don't know, it didn't show it in ProcWatch. But the coolest part here is this little while loop that says, hey, run that big old function for all of these potentially online, maybe available, different command and control servers, and all these are xmlrpc.php. It'll just grab a random one and then try again in 20 seconds if it failed; try-catch, do nothing if it fails, but keep cruising, hahaha.

With that, I think the analysis is done, but there is a looming question as to, okay, what the heck were we just looking at? If we bundled that all down to eventually just a weird PowerShell implant for some cutesy command and control, what about all those techniques and tradecraft and everything that might help us identify what sort of threat actor or malware family this really was? Some folks might have already caught on: this presumably, at least, looks like Gootloader. Gootloader is kind of a recent new threat in the spotlight; however, it has been around for a couple of years, but it's seeing some peculiar stuff, and Mandiant actually got an article out about it just last month, in January. The infection chain is chatting about all the same sort of stuff that we have done: it is everything that's going to download a malicious zip archive stored in the Downloads, includes a JavaScript, excuse me, JScript file run with wscript.exe, or cscript if we're doing it manually from the command line, but double-clicking on it will, as I mentioned, trigger wscript. It does try to reach out to some of those domains that we saw; I don't know if it's just three hard-coded ones, we saw a good many, and I have not yet seen all of those registry changes like FONELAUNCH or BEACON that are put in here based off of their usernames; at least in the sample that we were playing with we didn't see those changes in the registry. However, if it says it's downloading these payloads, we had internet off; we could turn this thing on if we really wanted to, but hey, that would make a little bit more of a mess, even when I ran this in an online sandbox. And let me add a note here: it is usually discouraged to run things in an online sandbox just because you don't know, hey, what information, what thing it might do, what potentially identifiable information, whether it's for customers, clients, yada yada yada, that you just don't want in the mix. So it's sort of bad practice to just give it away to that external thing. When you get to it and play with it locally, you can, but you might not have all the bells and whistles that a nice online sandbox might have. So of course, hey, we could turn on the internet, but then I just don't know if I want to infect my virtual machine. I can roll back to a snapshot if we want to, but whatever, I digress.

They have also seen tradecraft that ends up building out a Cobalt Strike Beacon; however, I'll admit I haven't seen that, ours was just like a weird command and control with PowerShell, but maybe I'm out of the loop or I didn't track down all the odds and ends of it. Really neat thing though, exactly what we were seeing: wscript ends up creating an inflated file with a .log extension, that was our Construction Products.log or whatever, in a random directory with a hard-coded file name, and ends up with obfuscated JScript followed by a padding of random characters to increase the file size. That 40-megabyte file is intentionally put that way so that antivirus vendors or whatever products and security mechanisms might just choke on it, like Sublime Text was when I tried to open it. The .log is renamed, ends up creating a scheduled task that executed, as we saw, there it is, wscript, and cscript launch a PowerShell process that reaches out to 10 hard-coded domains. Okay, so that is what we saw, and exactly as we saw it: grabbing environment variables, Windows OS version, file names, running processes, gzip-compressed, base64-encoded and then sent to the C2 server in the cookie. Cruising through this, because again this is just a recap on everything that you've seen: the obfuscated stuff, as we were just taking a look at, again, even looks like Gootloader, randomly named variables, lots of backslashes and single quotes and things that it just slaps together here. And another recent change that we were even privy to was our backbone.js, or genuine JavaScript file, like a JavaScript library; looks like they had ones that they'd seen through like a trojanized or another representation of like a jQuery library, and here they go into exactly that: several legitimate JavaScript libraries, Chroma, Underscore, and ours was Backbone. They do list a whole lot of indicators of compromise or other things that we were just seeing and tracking, but hey, all in all, really great article and write-up from Mandiant; huge kudos and hats off to you all for that. I am curious if we would have been able to see those FONELAUNCH, BEACON, whatever things, because those are .NET assemblies, and you can see they cracked them open with dnSpy, and since we saw that csc.exe, the C# compiler, execute, I wonder if it was trying to do that but we just didn't have it pulled down. So I'm curious if we would have been able to find those.

Another good threat intel blog and article on this from our good friends over at Red Canary; I see some familiar faces on this, hey, great to see you doing great work, and again this is in May of 2022, last modified in November, so some changes, and look, Gootloader is nothing new by any means; it's still one threat that's out there and around, using some of those JScript, PowerShell, .NET shenanigans. They do all have the same sort of lore in the file name, or even the downloadable that is starting this thing off, like "financial support," "broker price option," "progress billing," trying to look relatively reasonable but still evil. Here's a, hey, "how do I withdraw funds," right? They were also tracking that same .NET DLL persistence and the scheduled task to run whenever the user logs in, as we saw. Granted, maybe we could have seen Cobalt Strike come through this, but again we did not get the C2 server's response, if it were to actually connect externally online. But if I may please say, Gootloader has been running rampant for a little bit, so much so that there was even a Twitter account called Gootloader Sites that would just share a couple of those command and control sites, or those xmlrpc URLs that we saw, or things just hosting and serving up the original payload. Now that account has been suspended for whatever reason online on Twitter, so that's dumb and silly, and it makes me sad because I was following that account and I really liked seeing, whoa, hey, there's a new Gootloader going around, not that that's a good thing, but you know, it's something to chase. With that, I've been rambling for way too long, but I hope you thought this was a fun one, a little bit exploratory, a little bit of, hey, using our own tools in our own little FLARE VM or REMnux to be able to pull this apart. Nothing too crazy, nothing too fancy; we weren't digging into assembly opcodes or low-level compiled stuff, but please, please, please give some love to our sponsor Sektor7 to be able to go dig into some of that yourself. Should be a ton of fun, and you get into more leet stuff than me, I gotta admit. So hey, still a lot of cool, cool stuff to see, the tradecraft, but I'm done yapping. I'll see you next video, everyone. Like, comment, subscribe, take care.
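Two of the triage steps from the video, the meld/grep carve-out of the lines injected into the Backbone library and the trimming of the random-letter padding on the dropped stage-two file, written up as an added Python example (not code from the video or from any project it mentions). The JavaScript snippets, the function names q3fZ/k7/zc9 and the padding string are constructed stand-ins, not the real sample.

```python
"""Triage helpers for a trojanized JavaScript library (added example).

  1. carve out the lines that exist only in the suspicious copy of the
     library (the injected, obfuscated code interleaved with genuine source);
  2. trim the giant run of random letters padded onto the dropped
     stage-two file so the remaining code is small enough to beautify.
All sample data below is constructed for this example.
"""
from __future__ import annotations

import difflib
import string

# Constructed stand-in for the genuine library (think: development backbone.js).
GENUINE_JS = """\
(function(root, factory) {
  root.Backbone = factory(root, {}, root._, root.$);
})(this, function(root, Backbone, _, $) {
  Backbone.VERSION = '1.4.1';
  var slice = Array.prototype.slice;
  Backbone.Events = {};
  return Backbone;
});
"""

# Constructed stand-in for the trojanized copy: every genuine line is still
# there verbatim, with two made-up injected lines interleaved between them.
TROJANIZED_JS = """\
(function(root, factory) {
  root.Backbone = factory(root, {}, root._, root.$);
function q3fZ(a1) { var k7 = 'constructed'; return a1 + k7; }
})(this, function(root, Backbone, _, $) {
  Backbone.VERSION = '1.4.1';
var zc9 = q3fZ(81);
  var slice = Array.prototype.slice;
  Backbone.Events = {};
  return Backbone;
});
"""

# Constructed stand-in for the dropped stage two: a little code, then a long
# letters-only tail (the real file was ~40 MB of this), itself ending in ';'.
STAGE2_JS = "var k9 = 'constructed';\nsrl" + "QwErTy" * 100 + ";"


def carve_injected_lines(genuine: str, suspect: str) -> list[str]:
    """Return the lines present in `suspect` but absent from `genuine`.

    Same idea as the video: build a unified diff with the suspect file on
    the left-hand ('-') side, keep only the '-' lines, strip the marker.
    A genuine line that was *modified* (rather than merely surrounded by
    new lines) also comes back, in its modified form, just as with grep '^-'.
    """
    diff = list(difflib.unified_diff(
        suspect.splitlines(), genuine.splitlines(),
        fromfile="suspect", tofile="genuine", lineterm="", n=0))
    # diff[0:2] are the '---'/'+++' file headers; '@@' lines are hunk headers,
    # so after skipping the headers only real content starts with '-'.
    return [line[1:] for line in diff[2:] if line.startswith("-")]


def strip_padding_tail(js: str, min_run: int = 200) -> str:
    """Cut off a trailing ASCII-letters-only run of at least `min_run` chars.

    The padding in the video sat after the last real statement and itself
    ended in a ';', so an optional final ';' is ignored before scanning.
    If no long run is found the input is returned untouched.  If the real
    code ended in an identifier with no separator before the padding, that
    identifier's tail is lost too; for triage that is an acceptable trade.
    """
    body = js.rstrip()
    if body.endswith(";"):
        body = body[:-1]
    end = len(body)
    start = end
    while start > 0 and body[start - 1] in string.ascii_letters:
        start -= 1          # walk backwards over the letters-only tail
    if end - start < min_run:
        return js
    return body[:start].rstrip() + "\n"


def padding_ratio(original: str, cleaned: str) -> float:
    """Fraction of the file that was padding: a useful triage signal by itself."""
    return 1.0 - len(cleaned) / len(original) if original else 0.0


if __name__ == "__main__":
    for line in carve_injected_lines(GENUINE_JS, TROJANIZED_JS):
        print("injected:", line)
    cleaned = strip_padding_tail(STAGE2_JS)
    print("stage two after trim:", cleaned.strip())
    print(f"padding was {padding_ratio(STAGE2_JS, cleaned):.1%} of the file")
```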
Info
Channel: John Hammond
Views: 639,144
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: zBt6uEuMOd4
Length: 30min 19sec (1819 seconds)
Published: Thu Mar 02 2023