Gootkit... analysing malicious JavaScript
Gootkit continues to target Australian companies, with sites still live as of the time of this post. Searching for an Australian company name together with the words "enterprise agreement" will often produce a first-page result linking to a malicious site, which in turn usually hosts a fake forum with a post containing the link to the malicious download. I managed to get a hit after trying a few different random company names.
The forum page carrying the malicious link is only served on the first visit; on subsequent visits the user is redirected to a normal-looking blog post.



Clicking the link leads to the download of a zip file which contains a JavaScript file.


At first glance the file appears to be benign jQuery.


When compared with the official library it is almost identical, except that some additional lines have been added at a few locations.
After extracting and prettifying the code we can see a bunch of variables and what looks like a de-obfuscator function.
Using the SpiderMonkey JS engine I was able to print the output of the function to reveal the second layer of obfuscated code. Below we can see a reference to WScript and a try/catch statement in which the registry key 'kdGZI' is read; if the read fails, a registry key with the same value is set.

Following that is a second try/catch statement in which a block of obfuscated code is called; if it fails, the script sleeps for 115301536 ms, or ~32 hours.
I was not able to get any further with SpiderMonkey, so I loaded the code into Visual Studio and used its debugging function. By adding WScript as an external tool in Visual Studio, we can attach to the process and run the code in the debugger.


Now I can run the code and inspect the variables as I step through, checking whether the de-obfuscated code is set anywhere.
After stepping through a bit I can see the variable named 'reason5' being set to the obfuscated code string that we saw when we revealed the second layer. Searching the code for 'reason5', I can see it is used in the function 'began2'.


This may be the de-obfuscator function, so I assigned the obfuscated code to the variable and called the function after replacing the return with a print statement.
And we have the final decoded string.


Once the code is cleaned up a bit we can see the final script. There are 3 domain names on line 1; the script makes a call to each domain with a sleep of ~20 seconds in between. Also, if the user is in a domain, a string of numbers is added to the parameter p.


And there we have it: using both the SpiderMonkey JS engine and the Visual Studio debugger we were able to understand how the code worked, extract the IOCs and de-obfuscate the payload.