{"id":19390588,"url":"https://github.com/mandiant/gootloader","last_synced_at":"2025-04-24T03:46:26.972Z","repository":{"id":78687444,"uuid":"591058494","full_name":"mandiant/gootloader","owner":"mandiant","description":"Collection of scripts used to deobfuscate GOOTLOADER malware samples.","archived":false,"fork":false,"pushed_at":"2024-12-19T18:05:03.000Z","size":646,"stargazers_count":61,"open_issues_count":1,"forks_count":9,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-24T03:46:21.696Z","etag":null,"topics":["deobfuscation","gootloader"],"latest_commit_sha":null,"homepage":"https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mandiant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-19T20:41:05.000Z","updated_at":"2025-04-02T15:46:41.000Z","dependencies_parsed_at":"2023-09-28T02:26:29.192Z","dependency_job_id":"85df0846-8e13-4987-a5f3-656dfaaf3a31","html_url":"https://github.com/mandiant/gootloader","commit_stats":{"total_commits":29,"total_committers":1,"mean_commits":29.0,"dds":0.0,"last_synced_commit":"18f8960854c28178c5b9984e527c57ff7478428b"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fgootloader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fgootloader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/mandiant%2Fgootloader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fgootloader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant","download_url":"https://codeload.github.com/mandiant/gootloader/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250560000,"owners_count":21450168,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deobfuscation","gootloader"],"created_at":"2024-11-10T10:22:01.731Z","updated_at":"2025-04-24T03:46:26.951Z","avatar_url":"https://github.com/mandiant.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Script Overview\n\n- `GootLoaderAutoJsDecode.py` - automatically decodes `.js` files using static analysis (recommended)\n- `GootLoaderAutoJsDecode-Dynamic.py` - automatically decodes `.js` files using dynamic analysis\n- `GootLoaderManualJsDecode-Dynamic.py` - used to manually decode `.js` files using dynamic analysis\n- `GootloaderRegDecode.py` - automatically decodes reg payload exports\n- `GootloaderWindowsRegDecode.ps1` - Directly decodes a payload from the registry. 
\n\n# Index\n\n- [JavaScript Decoding:](#javascript-decoding)\n  * [Automated Decoding](#automated-decoding)\n  * [Manual Decoding](#manual-decoding)\n  * [Sample MD5s](#sample-md5s)\n- [Registry Payload Instructions:](#registry-payload-decoding)\n  * [Redline](#redline)\n  * [Decoding the CSV File](#decoding-the-csv-file)\n\n\n# JavaScript Decoding\n\n\n## Automated Decoding\nRun the script `GootLoaderAutoJsDecode.py` against the `.js` file.\n\n```bash\npython GootLoaderAutoJsDecode.py \"evil.js\"\n```\n\n\nThe script will output the files below:\n- `FileAndTaskData.txt` - Contains the names of the scheduled task and dropped files.\n- `DecodedJsPayload.js_` - The decoded payload that runs a PowerShell command. You can use CyberChef's `Generic Code Beautify` operation to make the content easier to read.\n\n![](rsc/dfvdfvdfvdf.png)\n\nIf the `GootLoaderAutoJsDecode.py` script stops working, you can attempt to use the dynamic version of the script (`GootLoaderAutoJsDecode-Dynamic.py`). Be aware that the dynamic script executes part of the GOOTLOADER code; as a result, it should only be run in an isolated environment.\n\n## Manual Decoding\nSometimes the GOOTLOADER `js` obfuscation changes and the `GootLoaderAutoJsDecode.py` script stops working. In those instances, follow the instructions found at [ManualDecoding.md](ManualDecoding.md).\n\n## Sample MD5s\n\n```\nGootloader Obfuscation Variant 2:\n82607b68e061abb1d94f33a2e06b0d20\n961cd55b17485bfc8b17881d4a643ad8\naf9b021a1e339841cfdf65596408862d\nd3787939a5681cb6d6ac7c42cd9250b5\n\nGootloader Obfuscation Variant 3:\nea2271179e75b652cafd8648b698c6f9\nc07b581fde56071e05754eef450dfa17\n8d29be5bccda884c5abbba52fc1f038c\nb20162ee69b06184d87dc2f5665f5c80\n```\n\n# Registry Payload Decoding\n\n## Redline\n\n1. On the left menu go to `Agent Events\\Registry Key Events`\n2. 
Filter on the following:\n   * Change Type: `value change`\n   * Path: `HKEY_USERS\\\u003cUSER_SID\u003e\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%`\n      * The specific path might change, but you should end up with two sets of keys, one called `...\\Phone\\UserName\\...` and one called `...\\Phone\\UserName0\\...`.\n3. Select all the rows that have something in the `Text Data` field. \n4. Right click and select \"Copy with Headers\"\n5. Paste the text into a text document and save it as a CSV\n\n![](rsc/lghxCwwMdC.png)\n\n## Decoding the CSV File\n\n1. Transfer the CSV and Python scripts to the same machine\n2. Run the command below:\n\n```bash\npython GootloaderRegDecode.py \"regExport.csv\"\n```\n3. The script should generate 2 files `payload1.dll_` and `payload2.exe_`\n\n\n![](rsc/scdrfvfdd43.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fgootloader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmandiant%2Fgootloader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fgootloader/lists"}