# Recent Posts **[threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/](https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/)** May 4, 2022 [HP Threat Research Blog • Tips for Automating IOC Extraction from GootLoader, a Changing](https://threatresearch.ext.hp.com/blog/) JavaScript Malware ## Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware The threat actors behind GootLoader are always making adjustments to this family of JavaScript malware, which affects indicator of compromise (IOC) extraction using our decoder script. Whenever the GootLoader decoder breaks we try to adapt it to the new version of the malware to help the security community. In this post, we share the process of debugging and fixing the script, showing the common steps we usually take. First, we look at all extracts from the regular expressions (regex) because this is usually the reason why the decoder breaks. To do so, we add print statements before and after each regex evaluation starting from the bottom of the script. The following image shows our first check. ----- Figure 1 – Print statements around regular expression evaluations. Based on the output we try to figure out the position where the script fails to decode the new GootLoader version. In this case, we get an empty content output and therefore the script failed earlier in the process. In Figure 2, above the regex evaluation, we you can see an additional print statement to debug the script: Figure 2 – Printing the content and the longest match of the regex. Running the script again leads to another empty output. So further debugging is required. Again, we add two print statements around the next regex evaluation, which looks as follows: Figure 3 – Debug prints to check if the regex still works. At this point we finally get an output from our debug print statements. This tells us that we found the position where the script fails to decode the new version of the malware. Figure 4 – Printed script content of the new GootLoader version. To understand why this specific regex does not work anymore, we compare our debug outputs to the outputs of an older GootLoader version where the decoder worked. Using the output of the working one, we can see what it should look like (Figure 5). ----- Figure 5 – Printed script content of an older GootLoader version. The regex result for this evaluation should lead to a list of variables concatenated with plus signs. This list is used by GootLoader to rearrange the code into the right order and then later on execute it using the eval function. To decode the script and extract the domains and URLs we need to do the same and bring the code into the correct order. With this version adjustment, GootLoader no longer uses just one statement to rearrange the code, but several interdependent ones. To fix the script we need to make two edits. First, we need to adjust the regex pattern so that it matches the new statements. Second, we need to add logic to merge the code. With the help of regex101.com we can adjust and fix the regex pattern. Figure 6 – Extracting the statements using regex. The idea is to extract all the statements used for the code arrangement. Figure 7 – Definition of regex pattern to extract the statements. Each statement can be split into the variable and the expression. To keep track of the variables we create a dictionary which uses the variables as keys and the expressions as values. The last statement is the main statement used to join the code. For this statement we ----- substitute the expression based on the values in our dictionary and get the final expression consisting of variables that refer to code fragments. The adjusted code sequence looks like this: Figure 8 – Modified code sequence to decode the new GootLoader version. To keep the script still compatible for older GootLoader versions, we add an If statement. If we do not get regex matches for the simple statement, we use the code which evaluates compound statements. Finally, we remove the print statements which we inserted for debugging and run the repaired script to get the following output: Figure 9 – GootLoader decoding script output. This is the typical process we go through to adapt the decoding script to new GootLoader versions. As the threat actors behind GootLoader have been making version changes more frequently lately, we have had to make changes to our script more frequently as well. We hope that this explanation is helpful for analyzing GootLoader and making adjustments of our decoder script. ----- ## Tools You can download the latest GootLoader decoder script here: [https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py](https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py) ## IOCs New GootLoader version: 0a7c07fc84fd9f5b91bde6822b865f9647ca4ece67e8a4a646ce8d405187dc8b hxxps://lakeside-fishandchips[.]com/test.php?sgjngbizjfwgs= hxxps://learn.openschool[.]ua/test.php?sgjngbizjfwgs= hxxps://kristinee[.]com/test.php?sgjngbizjfwgs= Older GootLoader version: 765fbca3b6b1a922b442bc7304454e752e8bf231e2abe5060ace55db72c78d68 hxxps://kristinee[.]com/test.php?zemyrwgzcsnjur= hxxps://kepw[.]org/test.php?zemyrwgzcsnjur= hxxps://korsakovmusic[.]com/test.php?zemyrwgzcsnjur= Tags [automate](https://threatresearch.ext.hp.com/blog/?post-tag=automate) [gootloader](https://threatresearch.ext.hp.com/blog/?post-tag=gootloader) [ioc](https://threatresearch.ext.hp.com/blog/?post-tag=ioc) -----