{
	"id": "9498aa25-6c89-468e-8cd1-b4e29c753ab2",
	"created_at": "2026-04-06T00:15:56.550254Z",
	"updated_at": "2026-04-10T03:20:36.709278Z",
	"deleted_at": null,
	"sha1_hash": "6677a2b32117658ffb89efd1d6b6a6e28517c7a3",
	"title": "hedgehog-tools/gootloader at main · struppigel/hedgehog-tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129516,
	"plain_text": "hedgehog-tools/gootloader at main · struppigel/hedgehog-tools\r\nBy struppigel\r\nArchived: 2026-04-05 18:46:26 UTC\r\nGootLoader JS Unpacker and C2 Extractor\r\nWhy\r\nThis was a project to learn AST manipulation with babel and JavaScript.\r\nSo it is likely that this is not the best code because I am a JavaScript noob.\r\nThe script is static, it does not execute any of the manipulated code.\r\nRequirements\r\nInstall NodeJS and npm\r\nExecute this to install required packages\r\nnpm.exe install -save-dev @babel/core commander\r\nUsage\r\nnode.exe gootloader_decoder.js -f \u003csample\u003e --c2s \u003ctextfile\u003e\r\nThis will unpack the Gootloader script layers to sample.layer\u003cnr\u003e.js. After that it will attempt to find C2 data.\r\nEven if some of it fails, it should serve in saving some unpacking steps.\r\nThe very first transpiled layer is the extraction of just the relevant functions, which are often buried in \u003e 6000 lines of code. To achieve that, the decoder will search for the typical structure of the entry point function and determine all matched functions as start nodes. That means there might be some false positives, but as long as the actual entry point function is included, it should not be an issue.\r\nFrom this point forward it will search for all used identifiers in that entry point function and recursively for the functions that are being called. This way a 6000-line script can be trimmed down to 200 lines, making manual analysis of the initial code possible. In case the entry point function for the malware code turns out to be the wrong one, you can set it manually, e.g., here for the function named iolad7:\r\nnode.exe gootloader_decoder.js -f \u003csample\u003e -s iolad7\r\nStarting from the second layer the unpacker will determine the responsible decrypt function, the key and a decoding constant which is changed in every sample.\r\nhttps://github.com/struppigel/hedgehog-tools/tree/main/gootloader\r\nPage 1 of 4\r\nIt will attempt to extract C2s at the last layer, which it currently assumes to be either the third or the sixth (as these are the samples I got).\r\nNote: Some of the layers will be wrapped into a function named gldr(). This function is not part of the malware but the decoder. It is necessary where gootloader dynamically wraps the unpacked code into an unnamed function. Since the body contains a return, the AST can only be parsed with this wrapped function.\r\nSamples\r\n07253c4ff2a7f296cfdb6c45ddec08f61b6ecad37a30f45455df83d48c193083 --\u003e malpedia sample, complete, has 3 layers\r\n1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f --\u003e complete, has 3 layers\r\n08f06fc48fe8d69e4ab964500150d1b2f5f4279fea2f76fdfcefd32266dfa1af --\u003e complete, has 6 layers\r\n320b4d99c1f5fbc3cf1dfe593494484b1d4cb1ac7ac1f6266091e85ef51b4508 --\u003e complete, has 6 layers\r\n445a5c6763877994206d2b692214bb4fba04f40a07ccbd28e0422cb1c21ac95b --\u003e complete, has 6 layers\r\ncbd826f59f1041065890cfe71f046e59ae0482364f1aaf79e5242de2246fb54b --\u003e complete, has 6 layers\r\nb34bcf097ad6ab0459bc6a4a8f487ca3526b6069ec01e8088fd4b00a15420554 --\u003e complete, has 6 layers\r\n1b8b2fbdff9e4109edae317c4dd8cef7bb7877d656e97a3dd0a1e8c0c9d72b0b --\u003e complete, has 6 layers\r\nExample Output\r\nDecoded last layer with C2 data:\r\nOutput of unpacking and extraction:\r\nSource: https://github.com/struppigel/hedgehog-tools/tree/main/gootloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/struppigel/hedgehog-tools/tree/main/gootloader"
	],
	"report_names": [
		"gootloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6677a2b32117658ffb89efd1d6b6a6e28517c7a3.pdf",
		"text": "https://archive.orkl.eu/6677a2b32117658ffb89efd1d6b6a6e28517c7a3.txt",
		"img": "https://archive.orkl.eu/6677a2b32117658ffb89efd1d6b6a6e28517c7a3.jpg"
	}
}