Reconstructing the Registry Payloads
It is possible to reconstruct the registry payloads depending on where their data resides.
Off Host — Python Script + CSV
The script “GootloaderRegDecode.py”, combined with a CSV registry export, can be used to automatically reconstruct the payloads. The script documents how the CSV file must be formatted; one or both registry payloads can be processed in a single run.
GootloaderRegDecode.py Payload-1-and-2-Reg-Export.csv
GootloaderRegDecode.py Payload-1-Reg-Export.csv
GootloaderRegDecode.py Payload-2-Reg-Export.csv
Both payloads will be saved to the current directory and an MD5 hash for each payload will be provided.
This script was tested using a registry export from Redline and Trellix HX triage packages. The script should work with other EDRs directly or with slight modification.
Off Host — CyberChef + Reg Export
CyberChef can be used to extract the payloads from a registry export.
- Create separate .reg exports of the HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%0 and HKCU\SOFTWARE\Microsoft\Phone\%USERNAME% registry keys. The following commands can be used:
reg export HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%0 reg_stage1.reg
reg export HKCU\SOFTWARE\Microsoft\Phone\%USERNAME% reg_stage2.reg
- Import the file into CyberChef.
- Load the appropriate CyberChef recipe (GootloaderCyberChef-Stage1.recipie) (GootloaderCyberChef-Stage2.recipie).
- Save the output.
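As an added example (not Mandiant's GootloaderRegDecode.py, the PowerShell script, or the CyberChef recipes), the following Python parser reads a .reg export produced by the commands above, locates the two Phone keys for a given user, reassembles their numbered values in numeric rather than lexical order, and reports chunk count, length and the MD5 of the still-encoded blob for triage. The username jsmith, the sample values and the assumption that each payload is stored as numbered REG_SZ values are constructed for this example; decoding the reassembled data is left to the scripts the post describes.

```python
import hashlib
import re

# Constructed sample of a "reg export" of the stage-1 key (not real Gootloader data).
# Real exports are UTF-16LE with a BOM; load_reg() handles that, the sample is a plain str.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\jsmith0]
"0"="AAAAchunk0"
"1"="BBBBchunk1"
"10"="KKKKchunk10"
"2"="CCCCchunk2"
"path"="C:\\Users\\jsmith\\x"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" lines; both sides may contain backslash-escaped quotes or backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    """Undo .reg escaping: a backslash precedes any literal backslash or double quote."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values in a .reg export."""
    text = text.lstrip('\ufeff')
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def load_reg(path):
    """reg.exe writes UTF-16LE with a BOM; the utf-16 codec consumes the BOM."""
    with open(path, encoding='utf-16') as fh:
        return parse_reg(fh.read())


def reassemble_chunks(values):
    """Join numbered values in numeric order (so "10" follows "2"); ignores other names."""
    ordered = sorted((int(name), val) for name, val in values.items() if name.isdigit())
    return ''.join(val for _, val in ordered)


def summarize(text, user):
    """Per Phone key found for `user`: chunk count, reassembled length and MD5 of the blob."""
    base = r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone' + '\\' + user
    keys, report = parse_reg(text), {}
    for path in (base + '0', base):  # stage-1 key ends in 0, stage-2 key does not
        if path in keys:
            blob = reassemble_chunks(keys[path])
            report[path] = {'chunks': sum(n.isdigit() for n in keys[path]),
                            'length': len(blob),
                            'md5': hashlib.md5(blob.encode()).hexdigest()}
    return report
```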
On Host — PowerShell Script
The script “GootloaderWindowsRegDecode.ps1” can be run on a host that currently has the registry keys present. The script can be executed against the current user, or another user that exists on the system.
#Run against the current user account
GootloaderWindowsRegDecode.ps1
#Run against the JSmith user account
GootloaderWindowsRegDecode.ps1 -User JSmith
Both payloads will be saved to the current directory and an MD5 hash for each payload will be provided.
Technical Indicators
GOOTLOADER ZIP file
GOOTLOADER JS file
Registry Payload 1 (FONELAUNCH)
- FONELAUNCH.FAX
- FONELAUNCH.PHONE
- FONELAUNCH.DIALTONE
Registry Payload 2
- Cobalt Strike BEACON
- SNOWCONE
Network Indicators
Cobalt Strike Beacon Backdoor
More atomic indicators may be found in our Mandiant Advantage portal.
YARA Rules
The following YARA rules are not intended to be used on production systems or to inform blocking rules without first being validated through an organization’s own internal testing processes to ensure appropriate performance and limit the risk of false positives. These rules are intended to serve as a starting point for hunting efforts to identify FONELAUNCH and GOOTLOADER.POWERSHELL samples; however, they may need adjustment over time if the malware family changes.
rule M_Launcher_FONELAUNCH_1
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for FONELAUNCH.FAX samples."
        md5 = "d6220ca85c44e2012f76193b38881185"
    strings:
        $str_method_a = "OpenSubKey" ascii
        $str_namespace = "System.Reflection" ascii
        $str_method_b = "[Environment]::GetEnvironmentVariable(" wide
        $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
        $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
    condition:
        uint16(0) == 0x5A4D and all of ($str_*) and
        (
            $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16
        )
}
FONELAUNCH.FAX YARA rule
rule M_Launcher_FONELAUNCH_2
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for FONELAUNCH.DIALTONE samples."
        md5 = "aef6d31b3249218d24a7f3682a00aa10"
    strings:
        $ilasmx86_sequence_fprototype_a = { 1F 30 20 1B 00 10 00 28 }
        $ilasmx86_sequence_fprototype_b = { 26 11 ?? 11 ?? 07 6A 20 ?? 30 00 00 1F 40 28 }
        $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
        $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
    condition:
        uint16(0) == 0x5A4D and all of ($ilasmx86_sequence_fprototype_*) and
        (
            $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16
        )
}
FONELAUNCH.DIALTONE YARA rule
rule M_Launcher_FONELAUNCH_3
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for FONELAUNCH.PHONE samples."
        md5 = "ec17564ac3e10530f11a455a475f9763"
    strings:
        $str_winfunction = "LoadLibrary" ascii
        $str_registrykey = "SOFTWARE" wide
        $str_constant = "PAGE_EXECUTE_READWRITE" ascii
        $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
        $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
    condition:
        uint16(0) == 0x5A4D and all of ($str_*) and
        (
            $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16
        )
}
FONELAUNCH.PHONE YARA rule
rule M_Downloader_GOOTLOADER_POWERSHELL
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for GOOTLOADER.POWERSHELL samples."
        md5 = "2567a2bca964504709820de7052d3486"
    strings:
        $ps_object_a = ".IsLink" ascii
        $ps_object_b = ".IsFolder" ascii
        $ps_object_c = ".IsFileSystem" ascii
        $ps_code_parseresponse = "[1] -replace" ascii nocase
        $ps_code_httpheader = ".Headers.Add(\"Cookie:" ascii nocase
        $ps_code_concatenatedata = "([String]::Join(\"|" ascii nocase
    condition:
        all of ($ps_code_*) and any of ($ps_object_*)
}
GOOTLOADER.POWERSHELL YARA rule
import "pe"

rule M_Hunting_Win_FONELAUNCH
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for suspicious version information metadata observed in FONELAUNCH samples"
        md5 = "35238d2a4626e7a1b89b13042f9390e9"
    strings:
        $m1 = { 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }
        $m2 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }
    condition:
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and
        (
            pe.version_info["OriginalFilename"] == "powershell.dll" or
            pe.version_info["InternalName"] == "powershell.dll" or
            any of ($m*)
        )
}
FONELAUNCH YARA rule
Detection Techniques
Product | Signature
Trellix Endpoint Security |
Trellix Endpoint Security (Hunting) |
Microsoft Defender for Endpoint |
Trellix Network Security |
Malware Definitions
BEACON
BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS.
FONELAUNCH
FONELAUNCH is a .NET-based loader that loads an encoded payload from registry into memory.
GOOTLOADER
GOOTLOADER is a JavaScript downloader that comes in an obfuscated form. It downloads another JavaScript file which drops and executes the intended payload.
GOOTLOADER.POWERSHELL
GOOTLOADER.POWERSHELL is a variant of the GOOTLOADER downloader that was rewritten in PowerShell and retrieves payloads via HTTP. Prior to obtaining the payload, the downloader collects specific victim host information, including current Windows OS version, environment variables, list of files and running processes, and sends this information to one of ten hard-coded C2 URLs. We have observed instances where several decoy URLs were distributed amongst the list of hard-coded C2s.
SNOWCONE
SNOWCONE is a family of downloaders that retrieve their next stage payloads via HTTP and have historically been observed to download ICEDID.
Acknowledgements
Ng Choon Kiat, David Lindquist, Yash Gupta, Jonathan Lepore, Tufail Ahmed and Moritz Raabe
Source: https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations