Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations

Reconstructing the Registry Payloads

The registry payloads can be reconstructed in several ways, depending on where their data resides.

Off Host — Python Script + CSV

The script “GootloaderRegDecode.py”, combined with a CSV registry export, can be used to automatically reconstruct the payloads. The script itself documents how the CSV file must be formatted; one or both registry payloads can be processed in a single run.

GootloaderRegDecode.py Payload-1-and-2-Reg-Export.csv
GootloaderRegDecode.py Payload-1-Reg-Export.csv
GootloaderRegDecode.py Payload-2-Reg-Export.csv

Both payloads will be saved to the current directory and an MD5 hash for each payload will be provided.

This script was tested using a registry export from Redline and Trellix HX triage packages. The script should work with other EDRs directly or with slight modification.

Off Host — CyberChef + Reg Export

CyberChef can be used to extract the payloads from a registry export.

  1. Create separate .reg exports of the HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%0 and HKCU\SOFTWARE\Microsoft\Phone\%USERNAME% registry keys. The following commands can be used:
    reg export HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%0 reg_stage1.reg
    reg export HKCU\SOFTWARE\Microsoft\Phone\%USERNAME% reg_stage2.reg
  2. Import the file into CyberChef.
  3. Load the appropriate CyberChef recipe (GootloaderCyberChef-Stage1.recipie) (GootloaderCyberChef-Stage2.recipie).
  4. Save the output.
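As an added example (not the project's GootloaderRegDecode.py or its CyberChef recipes), the following Python parses a .reg export of the two keys above, reassembles each key's chunked values and reports an MD5, mirroring what the page's scripts output. It assumes (not stated on the page) that each key holds its blob as string values named 0, 1, 2, ..., and it does not decode the blob, which the page's scripts handle; the sample export and the user name jsmith are constructed.

```python
import hashlib
import re
# Constructed `reg export` sample of the two keys above (placeholder contents).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\jsmith0]
"0"="AAAA"
"2"="CCCC"
"1"="BB\"BB"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\jsmith]
"0"="xyz\\"
"1"="123"
'''
_KEY_RE = re.compile(r'\[(.+)\]')
_SZ_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg_export(text):
    """Return {key_path: {name: value}} for REG_SZ values in a .reg export.
    Real exports are UTF-16LE: read them with open(path, encoding="utf-16")."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.fullmatch(line):
            current = m.group(1)
            keys[current] = {}
        elif (m := _SZ_RE.fullmatch(line)) and current is not None:
            # .reg escapes backslash and double quote with a backslash
            name, value = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            keys[current][name] = value
    return keys

def reassemble_chunks(values):
    """Join chunk values in numeric order; assumes (not stated on the page) names 0, 1, 2, ..."""
    chunks = sorted((int(n), v) for n, v in values.items() if n.isdigit())
    if [n for n, _ in chunks] != list(range(len(chunks))):
        raise ValueError("chunk sequence has gaps: %r" % [n for n, _ in chunks])
    return "".join(v for _, v in chunks)

def extract_payload_blobs(reg_text, user):
    """Reassemble the stage 1 (<user>0) and stage 2 (<user>) blobs and return
    {label: (blob, md5)}. Decoding the blobs is left to the page's scripts."""
    base = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\%s" % user
    keys, out = parse_reg_export(reg_text), {}
    for label, path in (("stage1", base + "0"), ("stage2", base)):
        if path in keys:
            blob = reassemble_chunks(keys[path])
            out[label] = (blob, hashlib.md5(blob.encode("utf-8")).hexdigest())
    return out
```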

On Host — PowerShell Script

The script “GootloaderWindowsRegDecode.ps1” can be run on a host that currently has the registry keys present. The script can be executed against the current user, or another user that exists on the system.

#Run against the current user account
GootloaderWindowsRegDecode.ps1

#Run against the JSmith user account
GootloaderWindowsRegDecode.ps1 -User JSmith

Both payloads will be saved to the current directory and an MD5 hash for each payload will be provided.

Technical Indicators


More atomic indicators may be found in our Mandiant Advantage portal.

YARA Rules

The following YARA rules are not intended to be used on production systems or to inform blocking rules without first being validated through an organization’s own internal testing processes to ensure appropriate performance and limit the risk of false positives. These rules are intended to serve as a starting point for hunting efforts to identify FONELAUNCH and GOOTLOADER.POWERSHELL samples; however, they may need adjustment over time if the malware family changes.

rule M_Launcher_FONELAUNCH_1
{
    meta:
      author = "Mandiant"
      description = "Hunting rule looking for FONELAUNCH.FAX samples."
      md5 = "d6220ca85c44e2012f76193b38881185"

    strings:
      $str_method_a = "OpenSubKey" ascii
      $str_namespace = "System.Reflection" ascii
      $str_method_b  = "[Environment]::GetEnvironmentVariable(" wide

      $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
      $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }

    condition:
      uint16(0) == 0x5A4D and all of ($str_*) and
      (
        $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16
      )
}

FONELAUNCH.FAX YARA rule

rule M_Launcher_FONELAUNCH_2
{
    meta:
      author = "Mandiant"
      description = "Hunting rule looking for FONELAUNCH.DIALTONE samples."
      md5 = "aef6d31b3249218d24a7f3682a00aa10"

    strings:
      $ilasmx86_sequence_fprototype_a = { 1F 30 20 1B 00 10 00 28 }   
      $ilasmx86_sequence_fprototype_b = { 26 11 ?? 11 ?? 07 6A 20 ?? 30 00 00 1F 40 28 }

      $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
      $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }

    condition:
      uint16(0) == 0x5A4D and all of ($ilasmx86_sequence_fprototype_*) and
      (
        $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16
      )
}

FONELAUNCH.DIALTONE YARA rule

rule M_Launcher_FONELAUNCH_3
{
    meta:
      author = "Mandiant"
      description = "Hunting rule looking for FONELAUNCH.PHONE samples."
      md5 = "ec17564ac3e10530f11a455a475f9763"

    strings:
      $str_winfunction = "LoadLibrary" ascii
      $str_registrykey = "SOFTWARE" wide
      $str_constant = "PAGE_EXECUTE_READWRITE" ascii

      $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
      $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }

    condition:
      uint16(0) == 0x5A4D and all of ($str_*) and
      (
        $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16
      )
}

FONELAUNCH.PHONE YARA rule

rule M_Downloader_GOOTLOADER_POWERSHELL
{
  meta:
    author = "Mandiant"
    description = "Hunting rule looking for GOOTLOADER.POWERSHELL samples."
    md5 = "2567a2bca964504709820de7052d3486"

  strings:
    $ps_object_a = ".IsLink" ascii
    $ps_object_b = ".IsFolder" ascii
    $ps_object_c = ".IsFileSystem" ascii

    $ps_code_parseresponse = "[1] -replace" ascii nocase
    // embedded double quotes must be escaped inside a YARA text string
    $ps_code_httpheader = ".Headers.Add(\"Cookie:" ascii nocase
    $ps_code_concatenatedata = "([String]::Join(\"|" ascii nocase

  condition:
    all of ($ps_code_*) and any of ($ps_object_*)
}

GOOTLOADER.POWERSHELL YARA rule

import "pe"
rule M_Hunting_Win_FONELAUNCH
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for suspicious version information metadata observed in FONELAUNCH samples"
        md5 = "35238d2a4626e7a1b89b13042f9390e9"

    strings:
        $m1 = { 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }

        $m2 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }
   
    condition:
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and (pe.version_info["OriginalFilename"] == "powershell.dll" or pe.version_info["InternalName"] == "powershell.dll" or any of ($m*))
}

FONELAUNCH YARA rule

Detection Techniques

Product                              Signature
Trellix Endpoint Security            SUSPICIOUS POWERSHELL USAGE B (METHODOLOGY)
                                     Powershell Encoded Command
                                     JS loader extracted from ZIP file
                                     Potential GootLoader File
                                     CRITICAL: JS loader extracted from ZIP file
Trellix Endpoint Security (Hunting)  WSCRIPT WRITES LARGE REG KEY VALUE (METHODOLOGY)
                                     EXPLORER LAUNCHING WSCRIPT (METHODOLOGY)
                                     FILEWRITE TO ARCHIVE (FILETRACKER)
Microsoft Defender for Endpoint      Suspicious PowerShell command line
                                     Suspicious file launch
                                     Suspicious JavaScript process
                                     An active ‘Gootkit’ malware in a PowerShell script was detected while executing via AMSI
                                     An active ‘Gootkit’ malware in a PowerShell script was prevented from executing via AMSI
Trellix Network Security             Downloader.JS.GOOTLOADER
                                     Backdoor.BEACON
                                     M.Malicious.SSL.Certificate.[CobaltStrike]
                                     M.Malicious.SSL.Certificate.[146473198]

Malware Definitions

BEACON

BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS.

FONELAUNCH

FONELAUNCH is a .NET-based loader that loads an encoded payload from registry into memory.

GOOTLOADER

GOOTLOADER is a JavaScript downloader that comes in an obfuscated form. It downloads another JavaScript file which drops and executes the intended payload.

GOOTLOADER.POWERSHELL

GOOTLOADER.POWERSHELL is a variant of the GOOTLOADER downloader that was rewritten in PowerShell and retrieves payloads via HTTP. Prior to obtaining the payload, the downloader collects specific victim host information, including current Windows OS version, environment variables, list of files and running processes, and sends this information to one of ten hard-coded C2 URLs. We have observed instances where several decoy URLs were distributed amongst the list of hard-coded C2s.

SNOWCONE

SNOWCONE is a family of downloaders that retrieve their next stage payloads via HTTP and have historically been observed to download ICEDID.

Acknowledgements

Ng Choon Kiat, David Lindquist, Yash Gupta, Jonathan Lepore, Tufail Ahmed and Moritz Raabe

Source: https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations