mandiant / gootloader

Collection of scripts used to deobfuscate GOOTLOADER malware samples.
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
Apache License 2.0
53 stars 9 forks

GootLoaderAutoJsDecode passing directory as parameter? #4

Open dr4lekhine opened 2 months ago

dr4lekhine commented 2 months ago

Hello,

First of all, thanks for sharing this tool!

I would like to ask if there is any way to execute "GootLoaderAutoJsDecode.py" but, instead of passing a particular file like "evil.js" as the parameter, give it a directory with multiple files like "/path/to/evilsamples" to try bulk deobfuscation?

Something like that: [screenshot: Capture]

Thanks in advance.

Regards.

andy2002a commented 2 months ago

That might be something I can add later on. For now you can replace lines 485 to the end with this and it will print them all to the console.

import os

# Treat jsFilePath as a directory and decode every regular file inside it.
directory = args.jsFilePath

for fileName in sorted(os.listdir(directory)):
    filePath = os.path.join(directory, fileName)
    if not os.path.isfile(filePath):
        continue  # skip subdirectories and other non-files

    # reset the decoder's global flag before each sample; gootDecode sets it
    # when it recognises a GootLoader 3 stage-1 file
    goot3detected = False

    gootDecode(filePath)

    # stage 2 is written to the working directory under a fixed name
    if goot3detected:
        gootDecode('GootLoader3Stage2.js_')

Might not be perfect since DecodedJsPayload.js_, FileAndTaskData.txt, and GootLoader3Stage2.js_ will get constantly overwritten, but you'll at least get the C2.
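The overwrite problem above goes away if each sample is decoded in its own working directory. The following batch runner is an added example, not code from the gootloader repository: it invokes the decoder as a subprocess once per file, with the subprocess's working directory set to a per-sample output directory, and saves the console output next to the artifacts. It assumes the decoder takes the sample path as its single positional argument and drops its fixed-name artifacts (DecodedJsPayload.js_, FileAndTaskData.txt, GootLoader3Stage2.js_) into the current working directory, which is why the thread's snippet sees them overwritten. The `demo()` function and its stub decoder are constructed for illustration and stand in for the real tool.

```python
"""Batch-run a GootLoader decoder over a directory of samples, one isolated
output directory per sample, so fixed-name artifacts are never overwritten.

Added example; assumes the decoder writes its artifacts into the current
working directory and accepts the sample path as one positional argument.
"""
import subprocess
import sys
import tempfile
from pathlib import Path

# Artifact names the thread reports being overwritten between samples.
FIXED_ARTIFACTS = ("DecodedJsPayload.js_", "FileAndTaskData.txt", "GootLoader3Stage2.js_")


def batch_decode(samples_dir, out_root, decoder_cmd, timeout=300):
    """Run decoder_cmd + [sample] for every regular file in samples_dir.

    Each sample gets its own working directory under out_root, so one
    sample's DecodedJsPayload.js_ cannot clobber another's. Console output
    (stdout + stderr) is saved as console.txt beside the artifacts, and a
    failing sample does not stop the batch.
    Returns {sample_name: {"returncode": int, "artifacts": [names]}}.
    """
    samples_dir = Path(samples_dir)
    out_root = Path(out_root)
    results = {}
    for sample in sorted(p for p in samples_dir.iterdir() if p.is_file()):
        work = out_root / sample.name
        work.mkdir(parents=True, exist_ok=True)
        proc = subprocess.run(
            [*decoder_cmd, str(sample.resolve())],  # absolute path: cwd changes below
            cwd=work, capture_output=True, text=True, timeout=timeout,
        )
        (work / "console.txt").write_text(proc.stdout + proc.stderr)
        results[sample.name] = {
            "returncode": proc.returncode,
            "artifacts": sorted(p.name for p in work.iterdir() if p.name in FIXED_ARTIFACTS),
        }
    return results


# Constructed stand-in for the decoder, used only by demo(): "decoding" is
# reversing the file text, and it writes two of the fixed-name artifacts
# into its working directory exactly as the real tool is assumed to.
STUB_DECODER = '''\
import sys, pathlib
src = pathlib.Path(sys.argv[1])
pathlib.Path("DecodedJsPayload.js_").write_text(src.read_text()[::-1])
pathlib.Path("FileAndTaskData.txt").write_text("C2: " + src.stem)
print("decoded", src.name)
'''


def demo():
    """End-to-end run on constructed samples with the stub decoder."""
    root = Path(tempfile.mkdtemp(prefix="gootbatch_"))
    samples = root / "samples"
    samples.mkdir()
    for name, body in {"a.js": "var a=1;", "b.js": "var b=2;"}.items():
        (samples / name).write_text(body)  # constructed sample content
    (samples / "notes").mkdir()  # a subdirectory: must be skipped, not decoded
    stub = root / "stub_decoder.py"
    stub.write_text(STUB_DECODER)
    out = root / "out"
    results = batch_decode(samples, out, [sys.executable, str(stub)])
    payloads = {n: (out / n / "DecodedJsPayload.js_").read_text() for n in results}
    return results, payloads


if __name__ == "__main__":
    # usage: python batch_decode.py /path/to/evilsamples ./out /abs/path/GootLoaderAutoJsDecode.py
    if len(sys.argv) != 4:
        sys.exit("usage: batch_decode.py SAMPLES_DIR OUT_DIR DECODER_SCRIPT")
    for name, info in batch_decode(sys.argv[1], sys.argv[2], [sys.executable, sys.argv[3]]).items():
        print(f"{name}: rc={info['returncode']} artifacts={info['artifacts']}")
```

Pass the decoder script as an absolute path: because the subprocess runs with `cwd` set to the per-sample directory, a relative script path would not resolve. The per-sample console.txt is where the printed C2 ends up, so nothing is lost when many samples are processed in one run.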

dr4lekhine commented 2 months ago

Thanks for the feedback! I will be testing that :)