We use abstract syntax tree manipulation, regex search and replace and dynamic analysis to deobfuscate and unpack GootLoader. Each method has its own pros and cons. GootLoader is an initial infector written in JScript. Current samples feature up to five layers of packed and obfuscated code.
Malware Analysis course:
https://www.udemy.com/course/windows-...
Extract called functions:
https://github.com/struppigel/hedgeho...
GootLoader unpacker:
https://github.com/struppigel/hedgeho...
Sample:
https://bazaar.abuse.ch/sample/1bc77b...
Follow me on Twitter:
/ struppigel
00:00 Introduction
00:26 First Layer - extract relevant functions
07:24 Regex deobfuscation
14:05 Abstract syntax tree transformations with babel
30:57 Dynamic deobfuscation
40:46 Deobfuscation method overview
41:43 GootLoader unpacker