gootloader | 173cf21fb6eb97344bf1e5941efab13afcadaed98dfa8ade37d672e2233d63c2

General

Target

canada revenue agency psac collective agreement 21615.js
Size

20.5MB
MD5

1add5539fec37fcc25c5223fa890a944
SHA1

d9681e3eab7b0f6974f3cc0b13657376f9e6a72b
SHA256

173cf21fb6eb97344bf1e5941efab13afcadaed98dfa8ade37d672e2233d63c2
SHA512

4675f0442cf73061ca42be78b4f62904fb29825c74308c487543a9d7f6225a28585de4a154e91f9c85c991f6dfc3c6f6fdbcfb54cd38dd9db119b2551dc5d290
SSDEEP

49152:YYRxr8uC0NjaCXWigYRxr8uC0NjaCXWigYRxr8uC0NjaCXWif:Y772

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
50	2624	powershell.exe
69	2624	powershell.exe
72	2624	powershell.exe
79	2624	powershell.exe
82	2624	powershell.exe
85	2624	powershell.exe
88	2624	powershell.exe
90	2624	powershell.exe
91	2624	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation wscript.EXE
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wscript.EXE

Modifies registry class 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exe

pid	process
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe
Token: SeLoadDriverPrivilege	2624	powershell.exe
Token: SeSystemProfilePrivilege	2624	powershell.exe
Token: SeSystemtimePrivilege	2624	powershell.exe
Token: SeProfSingleProcessPrivilege	2624	powershell.exe
Token: SeIncBasePriorityPrivilege	2624	powershell.exe
Token: SeCreatePagefilePrivilege	2624	powershell.exe
Token: SeBackupPrivilege	2624	powershell.exe
Token: SeRestorePrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeSystemEnvironmentPrivilege	2624	powershell.exe
Token: SeRemoteShutdownPrivilege	2624	powershell.exe
Token: SeUndockPrivilege	2624	powershell.exe
Token: SeManageVolumePrivilege	2624	powershell.exe
Token: 33	2624	powershell.exe
Token: 34	2624	powershell.exe
Token: 35	2624	powershell.exe
Token: 36	2624	powershell.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe
Token: SeLoadDriverPrivilege	2624	powershell.exe
Token: SeSystemProfilePrivilege	2624	powershell.exe
Token: SeSystemtimePrivilege	2624	powershell.exe
Token: SeProfSingleProcessPrivilege	2624	powershell.exe
Token: SeIncBasePriorityPrivilege	2624	powershell.exe
Token: SeCreatePagefilePrivilege	2624	powershell.exe
Token: SeBackupPrivilege	2624	powershell.exe
Token: SeRestorePrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeSystemEnvironmentPrivilege	2624	powershell.exe
Token: SeRemoteShutdownPrivilege	2624	powershell.exe
Token: SeUndockPrivilege	2624	powershell.exe
Token: SeManageVolumePrivilege	2624	powershell.exe
Token: 33	2624	powershell.exe
Token: 34	2624	powershell.exe
Token: 35	2624	powershell.exe
Token: 36	2624	powershell.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe
Token: SeLoadDriverPrivilege	2624	powershell.exe
Token: SeSystemProfilePrivilege	2624	powershell.exe
Token: SeSystemtimePrivilege	2624	powershell.exe
Token: SeProfSingleProcessPrivilege	2624	powershell.exe
Token: SeIncBasePriorityPrivilege	2624	powershell.exe
Token: SeCreatePagefilePrivilege	2624	powershell.exe
Token: SeBackupPrivilege	2624	powershell.exe
Token: SeRestorePrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeSystemEnvironmentPrivilege	2624	powershell.exe
Token: SeRemoteShutdownPrivilege	2624	powershell.exe
Token: SeUndockPrivilege	2624	powershell.exe
Token: SeManageVolumePrivilege	2624	powershell.exe
Token: 33	2624	powershell.exe
Token: 34	2624	powershell.exe
Token: 35	2624	powershell.exe
Token: 36	2624	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	process	target process
PID 4532 wrote to memory of 4132	4532	wscript.EXE	cscript.exe
PID 4532 wrote to memory of 4132	4532	wscript.EXE	cscript.exe
PID 4132 wrote to memory of 2624	4132	cscript.exe	powershell.exe
PID 4132 wrote to memory of 2624	4132	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\canada revenue agency psac collective agreement 21615.js"
1⤵
PID:2268

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE HEALTH~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "HEALTH~1.JS"
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4okci3z.3ir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HEALTH~1.JS

Filesize
40.5MB

MD5
3de14370e2879aeadbe46a0e02f0976f

SHA1
fb095a4f51b0ddcf2a556ad1580e8c6e884af8d3

SHA256
39ce6f31bd15d1e7978ebf11964a35376a36ebf230b06a4d2a9260fec1104047

SHA512
58e2c31447671f381297169e98c0f8f23157379c5e2ea8676ddbe05bb52ea89cddd129c93d1ed2be26457e40689c08af78ed916b51cf81538bc2d71dba8d06a7

Download Submit
memory/2624-12-0x000001F94A8F0000-0x000001F94A912000-memory.dmp

Filesize
136KB

Download
memory/2624-13-0x000001F963C10000-0x000001F963C54000-memory.dmp

Filesize
272KB

Download
memory/2624-14-0x000001F963CE0000-0x000001F963D56000-memory.dmp

Filesize
472KB

Download
memory/2624-16-0x000001F963F50000-0x000001F963F74000-memory.dmp

Filesize
144KB

Download
memory/2624-15-0x000001F963F50000-0x000001F963F7A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads