GuLoader Script Deobfuscation

Stage 1 - VBS

To obtain the second-stage PowerShell script, some manual work is required. Fortunately, breaking down the first stage is relatively straightforward, allowing us to extract the embedded PowerShell script.

GuLoader utilizes wscript for interaction with the operating system. The initial step involves locating the variable used to call wscript, typically identified by searching for the string "WScript".

Once the variable name is identified, another search helps pinpoint where it's utilized. This search should lead to a line resembling the following:

By modifying this line to output its contents to the command line, we can extract the second-stage script.

Running the modified first stage using cscript from PowerShell enables dumping of the second stage directly to the command line.

Stage 2 - PowerShell

After dumping the PowerShell payload, the next step is to determine the substring integer needed for the deobfuscation script. This is typically straightforward; at the beginning of the PowerShell script, there's usually a function defined. Inside this function, there's a for loop initialized with a non-zero number, which serves as the substring value for deobfuscating a passed string. In the sample, this number is set to seven.

Once the substring value has been determined it can be configured in the python deobfuscation script.

Running the python script drops a deobfuscated version of the PowerShell script in the current working directory.

Background information

Algorithm
Value

MD5

a4163c297e14cd940d72f601f04cabbc

SHA-1

7be322a6b0571912ded2402cd3ac0b2312fb9c1c

SHA-256

c31703fe238a825c2f0edabb1cf130de04f78702c81608f0fa9cc2267e8b44a8

https://bazaar.abuse.ch/sample/c31703fe238a825c2f0edabb1cf130de04f78702c81608f0fa9cc2267e8b44a8bazaar.abuse.ch
Link to sample
PreviousOperation Duck HuntNextCreating a deobfuscator

Last updated

Was this helpful?