# GuLoader Script Deobfuscation

### Stage 1 - VBS

Obtaining the second-stage PowerShell script takes a little manual work, but the first stage (a VBS dropper) is simple enough to break down by hand, and once it is understood the embedded PowerShell can be extracted without running the malware's own execution path.

The VBS stage hands control to the operating system through Windows Script Host (`WScript`). The first step is therefore to find the variable that holds the `WScript` object; searching the script for the string "WScript" usually locates it.

<figure><img src="/files/IfBOHNxETQDctsbUjpek" alt=""><figcaption></figcaption></figure>

Once the variable name is identified, another search helps pinpoint where it's utilized. This search should lead to a line resembling the following:

<figure><img src="/files/z3rCOErGJAyl5O2wIrH9" alt=""><figcaption></figcaption></figure>

Modifying this line so that it prints its argument to the console (for example with `WScript.Echo`) instead of executing it lets us extract the second-stage script without launching it.

<figure><img src="/files/449YHddHuK2IqiXTnoSm" alt=""><figcaption></figcaption></figure>

Running the modified first stage with `cscript` from a PowerShell prompt (adding `//nologo` suppresses the banner) prints the second stage straight to the console, where it can be redirected into a file. Do this only in an isolated analysis VM: replacing the launch call neutralises that one line, but any other code paths in the script still execute.

<figure><img src="/files/Uy7rwicPIfKCS5aRfz4C" alt=""><figcaption></figcaption></figure>
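The stage-1 patch described above, automated as an added example written for this page (it is not the author's tooling). It assumes the VBS obtains its shell object with `CreateObject("WScript.Shell")` and launches the second stage through that object's `Run` or `Exec` method; both are assumptions about the sample's shape, and the screenshots above are the authority for a given file. The embedded VBS is a constructed stand-in, not the real sample.

```python
import re
import sys
from pathlib import Path

# Assumed: the shell object is created exactly like this. The real sample's
# line (see the screenshot) may build the string differently.
SHELL_VAR = re.compile(
    r'Set\s+(\w+)\s*=\s*CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE
)


def find_shell_variable(vbs: str) -> str:
    """Return the variable name that holds the WScript.Shell object."""
    m = SHELL_VAR.search(vbs)
    if not m:
        raise ValueError('no CreateObject("WScript.Shell") assignment found')
    return m.group(1)


def first_argument(arglist: str) -> str:
    """Return the text up to the first top-level comma (quotes and parentheses respected).

    Run/Exec take the command line as their first argument; later arguments
    (window style, wait flag) are noise for our purposes.
    """
    depth, in_str = 0, False
    for i, ch in enumerate(arglist):
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                return arglist[:i].strip()
    return arglist.strip()


def patch_to_echo(vbs: str) -> str:
    """Rewrite `<shellvar>.Run|Exec <cmd>, ...` into `WScript.Echo <cmd>` (assumed method names)."""
    var = find_shell_variable(vbs)
    call = re.compile(
        r"^([ \t]*)" + re.escape(var) + r"\.(Run|Exec)\b[ \t]*(.*)$",
        re.IGNORECASE | re.MULTILINE,
    )

    def repl(m):
        args = m.group(3).strip()
        if args.startswith("(") and args.endswith(")"):  # Call obj.Run(cmd, 0) form
            args = args[1:-1]
        return f"{m.group(1)}WScript.Echo {first_argument(args)}"

    patched, n = call.subn(repl, vbs)
    if n == 0:
        raise ValueError(f"no {var}.Run/.Exec call found; patch the launch line by hand")
    return patched


# Constructed sample VBS (made-up identifiers, not the real GuLoader stage).
SAMPLE_VBS = '''Dim Sko
Set Sko = CreateObject("WScript.Shell")
Hatten = "powershell -w hidden -ep bypass -c " & Chr(34) & "Write-Host stage2" & Chr(34)
Sko.Run Hatten, 0, True
'''


def main(argv):
    if len(argv) < 2:
        print("usage: vbs_echo_patch.py <stage1.vbs>")  # hypothetical script name
        return 2
    src = Path(argv[1])
    out = src.with_suffix(".echo.vbs")
    out.write_text(patch_to_echo(src.read_text(encoding="utf-8", errors="replace")), encoding="utf-8")
    print(f"wrote {out}; dump stage 2 with: cscript //nologo {out} > stage2.ps1")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the dropper, then execute the `.echo.vbs` copy with `cscript //nologo` in the analysis VM; the echoed command line is the stage-2 PowerShell. If the script uses a differently named method or builds the `WScript.Shell` string from pieces, the helper raises instead of guessing, and the line is patched manually as the screenshots show.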

### Stage 2 - PowerShell

After dumping the PowerShell payload, the next step is to determine the substring offset the deobfuscation script needs. This is usually straightforward: near the top of the script there is a function that takes a string, and inside it a for loop whose counter is initialised to a non-zero number. That number is the offset at which the loop starts pulling characters out of the passed string with `Substring`; everything before it, and the junk between the selected characters, is discarded. In this sample the value is seven.

<figure><img src="/files/KkFRcvJ1FM13ItSZ2dIS" alt=""><figcaption></figcaption></figure>

Once the substring offset has been determined, it is set in the Python deobfuscation script.

<figure><img src="/files/BlQz89wztPlpj4f2FR07" alt=""><figcaption></figcaption></figure>

Running the Python script writes a deobfuscated copy of the PowerShell script to the current working directory.

<figure><img src="/files/Gdqj1Axnno07hjlMuNV1" alt=""><figcaption></figcaption></figure>
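A stand-alone version of the stage-2 procedure, added here as an example for this page and not the author's deobfuscation script. It reads the substring offset from the for loop, then decodes every call to the decode function and writes the cleaned script to the working directory. Its one assumption beyond the writeup is the relation between loop start and loop increment: the decoder treats an offset of N as "keep one character out of every N+1", the shape commonly seen in GuLoader stages. The embedded PowerShell is a constructed sample with made-up names, built by the same helper so the loop and the blobs agree.

```python
import re
import sys
from pathlib import Path
from typing import Optional

# Regexes for the two things the writeup locates by eye: the first function
# definition and a for loop whose counter starts at a non-zero integer.
FOR_INIT = re.compile(r"for\s*\(\s*\$\w+\s*=\s*(\d+)\s*;", re.IGNORECASE)
FUNC_NAME = re.compile(r"function\s+([\w-]+)\s*\(", re.IGNORECASE)


def step_from_offset(offset: int) -> int:
    """Assumed relation between loop start and loop increment (N -> N+1); adjust per sample."""
    return offset + 1


def find_offset(script: str) -> int:
    """Return the non-zero start value of the decode function's for loop (the 'substring value')."""
    for m in FOR_INIT.finditer(script):
        value = int(m.group(1))
        if value != 0:
            return value
    raise ValueError("no for loop with a non-zero start value found")


def decode(blob: str, offset: int) -> str:
    """Python equivalent of the loop: take blob[offset], then every step-th character after it."""
    return blob[offset::step_from_offset(offset)]


def obfuscate(plain: str, offset: int, junk: str = "x") -> str:
    """Inverse of decode(); used only to build the constructed sample below."""
    return "".join(junk * offset + ch for ch in plain)


def deobfuscate_script(script: str, offset: Optional[int] = None) -> str:
    """Replace every `<decoder> '<blob>'` / `<decoder> "<blob>"` call with a plain string literal."""
    if offset is None:
        offset = find_offset(script)
    m = FUNC_NAME.search(script)
    if not m:
        raise ValueError("no decode function definition found")
    call = re.compile(re.escape(m.group(1)) + r"\s+(['\"])(.*?)\1")

    def repl(match):
        plain = decode(match.group(2), offset).replace("'", "''")  # PowerShell single-quote escape
        return f"'{plain}'"

    return call.sub(repl, script)


# Constructed sample (not the real stage 2): a decoder with offset 7 and two call sites.
OFFSET = 7
SAMPLE_PS = (
    f"function Farvelommer ($Tumles){{For($i={OFFSET};$i -lt $Tumles.Length;"
    f"$i+={step_from_offset(OFFSET)}){{$Ud+=$Tumles.Substring($i, 1)}};$Ud}}\n"
    f"$Kommando = Farvelommer '{obfuscate('Invoke-WebRequest', OFFSET)}';\n"
    f"$Resultat = Farvelommer \"{obfuscate('IEX', OFFSET, 'Q')}\";\n"
)


def main(argv) -> Path:
    """Deobfuscate the dumped stage 2 (or the sample) into the current working directory."""
    script = Path(argv[1]).read_text(encoding="utf-8", errors="replace") if len(argv) > 1 else SAMPLE_PS
    offset = find_offset(script)
    out = Path.cwd() / "stage2_deobfuscated.ps1"  # hypothetical output name
    out.write_text(deobfuscate_script(script, offset), encoding="utf-8")
    print(f"substring offset: {offset}; wrote {out}")
    return out


if __name__ == "__main__":
    main(sys.argv)
```

Check the printed offset against the for loop you found by hand; if the decoded literals still look like noise, the sample's loop increment differs from the assumed N+1 and `step_from_offset` is the one line to change.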

### Background information

<table><thead><tr><th width="139">Algorithm</th><th>Value</th></tr></thead><tbody><tr><td>MD5</td><td>a4163c297e14cd940d72f601f04cabbc</td></tr><tr><td>SHA-1</td><td>7be322a6b0571912ded2402cd3ac0b2312fb9c1c</td></tr><tr><td>SHA-256</td><td>c31703fe238a825c2f0edabb1cf130de04f78702c81608f0fa9cc2267e8b44a8</td></tr></tbody></table>

{% embed url="<https://bazaar.abuse.ch/sample/c31703fe238a825c2f0edabb1cf130de04f78702c81608f0fa9cc2267e8b44a8>" %}
Link to sample
{% endembed %}

