win.gootkit

GootKit

aka: Waldek, Xswkit, talalpek

Gootkit is a banking trojan, large parts of which are written in JavaScript (Node.js); it calls into C/C++ library functions for various tasks.

References
2019-10-02 | Dissecting Malware | Marius Genheimer
@online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)
FTCODE JasperLoader GootKit
2019-08-29 | SentinelOne | Daniel Bunce
@online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
GootKit
2019-08-15 | Sentinel LABS | Daniel Bunce
@online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-08-15 | SentinelOne | Daniel Bunce
@online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-02-14 | Certego | Matteo Lodi
@online{lodi:20190214:malware:93db4e1, author = {Matteo Lodi}, title = {{Malware Tales: Gootkit}}, date = {2019-02-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-gootkit/}, language = {English}, urldate = {2020-01-06} } Malware Tales: Gootkit
GootKit
2018-05-20 | Youtube (OALabs) | Sergei Frankoff
@online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
GootKit
2018-03-04 | Youtube (OALabs) | Sergei Frankoff
@online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request
GootKit
2018-02-13 | Juniper | Paul Kimayong
@online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } New Gootkit Banking Trojan variant pushes the limits on evasive behavior
GootKit
2017-03-01 | SecurityIntelligence | Gadi Ostrovsky, Limor Kessem
@online{ostrovsky:20170301:gootkit:ab4991e, author = {Gadi Ostrovsky and Limor Kessem}, title = {{GootKit Developers Dress It Up With Web Traffic Proxy}}, date = {2017-03-01}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/}, language = {English}, urldate = {2020-01-07} } GootKit Developers Dress It Up With Web Traffic Proxy
GootKit
2016-12-01 | US-CERT | US-CERT
@online{uscert:20161201:alert:b0f05c8, author = {US-CERT}, title = {{Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)}}, date = {2016-12-01}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA16-336A}, language = {English}, urldate = {2020-01-07} } Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)
GootKit
2016-10-27 | Kaspersky Labs | Alexey Shulmin, Sergey Yunakovsky
@online{shulmin:20161027:inside:50f43ed, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Inside the Gootkit C&C server}}, date = {2016-10-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/}, language = {English}, urldate = {2019-12-20} } Inside the Gootkit C&C server
GootKit
2016-07-08 | SecurityIntelligence | Limor Kessem
@online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } GootKit: Bobbing and Weaving to Avoid Prying Eyes
GootKit
2015-04-13 | CERT Societe Generale | CERT Societe Generale
@online{generale:20150413:analyzing:2a4956d, author = {CERT Societe Generale}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } Analyzing Gootkit's persistence mechanism (new ASEP inside!)
GootKit
2015-03-30 | Trend Micro | Cedric Pernet, Dark Luo
@online{pernet:20150330:fake:3b24447, author = {Cedric Pernet and Dark Luo}, title = {{Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority}}, date = {2015-03-30}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/}, language = {English}, urldate = {2020-01-10} } Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority
GootKit
2014-04-09 | Dr.Web | Dr.Web
@online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } BackDoor.Gootkit.112—a new multi-purpose backdoor
GootKit
Yara Rules
[TLP:WHITE] win_gootkit_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_gootkit_auto {

    /*
     * Autogenerated detection rule for the GootKit banking trojan (win.gootkit),
     * produced by yara-signator v0.4.0 (see meta below).
     * Each $sequence_N string is a short run of x86 opcode bytes taken from
     * disassembly; in the per-string comments, "n" is the number of
     * instructions in the sequence and "score" is the value assigned by the
     * generator. NOTE(review): the scoring semantics are documented in the
     * yara-signator repository linked in the DISCLAIMER, not on this page.
     * The strings are listed in descending score order (2000 down to 100).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): "date" (2020-05-30) is one day after malpedia_rule_date /
        // malpedia_version (20200529); presumably generation date vs. data
        // snapshot date -- confirm before relying on either for versioning.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
        malpedia_rule_date = "20200529"
        // NOTE(review): presumably identifies the Malpedia data snapshot the rule
        // was generated from; the page does not state what it hashes -- verify.
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Byte patterns below are 32-bit x86 (operands such as ebp/esp/edi and
        // the push ebp / mov ebp, esp prologue appear throughout). A run of
        // eight '?' wildcards masks a 4-byte immediate or address operand
        // (e.g. the target of ff15 / e8 calls); the disassembler column is
        // left blank for those instructions because the operand is unknown.
        // NOTE(review): per the DISCLAIMER the sequences were taken from
        // unpacked / dumped code, so packed on-disk samples likely need
        // unpacking or memory scanning before this rule can match -- confirm
        // in deployment.
        $sequence_0 = { f7f1 81c260ea0000 52 ff15???????? }
            // n = 4, score = 2000
            //   f7f1                 | div                 ecx
            //   81c260ea0000         | add                 edx, 0xea60
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_1 = { 137de0 eb06 8b7dd8 8b75d4 }
            // n = 4, score = 1700
            //   137de0               | adc                 edi, dword ptr [ebp - 0x20]
            //   eb06                 | jmp                 8
            //   8b7dd8               | mov                 edi, dword ptr [ebp - 0x28]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_2 = { 7510 33c9 41 e8???????? 8ad8 f6db 1adb }
            // n = 7, score = 1700
            //   7510                 | jne                 0x12
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   f6db                 | neg                 bl
            //   1adb                 | sbb                 bl, bl

        $sequence_3 = { 0fb75738 8bf0 8b4f3c d1ea }
            // n = 4, score = 1700
            //   0fb75738             | movzx               edx, word ptr [edi + 0x38]
            //   8bf0                 | mov                 esi, eax
            //   8b4f3c               | mov                 ecx, dword ptr [edi + 0x3c]
            //   d1ea                 | shr                 edx, 1

        $sequence_4 = { 50 ffd6 ff75ec 6a00 ff15???????? 50 ffd6 }
            // n = 7, score = 1700
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_5 = { 8bd6 8bcb e8???????? 53 6a00 8945fc }
            // n = 6, score = 1700
            //   8bd6                 | mov                 edx, esi
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_6 = { ff75f8 ff15???????? 8bd8 85db 7431 3bfb 752d }
            // n = 7, score = 1700
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7431                 | je                  0x33
            //   3bfb                 | cmp                 edi, ebx
            //   752d                 | jne                 0x2f

        $sequence_7 = { 895df8 0fb74314 8d7b18 0fb75b06 03f8 33f6 }
            // n = 6, score = 1700
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   0fb74314             | movzx               eax, word ptr [ebx + 0x14]
            //   8d7b18               | lea                 edi, [ebx + 0x18]
            //   0fb75b06             | movzx               ebx, word ptr [ebx + 6]
            //   03f8                 | add                 edi, eax
            //   33f6                 | xor                 esi, esi

        $sequence_8 = { 52 50 8b4510 99 52 50 8b450c }
            // n = 7, score = 1400
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_9 = { f3aa 68???????? ff15???????? 50 }
            // n = 4, score = 1200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   68????????           |                     
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_10 = { 8b7df4 32c0 8b4de4 f3aa }
            // n = 4, score = 1200
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   32c0                 | xor                 al, al
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_11 = { 68???????? ff15???????? 85c0 7405 e8???????? }
            // n = 5, score = 1100
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   e8????????           |                     

        $sequence_12 = { 50 e8???????? 83c40c 68fd000000 }
            // n = 4, score = 1100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68fd000000           | push                0xfd

        $sequence_13 = { 8b4508 8b00 99 52 }
            // n = 4, score = 1000
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   99                   | cdq                 
            //   52                   | push                edx

        $sequence_14 = { c705????????02000000 8be5 5d c3 55 8bec }
            // n = 6, score = 900
            //   c705????????02000000     |     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_15 = { 7514 c705????????01000000 c705????????02000000 8be5 }
            // n = 4, score = 900
            //   7514                 | jne                 0x16
            //   c705????????01000000     |     
            //   c705????????02000000     |     
            //   8be5                 | mov                 esp, ebp

        $sequence_16 = { e8???????? 6a0c 6a08 ff15???????? 50 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   6a0c                 | push                0xc
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_17 = { 53 53 53 8901 }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_18 = { 0f114f50 0f104060 0f114760 8b4070 894770 be01000000 }
            // n = 6, score = 200
            //   0f114f50             | movups              xmmword ptr [edi + 0x50], xmm1
            //   0f104060             | movups              xmm0, xmmword ptr [eax + 0x60]
            //   0f114760             | movups              xmmword ptr [edi + 0x60], xmm0
            //   8b4070               | mov                 eax, dword ptr [eax + 0x70]
            //   894770               | mov                 dword ptr [edi + 0x70], eax
            //   be01000000           | mov                 esi, 1

        $sequence_19 = { ff15???????? 8bd0 83fa01 7e18 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax
            //   83fa01               | cmp                 edx, 1
            //   7e18                 | jle                 0x1a

        $sequence_20 = { ffc3 83fb0a 7cd5 33c0 }
            // n = 4, score = 200
            //   ffc3                 | inc                 ebx
            //   83fb0a               | cmp                 ebx, 0xa
            //   7cd5                 | jl                  0xffffffd7
            //   33c0                 | xor                 eax, eax

        $sequence_21 = { 0f104010 0f110f 0f104820 0f114710 0f104030 0f114f20 0f104840 }
            // n = 7, score = 200
            //   0f104010             | movups              xmm0, xmmword ptr [eax + 0x10]
            //   0f110f               | movups              xmmword ptr [edi], xmm1
            //   0f104820             | movups              xmm1, xmmword ptr [eax + 0x20]
            //   0f114710             | movups              xmmword ptr [edi + 0x10], xmm0
            //   0f104030             | movups              xmm0, xmmword ptr [eax + 0x30]
            //   0f114f20             | movups              xmmword ptr [edi + 0x20], xmm1
            //   0f104840             | movups              xmm1, xmmword ptr [eax + 0x40]

        $sequence_22 = { 83faff 7508 ff15???????? 8bd0 }
            // n = 4, score = 200
            //   83faff               | cmp                 edx, -1
            //   7508                 | jne                 0xa
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax

        $sequence_23 = { 0f104860 0f114750 0f114f60 b801000000 }
            // n = 4, score = 200
            //   0f104860             | movups              xmm1, xmmword ptr [eax + 0x60]
            //   0f114750             | movups              xmmword ptr [edi + 0x50], xmm0
            //   0f114f60             | movups              xmmword ptr [edi + 0x60], xmm1
            //   b801000000           | mov                 eax, 1

        $sequence_24 = { 55 8bec 837d1010 7508 8b4d0c }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d1010             | cmp                 dword ptr [ebp + 0x10], 0x10
            //   7508                 | jne                 0xa
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_25 = { 85c0 7510 8d4864 ff15???????? }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   8d4864               | lea                 ecx, [eax + 0x64]
            //   ff15????????         |                     

        $sequence_26 = { 3bc8 7344 2bca 898de4fdffff }
            // n = 4, score = 200
            //   3bc8                 | cmp                 ecx, eax
            //   7344                 | jae                 0x46
            //   2bca                 | sub                 ecx, edx
            //   898de4fdffff         | mov                 dword ptr [ebp - 0x21c], ecx

        $sequence_27 = { 8d4dd0 e8???????? 5f 5e 8be5 }
            // n = 5, score = 200
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp

        $sequence_28 = { 8d852cfdffff 898de4fdffff 50 ff7704 ffd3 }
            // n = 5, score = 200
            //   8d852cfdffff         | lea                 eax, [ebp - 0x2d4]
            //   898de4fdffff         | mov                 dword ptr [ebp - 0x21c], ecx
            //   50                   | push                eax
            //   ff7704               | push                dword ptr [edi + 4]
            //   ffd3                 | call                ebx

        $sequence_29 = { 0f114730 0f104050 0f114f40 0f104860 }
            // n = 4, score = 200
            //   0f114730             | movups              xmmword ptr [edi + 0x30], xmm0
            //   0f104050             | movups              xmm0, xmmword ptr [eax + 0x50]
            //   0f114f40             | movups              xmmword ptr [edi + 0x40], xmm1
            //   0f104860             | movups              xmm1, xmmword ptr [eax + 0x60]

        $sequence_30 = { 3bca 724b 8d4204 3bc8 }
            // n = 4, score = 200
            //   3bca                 | cmp                 ecx, edx
            //   724b                 | jb                  0x4d
            //   8d4204               | lea                 eax, [edx + 4]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_31 = { 8a06 3cff 7552 807e0125 754c }
            // n = 5, score = 200
            //   8a06                 | mov                 al, byte ptr [esi]
            //   3cff                 | cmp                 al, 0xff
            //   7552                 | jne                 0x54
            //   807e0125             | cmp                 byte ptr [esi + 1], 0x25
            //   754c                 | jne                 0x4e

        $sequence_32 = { 3bd8 7323 8b33 eb19 3ce9 }
            // n = 5, score = 200
            //   3bd8                 | cmp                 ebx, eax
            //   7323                 | jae                 0x25
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   eb19                 | jmp                 0x1b
            //   3ce9                 | cmp                 al, 0xe9

        $sequence_33 = { 7235 8b82dc000000 0382d8000000 03c1 3bd8 7323 }
            // n = 6, score = 200
            //   7235                 | jb                  0x37
            //   8b82dc000000         | mov                 eax, dword ptr [edx + 0xdc]
            //   0382d8000000         | add                 eax, dword ptr [edx + 0xd8]
            //   03c1                 | add                 eax, ecx
            //   3bd8                 | cmp                 ebx, eax
            //   7323                 | jae                 0x25

        $sequence_34 = { 885dd0 8945fc 895df8 885de8 }
            // n = 4, score = 100
            //   885dd0               | mov                 byte ptr [ebp - 0x30], bl
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   885de8               | mov                 byte ptr [ebp - 0x18], bl

        $sequence_35 = { 55 57 ff15???????? 89442414 85c0 75c4 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   57                   | push                edi
            //   ff15????????         |                     
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   85c0                 | test                eax, eax
            //   75c4                 | jne                 0xffffffc6

        $sequence_36 = { 56 ff74240c ff742418 e8???????? 83c40c }
            // n = 5, score = 100
            //   56                   | push                esi
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_37 = { 33db 56 57 ff742418 8b4c2420 53 }
            // n = 6, score = 100
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   53                   | push                ebx

        $sequence_38 = { c20400 8b01 56 8b742408 83660400 }
            // n = 5, score = 100
            //   c20400               | ret                 4
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   56                   | push                esi
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   83660400             | and                 dword ptr [esi + 4], 0

        $sequence_39 = { c20800 55 8bec 56 ff7508 8b750c 56 }
            // n = 7, score = 100
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   56                   | push                esi

        $sequence_40 = { e8???????? 8b4c2410 83c702 8803 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   83c702               | add                 edi, 2
            //   8803                 | mov                 byte ptr [ebx], al

    condition:
        // Match when at least 7 of the 41 sequences above are present and the
        // scanned object is smaller than 527360 bytes (515 KiB). The size cap
        // limits false positives on large binaries that happen to contain a few
        // generic sequences (e.g. the prologue/epilogue-only $sequence_14/_24).
        // NOTE(review): YARA's filesize is defined for file scans; when the rule
        // is applied to process memory it may be undefined, in which case the
        // "and" makes the whole condition false -- confirm against the YARA
        // version in use before relying on this rule for memory scanning.
        7 of them and filesize < 527360
}