From 3150bd8cbed9f6086bad784bfb1ce64d1ffbff75 Mon Sep 17 00:00:00 2001
From: Andy Morales <39770126+andy2002a@users.noreply.github.com>
Date: Fri, 26 Jul 2024 15:03:33 -0400
Subject: [PATCH] Update GootLoaderAutoJsDecode.py
Fixed scheduled tasks and second stage File name parsing on new samples: d5e60e0941ebcef5436406a7ecf1d0f1
---
 GootLoaderAutoJsDecode.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/GootLoaderAutoJsDecode.py b/GootLoaderAutoJsDecode.py
index 901dd24..a748318 100644
--- a/GootLoaderAutoJsDecode.py
+++ b/GootLoaderAutoJsDecode.py
@@ -4,8 +4,8 @@
 # author : @andy2002a - Andy Morales
 # author : @g0vandS - Govand Sinjari
 # date : 2023-01-13
-# updated : 2024-01-08
-# version : 3.7
+# updated : 2024-07-26
+# version : 3.7.2
 # usage : python GootLoaderAutoJsDecode.py malicious.js
 # output : DecodedJsPayload.js_ and GootLoader3Stage2.js_
 # py version : 3
@@ -196,7 +196,16 @@ def getFileandTaskData(inputString):
 '''"((?:.{3,30}?\|.{3,30}){5,})";''' # Find: "text|text2|text3";
 )
- splitTextArray = splitTextPattern.search(inputString).group(1).split('|')
+ try:
+ splitTextArray = splitTextPattern.search(inputString).group(1).split('|')
+ except:
+ # some new samples are using @ as a separator rather than | : MD5: d5e60e0941ebcef5436406a7ecf1d0f1
+ splitTextPattern= re.compile(
+ '''"((?:.{3,30}?\@.{3,30}){5,})";''' # Find: "text@text2@text3";
+ )
+
+ splitTextArray = splitTextPattern.search(inputString).group(1).split('@')
+
 # un-rotate the strings
 fixedStrings = []
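Review bot: The fallback inside the new `except:` still dereferences `splitTextPattern.search(inputString).group(1)` without checking for a match, so a sample that uses neither `|` nor `@` raises an AttributeError from inside the handler, and the bare `except:` also swallows KeyboardInterrupt and any unrelated error from the first lookup rather than only the no-match case. Testing the match object explicitly keeps the same `|`-then-`@` order while making the failure reportable with a message that names what was not found. The `@` pattern can be a raw string, since `\@` in a normal string literal is an invalid escape that newer Python versions warn about, and the comment carrying the sample MD5 should stay on the fallback branch. getFileandTaskData begins and ends outside this hunk.
```python
    match = splitTextPattern.search(inputString)
    separator = '|'
    if match is None:
        # some new samples are using @ as a separator rather than | : MD5: d5e60e0941ebcef5436406a7ecf1d0f1
        splitTextPattern = re.compile(
            r'''"((?:.{3,30}?@.{3,30}){5,})";'''  # Find: "text@text2@text3";
        )
        match = splitTextPattern.search(inputString)
        separator = '@'
    if match is None:
        raise ValueError('unable to locate the separator-joined string array in the sample')
    splitTextArray = match.group(1).split(separator)
    # … unchanged: un-rotate the strings …
```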
@@ -371,7 +380,10 @@ def parseRound2Data(round2InputStr, round1InputStr, variablesDict, isGootloader3
 print('GootLoader Obfuscation Variant 3.0 sample detected.')
 # File Names and scheduled task
- getFileandTaskData(decodeString(round1InputStr.encode('raw_unicode_escape').decode('unicode_escape')))
+ try:
+ getFileandTaskData(decodeString(round1InputStr.encode('raw_unicode_escape').decode('unicode_escape')))
+ except:
+ print('Unable to parse Scheduled Task and Second Stage File Names')
 global goot3detected
 goot3detected = True
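Review bot: The new `except:` around the getFileandTaskData call is a bare except, so it also catches KeyboardInterrupt and SystemExit and discards the actual error, leaving an analyst with no hint whether the sample used an unknown separator or the decoder itself broke. Narrow it and surface the reason: `except Exception as err:` followed by `print('Unable to parse Scheduled Task and Second Stage File Names: ' + str(err))`. Because the function then still sets goot3detected and continues, that message is the only evidence that the task and file-name output is missing for this sample. parseRound2Data begins and ends outside this hunk.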