Gootkit is an advanced banking trojan first discovered in mid-2014. Known for using various techniques to evade detection, the malware also has its own unique twists: it’s partially written in JavaScript and it incorporates the node.js runtime environment.
Gootkit employs several checks in order to identify a virtual environment and halt its propagation sequence once that happens. In this post, we’ll demonstrate a way to tackle these anti-research methods in order to have the sample executing in a virtual environment.
First Glance
Running the sample in a virtual machine results in the creation of several threads, but no modifications to the system are made. Without interruptions, Gootkit’s process would continue to run forever.
Running the sample in a debugger allows us to interrupt the process and inspect its execution flow. Whenever the debugger is paused, Gootkit’s process is sleeping.