In this blog post, I will describe how I wrote a config extractor for the obfuscated JavaScript-based GootLoader component. The hard part of automating the config extraction is the obfuscation: the C2 servers are just plain text in the last stage. All code is on GitHub if you are just interested in that.

# Intro

A fellow Cyberian, struppigel, recently released Samplepedia, a platform where people can drop SHA256 hashes of files along with a description, an analysis goal and some other metadata. My understanding is that the goal is to finally have a place to find interesting malware to analyze, a question I get asked a lot when teaching reverse engineering. Naturally I picked a task myself and decided to do one involving JavaScript, something I don't have a lot of exposure to as a reverse engineer (I do have some exposure to it as a forward engineer, but that's a different story).

The sample in question is 1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f and the task is:

> Create a static C2 extractor that uses abstract syntax tree transformations with Babel. You can use astexplorer.net as a helper tool.

I was particularly intrigued because I've recently seen other people be extremely successful leveraging "normal dev tooling" in the JavaScript ecosystem to tackle challenges with JavaScript-based malware. Would you like to know more?