Malware Analysis - ROKRAT Unpacking from Injected Shellcode


The newest ROKRAT variant injects shellcode into cmd.exe; the injected code then decrypts a PE image in memory. We debug the injected code to obtain the decrypted payload.
The sample comes from an article published by Warren Mercer and Paul Rascagneres on talosintelligence.com (link below).

Sample:
https://beta.virusbay.io/sample/brows...
https://www.hybrid-analysis.com/sampl...

Article: http://blog.talosintelligence.com/201...

Process Injection Graphic: http://struppigel.blogspot.de/2017/07...

x64dbg: https://x64dbg.com/#start
HxD: https://mh-nexus.de/en/hxd/
PortexAnalyzer batch: https://pastebin.com/Qudtr5eN
PortexAnalyzer jar: https://github.com/katjahahn/PortEx/r...
Process Explorer: https://docs.microsoft.com/en-us/sysi...

Reviewed by Anonymous on January 14, 2018