Malware Analysis - ROKRAT Unpacking from Injected Shellcode
This ROKRAT variant injects shellcode into a cmd.exe process; the injected shellcode then decrypts a PE image in memory. We attach to the injected code with a debugger, let it run until the decrypted PE is present, and dump that payload for further analysis.
The sample is from an article published by Warren Mercer and Paul Rascagneres on talosintelligence.com (link below).
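As an added example (not code from the video, the Talos write-up or any of the tools linked below), here is a small Python script for the dump-side half of this workflow: once the shellcode has decrypted the PE inside cmd.exe and you have saved that memory region from the debugger, the script scans the raw dump for a valid PE header, recovers the on-disk layout from the section table and carves the image out. The dump produced by build_test_dump() is constructed for the test and is not the ROKRAT sample; offsets and section contents there are made up.

```python
import struct
import sys

# Added example: carve PE images out of a raw memory dump (e.g. a region saved
# from x64dbg after the injected shellcode has finished decrypting the payload).
# Not the video's own code; the test dump below is constructed, not real malware.

IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "amd64"}
MAX_SECTIONS = 96  # the Windows loader rejects more than 96 sections


def parse_pe_at(buf, off):
    """Validate a candidate PE at buf[off:] and return its layout, or None."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    # e_lfanew must point past the DOS header; a huge value means this "MZ" is junk
    if not 0x40 <= e_lfanew <= 0x400:
        return None
    pe = off + e_lfanew
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if machine not in IMAGE_FILE_MACHINE or not 1 <= nsec <= MAX_SECTIONS:
        return None
    opt = pe + 24
    if opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    # SizeOfImage (+56) and SizeOfHeaders (+60) sit at the same offsets in both formats
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sec_tbl = opt + opt_size
    if sec_tbl + 40 * nsec > len(buf):
        return None
    sections, raw_end = [], size_of_headers
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_tbl + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, raw_ptr, raw_size))
        raw_end = max(raw_end, raw_ptr + raw_size)  # end of the file-layout image
    return {"offset": off, "machine": IMAGE_FILE_MACHINE[machine], "pe32plus": magic == 0x20B,
            "num_sections": nsec, "size_of_image": size_of_image, "raw_size": raw_end,
            "sections": sections}


def find_pe_images(buf):
    """Return layout info for every candidate 'MZ' in buf that survives validation."""
    found, off = [], buf.find(b"MZ")
    while off != -1:
        info = parse_pe_at(buf, off)
        if info:
            found.append(info)
        off = buf.find(b"MZ", off + 2)
    return found


def carve_pe(buf, info, mapped=False):
    """Cut one image out of buf. A freshly decrypted, not yet loaded PE is in file
    layout (use the section table); an image the shellcode already mapped is laid
    out by virtual address, so SizeOfImage is the right length instead."""
    start = info["offset"]
    length = info["size_of_image"] if mapped else info["raw_size"]
    return buf[start:min(len(buf), start + length)]


def build_test_dump():
    """Constructed sample: a minimal PE32 with two sections, surrounded by filler that
    also holds a decoy 'MZ' with nothing resembling a PE header behind it."""
    opt_size, n_sec = 0xE0, 2
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, n_sec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # Magic: PE32
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                        # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                        # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1A0, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x80, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    image = headers + b"\xC3" * 0x200 + b"\x41" * 0x100                   # raw .text and .data
    filler = b"\xCC" * 0x40 + b"MZ" + b"\xCC" * (0x123 - 0x42)             # decoy MZ at 0x40
    return filler + image + b"\xCC" * 0x50                                  # real PE at 0x123


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_dump()
    for n, info in enumerate(find_pe_images(data)):
        out = "carved_%d.bin" % n
        open(out, "wb").write(carve_pe(data, info))
        print("%s: offset 0x%x %s sections=%d raw=0x%x image=0x%x" % (
            out, info["offset"], info["machine"], info["num_sections"],
            info["raw_size"], info["size_of_image"]))
```

Run it with the path of a region dumped from the debugger as the only argument; with no argument it carves from the constructed test dump. Validating e_lfanew, the machine type, the optional-header magic and the section count is what separates a real header from the many stray "MZ" byte pairs in a process dump. Check the carved file afterwards with PortexAnalyzer, since a truncated section table or an image that was already mapped will show up there as sections that run past the end of the file.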
Sample:
https://beta.virusbay.io/sample/brows...
https://www.hybrid-analysis.com/sampl...
Article: http://blog.talosintelligence.com/201...
Process Injection Graphic: http://struppigel.blogspot.de/2017/07...
x64dbg: https://x64dbg.com/#start
HxD: https://mh-nexus.de/en/hxd/
PortexAnalyzer batch: https://pastebin.com/Qudtr5eN
PortexAnalyzer jar: https://github.com/katjahahn/PortEx/r...
Process Explorer: https://docs.microsoft.com/en-us/sysi...