Malops Challenge 8: Reversing APT 37’s RokRaT Loader
I decided to get some practice by doing a reversing challenge from Malops. Malops.io is a hands-on malware analysis training platform built by analysts for analysts. It provides realistic, guided labs and real-world malware scenarios. This challenge focuses on reversing the RokRAT loader leveraged by APT-37.
The challenge can be found here:
https://malops.io/challenges/8
1. What is the MD5 hash of the binary?
To answer this question, analysts can upload the sample to VirusTotal, use the Binary Ninja triage view, or simply run the following PowerShell command (the cmdlet is Get-FileHash):
Get-FileHash <sample> -Algorithm MD5
Answer is CF28EF5CEDA2AA7D7C149864723E5890.
2. What is the entrypoint in hex?
The entrypoint is shown as soon as the binary is loaded into Binary Ninja or Ghidra: take the address of the entry function.
Answer is 0x401000.
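Both of the answers above can also be recovered without a disassembler, straight from the PE headers. The following script is an added example written for this writeup, not code from the challenge or from Malops: it hashes a buffer with MD5 and walks the DOS header, PE signature, COFF header and optional header to compute ImageBase + AddressOfEntryPoint. The tiny PE built by build_minimal_pe() is a constructed header-only sample (it is not the challenge binary and is not executable); the 0x400000 / 0x1000 values it uses are assumptions chosen so the result lines up with the 0x401000 answer.

```python
import hashlib
import struct


def md5_hex(data: bytes) -> str:
    """Upper-case MD5 hex digest of an in-memory buffer (same value Get-FileHash prints)."""
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file on disk, read in chunks so large samples do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def parse_entrypoint(data: bytes) -> dict:
    """Return ImageBase, AddressOfEntryPoint (RVA) and the resulting entry VA of a PE image.

    Offsets follow the PE/COFF specification: e_lfanew lives at 0x3C in the DOS header,
    the optional header starts 24 bytes after the 'PE\\0\\0' signature, AddressOfEntryPoint
    sits at optional-header offset 16, and ImageBase is at offset 28 (PE32) or 24 (PE32+).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature; not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if size_opt < 32:
        raise ValueError("optional header too small to hold ImageBase")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
    }


def build_minimal_pe(entry_rva: int = 0x1000, image_base: int = 0x400000,
                     pe32plus: bool = False) -> bytes:
    """Constructed header-only PE used as sample input (assumption: not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    if pe32plus:
        opt = (struct.pack("<H", 0x20B) + b"\x00" * 14 + struct.pack("<I", entry_rva)
               + b"\x00" * 4 + struct.pack("<Q", image_base))
        machine = 0x8664
    else:
        opt = (struct.pack("<H", 0x10B) + b"\x00" * 14 + struct.pack("<I", entry_rva)
               + b"\x00" * 8 + struct.pack("<I", image_base))
        machine = 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\x00\x00" + coff + opt


if __name__ == "__main__":
    sample = build_minimal_pe()
    print("MD5:", md5_hex(sample))
    info = parse_entrypoint(sample)
    print(f"ImageBase=0x{info['image_base']:x} EntryRVA=0x{info['entry_rva']:x} "
          f"EntryVA=0x{info['entry_va']:x}")
```

To use it on the real sample, call md5_file("<sample>") and parse_entrypoint(open("<sample>", "rb").read()); the entry VA it prints is the same address Binary Ninja or Ghidra lands on when the image is mapped at its preferred base.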
3. What XOR key is used to decrypt the embedded shellcode in hex?
In the entrypoint, ntdll!RtlFillMemory is resolved via API hashing and called to fill the buffer passed as its first argument with 16 zero bytes. The next function …
IoC
CF28EF5CEDA2AA7D7C149864723E5890