Welcome to Malware Analysis For Hedgehogs. Today's topic is again based on an article that was published last week on Tuesday. The article is named RogueGrid Reloaded, and there have been other articles before that one, which we can guess from the title. RogueGrid is a new variant of this malware, and the article discusses what's new and what has changed, and they also say there are some similarities to another malware family, that they share code. The interesting part for me was that I wanted to get the payload, and I didn't have this file. It wasn't on VirusTotal at that point in time. It's there now, I think. But we can get the payload from the other files, those unnamed droppers here. They actually are no droppers, though, but you will see; I will explain to you why that is. Here I took the third dropper, right here, and unpacked the payload.

So how did I do that? First off, I analyzed this with PortEx Analyzer, and this is actually quite good malware to learn from, because this file right here is not obfuscated, and that makes it quite easy for beginners, I would say. Alright, so if you take a look at this, first off the visualization will show you this huge resource part, and these resources are packed. So it could be that these contain the actual payload, or maybe they contain something else. Here we can also see that, yeah, the entropy is quite high for the resource section. And there are the imports. Now in the import listing you will find imports that are very typical for code injection, and they are also listed in the anomalies list, and all of these together paint a pretty clear picture of what kind of injection is happening right here.
So we have a CreateProcess, which will be called first to create another process, usually in suspended mode. Then they call VirtualAlloc to get some memory from this other process, and then use WriteProcessMemory on that allocated memory to write the data into the other process, and then, using CreateRemoteThread, they will execute this other process and also tell it where to start the execution; CreateRemoteThread takes an address parameter that says where to start execution. So with that we can already try to find the right way. Also check out this process injection chart if you haven't already. So in this case it would be this way: using CreateProcess and then one of those, either this or that, though we didn't see NtMapViewOfSection in there, then WriteProcessMemory and CreateRemoteThread, so we guess it's this way.

I will start this in x64dbg. We have a tab with symbols here; you go to that and click on kernel32.dll. There's the CreateProcess export, double click, and now you can set a breakpoint on that, because it should be called first if they use that for the injection. So let's just try this and run. Okay, it opens up an image; the images I explain in the article in case you're interested. Now we are here at this location, and we see it wants to create a process named simd.exe. The process is not there yet (there is no such process yet), but it will be there once we are at this location. So let's run until that and step over, and now you see simd.exe is there.
Okay, we will step two times, so we step out of the CreateProcess call, and at this point we see the neatly written code for the injection part, right? So it calls CreateProcess, VirtualAlloc, WriteProcessMemory and CreateRemoteThread; those are the main APIs used for the injection. And there are two APIs you can use to get the code that is being injected. Now WriteProcessMemory has the buffer which contains the data that should be written to the other process, so here you can see the code in the buffer. And CreateRemoteThread has the start address where the code execution is started in the other process, so that's also where your injected code has been written to. So both of them are possible, and I think we should take the second one, so we can continue debugging in the other process. So let's do that and run to this CreateRemoteThread call. We can see this is the address where the code execution will start, and this address is not for the current process but for the other process, right? It's for simd.exe. So we want to attach to this other process before we continue. We open up another instance of that and say attach, simd.exe, attach. And now, what was the address again? We go to that address, 26000. This might be a different address if you try this on your machine; even if you try it several times, every time it will be a different address. So just take that one, 26000. What am I doing? Okay, we will go to expression, right, and that's the address. We place a breakpoint right here, go to the RogueGrid sample and just say run. Okay, now it terminated, RogueGrid terminated. We can see RogueGrid is indeed not there anymore, but simd.exe is still running, and we also stopped execution at the breakpoint that we set. So here we are.

I had one bad thing happening: I pressed run and I had no breakpoint, so I had to redo the first part again. We are at the CreateRemoteThread call again, so 1900 is the location this time. We already set the breakpoint, and here we are.
So here we are. Now from the article we know that this is shellcode which will decode a PE file. Somewhere in the article it will say so; that's the part there: once executed, the shellcode will decode the PE file, which is the payload we want. So we are looking for a loop that will decode the PE image, and such a loop will have some kind of decoding or decrypting operation, which is interesting for us. Okay, so if we step through the code, we see the first loop right here, and there's also an XOR operation, and that points at ESI, and ESI is here, 19003F. That will be a different address for you, but if you look here, it's starting here. So the decoding operation is starting kind of here; the decoding operation affects the code that follows right after, so we can simply see how the instructions change right below. And that's not the PE file that's being decoded there. Simply set a breakpoint after the loop to jump out of it, and then you see, okay, it just decrypted these instructions below, which might be part of the decryption process.

Okay, we will step through and see what we find. Here's another loop, but this loop doesn't do anything; it just moves some data from somewhere to somewhere, not interesting. We set a breakpoint here to jump out of the loop. Okay, we jump into this call and look out for more XOR operations. Here, that's interesting. Okay, you see here's the loop that goes up to the XOR operation, so this is an interesting one: again ESI plus the counter, so the counter will increase every time, and that's the location we will follow in Dump 1. And set a breakpoint here. That didn't work; please set a breakpoint. I guess that's what happened before. And then set a breakpoint after the loop in case you jump out of it. If you press F9 and look into the hex view, you can see how this PE image is being decrypted, so this is what we want. Remove the breakpoint, jump out of the loop, and you see our PE image right here. That's also at 1900-something in my case; again, on your computer it will be a different address, but take note of that address and then find that area in the memory map. That's here, oh sorry, here. Right click and dump to file, so we say dumped.exe, and just close the debugger, we don't need that anymore, and open this file in the hex editor, because you see that the PE image starts later in the memory dump, so we remove the junk before that. Yes, remove that and save that, and now we have our payload.

To verify, you may want to look for some stuff you find in the article. For example, there is a mention of the Dropbox API, so simply search for that, Dropbox. Okay, can't find it, so check the Unicode string option, set search direction to all, and there it is. So okay, that's indeed our payload, and we did it. So that's what I wanted to show you in this article again. I think you may want to proceed analyzing this payload and see if you also come to the same conclusions as this article does. I think articles are a great way to learn analyzing malware, because you can compare what you find in there, and sometimes you find addresses in the screenshots or in the explanation, so you can find the same location, or you search for strings that you find in the article to find the same location and compare. All right, that's it for today. Thanks for watching, and I hope to see you next time.
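The last two manual steps above (trimming the junk before the PE image in the hex editor, then finding the Dropbox string only when searching as Unicode) can be scripted. This is an added Python example, not code from the video or from the malware; the function names are my own, and the dump bytes are constructed inline as a stand-in for the real dumped.exe.

```python
import struct

def find_pe_offset(buf: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at a valid 'PE\\0\\0'
    signature, or -1. A stray 'MZ' in the decoder junk is not enough."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and sig + 4 <= len(buf) and buf[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1

def carve_pe(buf: bytes) -> bytes:
    """Drop everything before the PE image, as done by hand in the hex editor."""
    off = find_pe_offset(buf)
    if off < 0:
        raise ValueError("no PE image found in dump")
    return buf[off:]

def find_string(buf: bytes, text: str) -> dict:
    """Search both ASCII and UTF-16LE, i.e. the hex editor's 'Unicode' option."""
    return {"ascii": buf.find(text.encode("ascii")),
            "utf16le": buf.find(text.encode("utf-16-le"))}

def build_sample_dump() -> bytes:
    """Constructed stand-in for dumped.exe: decoder leftovers (with a decoy
    'MZ'), then a minimal PE whose body holds a UTF-16 'Dropbox API' string."""
    junk = b"\x31\xc0MZ\x90\x90" + b"\xcc" * 20           # 26 bytes, decoy 'MZ' at offset 2
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: NT headers follow the DOS header
    nt = b"PE\0\0" + b"\x4c\x01" + b"\0" * 18            # signature + Machine=i386, padded
    body = b"\0" * 16 + "Dropbox API".encode("utf-16-le") + b"\0" * 8
    return junk + bytes(dos) + nt + body

if __name__ == "__main__":
    dump = build_sample_dump()
    payload = carve_pe(dump)
    print("PE image at offset", find_pe_offset(dump), "size", len(payload))
    print("Dropbox:", find_string(payload, "Dropbox"))   # ascii -1, utf16le found
```

On a real dump, read dumped.exe into `buf` and write `carve_pe(buf)` back out; the ASCII miss and UTF-16 hit for "Dropbox" mirror what happened in the hex editor.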