Monday, March 18, 2013

Detected suspicious payload/shellcode in linuxfr.org/images/sections/46.png

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0 (i.e. the very first byte of the file — in a PNG this is where the 8-byte PNG signature and the IHDR chunk live, so a "payload" at offset 0 must be checked against the file's own header before it is treated as injected code)

Payload emulation counters (note that SYSTEM_CALLS_COUNT, REFERENCES_TO_PROCESS_IMPORTS, CALLS_TARGETED_IMPORTS_SECTION and EIP_RETRIEVAL_INSTRUCTIONS are all 0 below: the emulated bytes never invoke the OS, never resolve an API, and contain no GetPC idiom, all of which working shellcode normally needs — the non-zero counters are only random memory reads/writes and stack pushes/pops):

WRITES_TO_PROCESS_STACK_MEMORY: 15
BUFFER_INSIDE_WRITES_COUNT: 0
REFERENCES_TO_PROCESS_INTERNALS: 0
BUFFER_OUTSIDE_WRITES_COUNT: 6
FAR_JUMPS_COUNT: 0
FULLY_INITIALIZED_INSTRUCTIONS: 92
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES: 0
PROC_CALLS_INSIDE_INV_BUFFER: 0
BUFFER_OUTSIDE_READS_COUNT: 3
UNDEFINED_DIRECT_CALLS: 0
JUMPS_INSIDE_INV_BUFFER: 3
CORRECTLY_PARSED_INSTRUCTIONS: 100
MEMORY_MODIFYING_MATH_INSTRUCTIONS: 0
BUFFER_INSIDE_READS_COUNT: 0
SYSTEM_CALLS_COUNT: 0
UNRECOGNIZED_CALL_TARGETS: 0
REFERENCES_TO_PROCESS_IMPORTS: 0
CORRECT_PROCEDURES_CALLS: 0
EIP_RETRIEVAL_INSTRUCTIONS: 0
JUMPS_TO_PROCESS_INTERNALS: 0
EXECUTED_ARITHMETIC_INSTRUCTIONS: 36
CALLS_TARGETED_IMPORTS_SECTION: 0
UNRECOGNIZED_JUMP_TARGETS: 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS: 72
REFERENCES_TO_PROCESS_EXPORTS: 0
EXECUTES_BITS_OPERATING_INSTRUCTIONS: 0
IMMEDIATE_OPERANDS_INSTRUCTIONS: 0
INDIRECT_BUFFER_REFERENCES: 21
MAX_WRITTEN_MEMORY_BLOCK: 0
CORRECTLY_EXECUTED_INSTRUCTIONS: 100
READS_FROM_PROCESS_STACK_MEMORY: 15
CALLS_TARGETED_EXPORTS_SECTION: 0


Detection disassembly:

Caveat: the emulator treats the file's bytes as x86 code, and the first instructions below are simply the PNG file header decoded as opcodes, not a payload. `MOV DS:[EAX + 0x4E],EDX` / `INC EDI` / `OR EAX,0x000A1A0A` are the encodings of the bytes 89 50 4E 47 0D 0A 1A 0A — the PNG signature. The `ADD DS:[EAX],AL` pairs and `OR EAX,0x52444849` that follow are the IHDR chunk length (00 00 00 0D) and the ASCII tag "IHDR"; `JNB 0x52` / `INC EDI` / `INC EDX` are 73 52 47 42 = "sRGB"; and `OR DS:[EAX + 0x48],ESI` / `POP ECX` / `JNB 0x00` are 09 70 48 59 73 00, the tail of a 9-byte length followed by the "pHYs" tag. Any well-formed PNG fed to the emulator at offset 0 produces a listing like this, so the flag should be confirmed by parsing the file's chunk structure and CRCs, and by looking for an actual loader (a script or page that reads this image and executes its contents) before calling it shellcode. The later runs of three identical INC/DEC/PUSH/POP instructions are consecutive repeated single byte values (0x40, 0x40, 0x40, 0x41, ...), which looks more like image data than code, though that is not verified here.

MOV DS:[EAX + 0x4E] (0x0000004E),EDX (0x00000000) ;random write instruction
INC EDI (0x00000000)
OR EAX (0x00000000),0x000A1A0A
ADD DS:[EAX] (0x000A1A0A),AL (0x0A) ;random write instruction [suspicious memory write instruction]
OR EAX (0x000A1A0A),0x52444849
ADD DS:[EAX] (0x524E5A4B),AL (0x4B) ;random write instruction [suspicious memory write instruction]
ADD DS:[ECX] (0x00000000),AL (0x4B)
ADD DS:[EAX] (0x524E5A4B),AL (0x4B) ;random write instruction [suspicious memory write instruction]
XOR DS:[EAX] (0x524E5A4B),ECX (0x00000000) ;random write instruction
ADD EAX (0x524E5A4B),DS:[EAX] (0x524E5A4B) ;random read instruction
ADD DS:[EAX] (0x524E5A4B),AL (0x4B) ;random write instruction [suspicious memory write instruction]
MOV DL (0x00),0x0B
XOR AL (0x4B),0xB6
ADD DS:[EAX] (0x524E5AFD),AL (0xFD) ;random write instruction [suspicious memory write instruction]
ADD DS:[ECX] (0x00000000),AL (0xFD)
JNB 0x52 ;random read instruction
INC EDI (0x00000001)
INC EDX (0x0000000B)
ADD DS:[ESI + 0xE91CCE] (0x00E91CCE),CH (0x00) ;random write instruction
ADD DS:[EAX] (0x524E5AFD),AL (0xFD) ;random write instruction [suspicious memory write instruction]
OR DS:[EAX + 0x48] (0x524E5B45),ESI (0x00000000) ;random write instruction
POP ECX (0x00000000)
JNB 0x00
ADD DS:[EBX] (0x00000000),CL (0x00)
ADC DS:[EAX] (0x524E5AFD),EAX (0x524E5AFD) ;random write instruction
ADD DS:[EBX] (0x00000000),CL (0x00)
ADC DS:[ECX] (0x00000000),EAX (0x524E5AFD)
JNLE 0x64 ;random read instruction
INC EAX (0x524E5AFD)
INC ECX (0x00000000)
INC ECX (0x00000001)
INC ECX (0x00000002)
INC ESP (0x0983652F)
INC ESP (0x09836530)
INC ESP (0x09836531)
INC EBP (0x00000000)
INC EBP (0x00000001)
INC EBP (0x00000002)
INC ESI (0x00000000)
INC ESI (0x00000001)
INC ESI (0x00000002)
INC EDI (0x00000002)
INC EDI (0x00000003)
INC EDI (0x00000004)
DEC EAX (0x524E5AFE)
DEC EAX (0x524E5AFD)
DEC EAX (0x524E5AFC)
DEC EDX (0x0000000C)
DEC EDX (0x0000000B)
DEC EDX (0x0000000A)
DEC EBX (0x00000000)
DEC EBX (0xFFFFFFFF)
DEC EBX (0xFFFFFFFE)
DEC ESP (0x09836532)
DEC ESP (0x09836531)
DEC ESP (0x09836530)
DEC EBP (0x00000003)
DEC EBP (0x00000002)
DEC EBP (0x00000001)
DEC ESI (0x00000003)
DEC ESI (0x00000002)
DEC ESI (0x00000001)
DEC EDI (0x00000005)
DEC EDI (0x00000004)
DEC EDI (0x00000003)
PUSH EAX (0x524E5AFB)
PUSH EAX (0x524E5AFB)
PUSH EAX (0x524E5AFB)
PUSH ECX (0x00000003)
PUSH ECX (0x00000003)
PUSH ECX (0x00000003)
PUSH EDX (0x00000009)
PUSH EDX (0x00000009)
PUSH EDX (0x00000009)
PUSH EBX (0xFFFFFFFD)
PUSH EBX (0xFFFFFFFD)
PUSH EBX (0xFFFFFFFD)
PUSH ESP (0x098364FF)
PUSH ESP (0x098364FB)
PUSH ESP (0x098364F7)
PUSH EBP (0x00000000)
PUSH EBP (0x00000000)
PUSH EBP (0x00000000)
PUSH ESI (0x00000000)
PUSH ESI (0x00000000)
PUSH ESI (0x00000000)
POP EAX (0x524E5AFB)
POP EAX (0x00000000)
POP EAX (0x00000000)
POP EDX (0x00000009)
POP EDX (0x00000000)
POP EDX (0x00000000)
POP EBX (0xFFFFFFFD)
POP EBX (0x098364F7)
POP EBX (0x098364FB)
POP ESP (0x098364FF)
POP ESP (0xFFFFFFFD)
POP ESP (0x00000000)
POP EBP (0x00000000)
POP EBP (0x00000000)