Quttera web security blog: Detected suspicious payload/shellcode into linuxfr.org/images/sections/46.png

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY	15
BUFFER_INSIDE_WRITES_COUNT	0
REFERENCES_TO_PROCESS_INTERNALS	0
BUFFER_OUTSIDE_WRITES_COUNT	6
FAR_JUMPS_COUNT	0
FULLY_INITIALIZED_INSTRUCTIONS	92
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES	0
PROC_CALLS_INSIDE_INV_BUFFER	0
BUFFER_OUTSIDE_READS_COUNT	3
UNDEFINED_DIRECT_CALLS	0
JUMPS_INSIDE_INV_BUFFER	3
CORRECTLY_PARSED_INSTRUCTIONS	100
MEMORY_MODIFYING_MATH_INSTRUCTIONS	0
BUFFER_INSIDE_READS_COUNT	0
SYSTEM_CALLS_COUNT	0
UNRECOGNIZED_CALL_TARGETS	0
REFERENCES_TO_PROCESS_IMPORTS	0
CORRECT_PROCEDURES_CALLS	0
EIP_RETRIEVAL_INSTRUCTIONS	0
JUMPS_TO_PROCESS_INTERNALS	0
EXECUTED_ARITHMETIC_INSTRUCTIONS	36
CALLS_TARGETED_IMPORTS_SECTION	0
UNRECOGNIZED_JUMP_TARGETS	0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS	72
REFERENCES_TO_PROCESS_EXPORTS	0
EXECUTES_BITS_OPERATING_INSTRUCTIONS	0
IMMEDIATE_OPERANDS_INSTRUCTIONS	0
INDIRECT_BUFFER_REFERENCES	21
MAX_WRITTEN_MEMORY_BLOCK	0
CORRECTLY_EXECUTED_INSTRUCTIONS	100
READS_FROM_PROCESS_STACK_MEMORY	15
CALLS_TARGETED_EXPORTS_SECTION	0

Detection disassembly:

MOV DS:[EAX + 0x4E] (0x0000004E),EDX (0x00000000)	;random write instruction
INC EDI (0x00000000)
OR EAX (0x00000000),0x000A1A0A
ADD DS:[EAX] (0x000A1A0A),AL (0x0A)	;random write instruction [suspicious memory write instruction]
OR EAX (0x000A1A0A),0x52444849
ADD DS:[EAX] (0x524E5A4B),AL (0x4B)	;random write instruction [suspicious memory write instruction]
ADD DS:[ECX] (0x00000000),AL (0x4B)
ADD DS:[EAX] (0x524E5A4B),AL (0x4B)	;random write instruction [suspicious memory write instruction]
XOR DS:[EAX] (0x524E5A4B),ECX (0x00000000)	;random write instruction
ADD EAX (0x524E5A4B),DS:[EAX] (0x524E5A4B)	;random read instruction
ADD DS:[EAX] (0x524E5A4B),AL (0x4B)	;random write instruction [suspicious memory write instruction]
MOV DL (0x00),0x0B
XOR AL (0x4B),0xB6
ADD DS:[EAX] (0x524E5AFD),AL (0xFD)	;random write instruction [suspicious memory write instruction]
ADD DS:[ECX] (0x00000000),AL (0xFD)
JNB 0x52	;random read instruction
INC EDI (0x00000001)
INC EDX (0x0000000B)
ADD DS:[ESI + 0xE91CCE] (0x00E91CCE),CH (0x00)	;random write instruction
ADD DS:[EAX] (0x524E5AFD),AL (0xFD)	;random write instruction [suspicious memory write instruction]
OR DS:[EAX + 0x48] (0x524E5B45),ESI (0x00000000)	;random write instruction
POP ECX (0x00000000)
JNB 0x00
ADD DS:[EBX] (0x00000000),CL (0x00)
ADC DS:[EAX] (0x524E5AFD),EAX (0x524E5AFD)	;random write instruction
ADD DS:[EBX] (0x00000000),CL (0x00)
ADC DS:[ECX] (0x00000000),EAX (0x524E5AFD)
JNLE 0x64	;random read instruction
INC EAX (0x524E5AFD)
INC ECX (0x00000000)
INC ECX (0x00000001)
INC ECX (0x00000002)
INC ESP (0x0983652F)
INC ESP (0x09836530)
INC ESP (0x09836531)
INC EBP (0x00000000)
INC EBP (0x00000001)
INC EBP (0x00000002)
INC ESI (0x00000000)
INC ESI (0x00000001)
INC ESI (0x00000002)
INC EDI (0x00000002)
INC EDI (0x00000003)
INC EDI (0x00000004)
DEC EAX (0x524E5AFE)
DEC EAX (0x524E5AFD)
DEC EAX (0x524E5AFC)
DEC EDX (0x0000000C)
DEC EDX (0x0000000B)
DEC EDX (0x0000000A)
DEC EBX (0x00000000)
DEC EBX (0xFFFFFFFF)
DEC EBX (0xFFFFFFFE)
DEC ESP (0x09836532)
DEC ESP (0x09836531)
DEC ESP (0x09836530)
DEC EBP (0x00000003)
DEC EBP (0x00000002)
DEC EBP (0x00000001)
DEC ESI (0x00000003)
DEC ESI (0x00000002)
DEC ESI (0x00000001)
DEC EDI (0x00000005)
DEC EDI (0x00000004)
DEC EDI (0x00000003)
PUSH EAX (0x524E5AFB)
PUSH EAX (0x524E5AFB)
PUSH EAX (0x524E5AFB)
PUSH ECX (0x00000003)
PUSH ECX (0x00000003)
PUSH ECX (0x00000003)
PUSH EDX (0x00000009)
PUSH EDX (0x00000009)
PUSH EDX (0x00000009)
PUSH EBX (0xFFFFFFFD)
PUSH EBX (0xFFFFFFFD)
PUSH EBX (0xFFFFFFFD)
PUSH ESP (0x098364FF)
PUSH ESP (0x098364FB)
PUSH ESP (0x098364F7)
PUSH EBP (0x00000000)
PUSH EBP (0x00000000)
PUSH EBP (0x00000000)
PUSH ESI (0x00000000)
PUSH ESI (0x00000000)
PUSH ESI (0x00000000)
POP EAX (0x524E5AFB)
POP EAX (0x00000000)
POP EAX (0x00000000)
POP EDX (0x00000009)
POP EDX (0x00000000)
POP EDX (0x00000000)
POP EBX (0xFFFFFFFD)
POP EBX (0x098364F7)
POP EBX (0x098364FB)
POP ESP (0x098364FF)
POP ESP (0xFFFFFFFD)
POP ESP (0x00000000)
POP EBP (0x00000000)
POP EBP (0x00000000)

Quttera web security blog

Pages

Monday, March 18, 2013

Detected suspicious payload/shellcode into linuxfr.org/images/sections/46.png

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0

Payload emulation counters:

Detection disassembly:

No comments:

Post a Comment

emergency
249$ /yr
1 domain
Initial Response Time within 4 hrs.
Manual Malware Removal / Full Website Audit
Blacklisting removal
Web Application Firewall (WAF)
Dedicated Malware Analyst
Create Account

economy
149$ /yr
1 domain
Initial Response Time within 12 hrs.
Malware clean-up
Blacklisting removal
24/7 Access to Cybersecurity Professionals
Create Account