Monday, March 18, 2013

Executable code similar to shellcodes decoding procedures detected into http://lattices.qcdoc.bnl.gov/qcdoc3.bmp 

======== Payload investigation statistics ========


Suspicios payload offset:       117882

Emulation attribute name   Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY            17
-------------------------------------------------------
BUFFER_INSIDE_WRITES_COUNT                0
-------------------------------------------------------
REFERENCES_TO_PROCESS_INTERNALS           0
-------------------------------------------------------
BUFFER_OUTSIDE_WRITES_COUNT               0
-------------------------------------------------------
FAR_JUMPS_COUNT                           0
-------------------------------------------------------
FULLY_INITIALIZED_INSTRUCTIONS            95
-------------------------------------------------------
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES        0
-------------------------------------------------------
PROC_CALLS_INSIDE_INV_BUFFER              0
-------------------------------------------------------
BUFFER_OUTSIDE_READS_COUNT                0
-------------------------------------------------------
UNDEFINED_DIRECT_CALLS                    0
-------------------------------------------------------
JUMPS_INSIDE_INV_BUFFER                   0
-------------------------------------------------------
CORRECTLY_PARSED_INSTRUCTIONS             100
-------------------------------------------------------
MEMORY_MODIFYING_MATH_INSTRUCTIONS        0
-------------------------------------------------------
BUFFER_INSIDE_READS_COUNT                 0
-------------------------------------------------------
SYSTEM_CALLS_COUNT                        0
-------------------------------------------------------
UNRECOGNIZED_CALL_TARGETS                 0
-------------------------------------------------------
REFERENCES_TO_PROCESS_IMPORTS             0
-------------------------------------------------------
CORRECT_PROCEDURES_CALLS                  0
-------------------------------------------------------
EIP_RETRIEVAL_INSTRUCTIONS                0
-------------------------------------------------------
JUMPS_TO_PROCESS_INTERNALS                0
-------------------------------------------------------
EXECUTED_ARITHMETIC_INSTRUCTIONS          36
-------------------------------------------------------
CALLS_TARGETED_IMPORTS_SECTION            0
-------------------------------------------------------
UNRECOGNIZED_JUMP_TARGETS                 0
-------------------------------------------------------
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS       100
-------------------------------------------------------
REFERENCES_TO_PROCESS_EXPORTS             0
-------------------------------------------------------
EXECUTES_BITS_OPERATING_INSTRUCTIONS      0
-------------------------------------------------------
IMMEDIATE_OPERANDS_INSTRUCTIONS           0
-------------------------------------------------------
INDIRECT_BUFFER_REFERENCES                40
-------------------------------------------------------
MAX_WRITTEN_MEMORY_BLOCK                  0
-------------------------------------------------------
CORRECTLY_EXECUTED_INSTRUCTIONS           94
-------------------------------------------------------
READS_FROM_PROCESS_STACK_MEMORY           25
-------------------------------------------------------
CALLS_TARGETED_EXPORTS_SECTION            0
-------------------------------------------------------


More about quttera investigation engine here



 ======== Detection disassembly ======== 

PUSH ECX (0x00000000)  
DEC EBP (0x00000000)   
POP EBP (0xFFFFFFFF)   
PUSH EDX (0x00000000)  
DEC ESI (0x00000000)   
POP EBP (0x00000000)   
PUSH EBX (0x00000000)  
DEC EBP (0x00000000)   
POP EDI (0x00000000)   
PUSH ESP (0x0988652F)  
DEC ESI (0xFFFFFFFF)   
POP EDI (0x00000000)   
PUSH ESP (0x0988652F)  
DEC ESI (0xFFFFFFFE)   
POP ESI (0xFFFFFFFD)   
PUSH ESP (0x0988652F)  
DEC EBP (0xFFFFFFFF)   
PUSHAD                 
PUSH ESP (0x0988650B)  
DEC EDI (0x0988652F)   
PUSHAD                 
PUSH ESP (0x098864E7)  
DEC EDI (0x0988652E)   
POP ESI (0x0988652F)   
PUSH EDX (0x00000000)  
DEC ESP (0x098864E3)   
PUSHAD                 
PUSH ESP (0x098864C2)  
DEC EDI (0x0988652D)   
POP ESI (0x098864E7)   
PUSH EDX (0x00000000)  
DEC EBP (0xFFFFFFFE)   
POPAD                  
PUSH EBP (0x098864E7)  
DEC EDI (0x00000000)   
POPAD                  
PUSH EBP (0x00000000)  
DEC EDI (0x098864E7)   
PUSHAD                 
PUSH ESP (0x098864D6)  
DEC ESI (0x00000000)   
PUSHAD                 
PUSH ESP (0x098864B2)  
DEC ESI (0xFFFFFFFF)   
PUSHAD                 
PUSH ESP (0x0988648E)  
DEC ESI (0xFFFFFFFE)   
POP EDI (0x098864E6)   
PUSH EBX (0x88652F09)  
DEC EBP (0x00000000)   
POP EDI (0x0988648E)   
PUSH EBX (0x88652F09)  
DEC EDI (0x88652F09)   
POP ESI (0xFFFFFFFD)   
PUSH EDX (0xFFFFFE09)  
DEC ESI (0x88652F09)   
POP EDI (0x88652F08)   
PUSH EBX (0x88652F09)  
DEC EDI (0xFFFFFE09)   
POP EDI (0xFFFFFE08)   
PUSH EBX (0x88652F09)  
DEC ESI (0x88652F08)   
POP EDI (0x88652F09)   
PUSH ECX (0x8864F7FF)  
DEC ESP (0x0988648A)   
POP ESI (0x88652F07)   
PUSH EAX (0x00000009)  
DEC EBX (0x88652F09)   
POP EBP (0xFFFFFFFF)   
DEC EDI (0x88652F09)   
DEC EDX (0xFFFFFE09)   
POP EBP (0x00000009)   
DEC EDI (0x88652F08)   
DEC EBX (0x88652F08)   
POP EBP (0x8864E688)   
DEC EDI (0x88652F07)   
DEC ESP (0x09886495)   
POP EBP (0xFFFFFE09)   
DEC EDI (0x88652F06)   
DEC ESP (0x09886498)   
POP ESP (0x09886497)   
DEC ESI (0x64F7FF00)   
DEC EBX (0x88652F07)   
POP EDX (0xFFFFFE08)   
DEC ESI (0x64F7FEFF)   
DEC EDX (0x00000000)   
POP EBX (0x88652F06)   
DEC EDI (0x88652F05)   
DEC EDX (0xFFFFFFFF)   
POP EBX (0x00000000)   
DEC EDI (0x88652F04)   
DEC EDX (0xFFFFFFFE)   
POP ECX (0x8864F7FF)   
DEC EBP (0x0000FFFF)   
DEC ECX (0x00000000)   
POP EAX (0x00000009)   
DEC ESP (0x9E000000)   
DEC ECX (0xFFFFFFFF)   
POP EDX (0xFFFFFFFD)   
DEC ESI (0x64F7FEFE)
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)