Monday, March 18, 2013

Executable code resembling shellcode decoding procedures was detected in http://lattices.qcdoc.bnl.gov/qcdoc3.bmp. Note that the statistics below (no system calls, no references to process imports or exports, no far jumps, and 100 consecutive single-byte instructions) are also consistent with raw bitmap pixel data happening to decode as x86 opcodes, so this should be treated as a heuristic hit until the bytes at the reported offset are reviewed by hand.

======== Payload investigation statistics ========
Suspicious payload offset: 117882

Emulation attribute name — Value
WRITES_TO_PROCESS_STACK_MEMORY 17
BUFFER_INSIDE_WRITES_COUNT 0
REFERENCES_TO_PROCESS_INTERNALS 0
BUFFER_OUTSIDE_WRITES_COUNT 0
FAR_JUMPS_COUNT 0
FULLY_INITIALIZED_INSTRUCTIONS 95
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0
PROC_CALLS_INSIDE_INV_BUFFER 0
BUFFER_OUTSIDE_READS_COUNT 0
UNDEFINED_DIRECT_CALLS 0
JUMPS_INSIDE_INV_BUFFER 0
CORRECTLY_PARSED_INSTRUCTIONS 100
MEMORY_MODIFYING_MATH_INSTRUCTIONS 0
BUFFER_INSIDE_READS_COUNT 0
SYSTEM_CALLS_COUNT 0
UNRECOGNIZED_CALL_TARGETS 0
REFERENCES_TO_PROCESS_IMPORTS 0
CORRECT_PROCEDURES_CALLS 0
EIP_RETRIEVAL_INSTRUCTIONS 0
JUMPS_TO_PROCESS_INTERNALS 0
EXECUTED_ARITHMETIC_INSTRUCTIONS 36
CALLS_TARGETED_IMPORTS_SECTION 0
UNRECOGNIZED_JUMP_TARGETS 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 100
REFERENCES_TO_PROCESS_EXPORTS 0
EXECUTES_BITS_OPERATING_INSTRUCTIONS 0
IMMEDIATE_OPERANDS_INSTRUCTIONS 0
INDIRECT_BUFFER_REFERENCES 40
MAX_WRITTEN_MEMORY_BLOCK 0
CORRECTLY_EXECUTED_INSTRUCTIONS 94
READS_FROM_PROCESS_STACK_MEMORY 25
CALLS_TARGETED_EXPORTS_SECTION 0

More about the Quttera investigation engine here


 ======== Detection disassembly ======== 

PUSH ECX (0x00000000)  
DEC EBP (0x00000000)   
POP EBP (0xFFFFFFFF)   
PUSH EDX (0x00000000)  
DEC ESI (0x00000000)   
POP EBP (0x00000000)   
PUSH EBX (0x00000000)  
DEC EBP (0x00000000)   
POP EDI (0x00000000)   
PUSH ESP (0x0988652F)  
DEC ESI (0xFFFFFFFF)   
POP EDI (0x00000000)   
PUSH ESP (0x0988652F)  
DEC ESI (0xFFFFFFFE)   
POP ESI (0xFFFFFFFD)   
PUSH ESP (0x0988652F)  
DEC EBP (0xFFFFFFFF)   
PUSHAD                 
PUSH ESP (0x0988650B)  
DEC EDI (0x0988652F)   
PUSHAD                 
PUSH ESP (0x098864E7)  
DEC EDI (0x0988652E)   
POP ESI (0x0988652F)   
PUSH EDX (0x00000000)  
DEC ESP (0x098864E3)   
PUSHAD                 
PUSH ESP (0x098864C2)  
DEC EDI (0x0988652D)   
POP ESI (0x098864E7)   
PUSH EDX (0x00000000)  
DEC EBP (0xFFFFFFFE)   
POPAD                  
PUSH EBP (0x098864E7)  
DEC EDI (0x00000000)   
POPAD                  
PUSH EBP (0x00000000)  
DEC EDI (0x098864E7)   
PUSHAD                 
PUSH ESP (0x098864D6)  
DEC ESI (0x00000000)   
PUSHAD                 
PUSH ESP (0x098864B2)  
DEC ESI (0xFFFFFFFF)   
PUSHAD                 
PUSH ESP (0x0988648E)  
DEC ESI (0xFFFFFFFE)   
POP EDI (0x098864E6)   
PUSH EBX (0x88652F09)  
DEC EBP (0x00000000)   
POP EDI (0x0988648E)   
PUSH EBX (0x88652F09)  
DEC EDI (0x88652F09)   
POP ESI (0xFFFFFFFD)   
PUSH EDX (0xFFFFFE09)  
DEC ESI (0x88652F09)   
POP EDI (0x88652F08)   
PUSH EBX (0x88652F09)  
DEC EDI (0xFFFFFE09)   
POP EDI (0xFFFFFE08)   
PUSH EBX (0x88652F09)  
DEC ESI (0x88652F08)   
POP EDI (0x88652F09)   
PUSH ECX (0x8864F7FF)  
DEC ESP (0x0988648A)   
POP ESI (0x88652F07)   
PUSH EAX (0x00000009)  
DEC EBX (0x88652F09)   
POP EBP (0xFFFFFFFF)   
DEC EDI (0x88652F09)   
DEC EDX (0xFFFFFE09)   
POP EBP (0x00000009)   
DEC EDI (0x88652F08)   
DEC EBX (0x88652F08)   
POP EBP (0x8864E688)   
DEC EDI (0x88652F07)   
DEC ESP (0x09886495)   
POP EBP (0xFFFFFE09)   
DEC EDI (0x88652F06)   
DEC ESP (0x09886498)   
POP ESP (0x09886497)   
DEC ESI (0x64F7FF00)   
DEC EBX (0x88652F07)   
POP EDX (0xFFFFFE08)   
DEC ESI (0x64F7FEFF)   
DEC EDX (0x00000000)   
POP EBX (0x88652F06)   
DEC EDI (0x88652F05)   
DEC EDX (0xFFFFFFFF)   
POP EBX (0x00000000)   
DEC EDI (0x88652F04)   
DEC EDX (0xFFFFFFFE)   
POP ECX (0x8864F7FF)   
DEC EBP (0x0000FFFF)   
DEC ECX (0x00000000)   
POP EAX (0x00000009)   
DEC ESP (0x9E000000)   
DEC ECX (0xFFFFFFFF)   
POP EDX (0xFFFFFFFD)   
DEC ESI (0x64F7FEFE)