Monday, March 18, 2013

Quttera investigation engine successfully detected an exploit for CoolPlayer+ Portable 2.19.2


Payload source: http://1337day.com/exploits/19116

======== Payload investigation statistics ========

Suspicious payload offset:      0

Emulation attribute name   Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY            0
-------------------------------------------------------
BUFFER_INSIDE_WRITES_COUNT                23
-------------------------------------------------------
REFERENCES_TO_PROCESS_INTERNALS           0
-------------------------------------------------------
BUFFER_OUTSIDE_WRITES_COUNT               0
-------------------------------------------------------
FAR_JUMPS_COUNT                           0
-------------------------------------------------------
FULLY_INITIALIZED_INSTRUCTIONS            99
-------------------------------------------------------
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES        1
-------------------------------------------------------
PROC_CALLS_INSIDE_INV_BUFFER              0
-------------------------------------------------------
BUFFER_OUTSIDE_READS_COUNT                2
-------------------------------------------------------
UNDEFINED_DIRECT_CALLS                    0
-------------------------------------------------------
JUMPS_INSIDE_INV_BUFFER                   25
-------------------------------------------------------
CORRECTLY_PARSED_INSTRUCTIONS             100
-------------------------------------------------------
MEMORY_MODIFYING_MATH_INSTRUCTIONS        0
-------------------------------------------------------
BUFFER_INSIDE_READS_COUNT                 23
-------------------------------------------------------
SYSTEM_CALLS_COUNT                        0
-------------------------------------------------------
UNRECOGNIZED_CALL_TARGETS                 0
-------------------------------------------------------
REFERENCES_TO_PROCESS_IMPORTS             0
-------------------------------------------------------
CORRECT_PROCEDURES_CALLS                  0
-------------------------------------------------------
EIP_RETRIEVAL_INSTRUCTIONS                1
-------------------------------------------------------
JUMPS_TO_PROCESS_INTERNALS                0
-------------------------------------------------------
EXECUTED_ARITHMETIC_INSTRUCTIONS          23
-------------------------------------------------------
CALLS_TARGETED_IMPORTS_SECTION            0
-------------------------------------------------------
UNRECOGNIZED_JUMP_TARGETS                 0
-------------------------------------------------------
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS       0
-------------------------------------------------------
REFERENCES_TO_PROCESS_EXPORTS             0
-------------------------------------------------------
EXECUTES_BITS_OPERATING_INSTRUCTIONS      0
-------------------------------------------------------
IMMEDIATE_OPERANDS_INSTRUCTIONS           0
-------------------------------------------------------
INDIRECT_BUFFER_REFERENCES                23
-------------------------------------------------------
MAX_WRITTEN_MEMORY_BLOCK                  0
-------------------------------------------------------
CORRECTLY_EXECUTED_INSTRUCTIONS           100
-------------------------------------------------------
READS_FROM_PROCESS_STACK_MEMORY           1
-------------------------------------------------------
CALLS_TARGETED_EXPORTS_SECTION            0
-------------------------------------------------------


More about the Quttera investigation engine here.


 ======== Detection disassembly ======== 

; Emulation trace of the flagged payload (32-bit x86). This is emulator output, not
; assembler source. The value in parentheses after a register appears to be that
; register's content before the instruction runs; the value after a memory operand
; appears to be the effective address accessed (0xBF9B5F0C + 0x17 = 0xBF9B5F23 on the
; first XOR). The ";..." labels in the right-hand column are the engine's own tags;
; the page does not define them.
;
; What the trace shows: a short self-decoding stub. It recovers its own address through
; the FPU environment (FCMOVBE / FNSTENV / POP, no CALL involved) and then XOR-decodes
; the bytes that follow it one dword at a time, adding each decoded dword into the key.
; NOTE(review): this layout matches the widely documented polymorphic XOR
; additive-feedback decoder stubs (Metasploit's shikata_ga_nai emits this shape);
; the attribution is inferred from the instruction pattern only.
; Detection-relevant traits: an FPU instruction followed by FNSTENV [ESP - 0xC] and a
; POP, and a tight loop that writes to and then reads from its own buffer.
;
; Three identical relative jumps are traced before the stub; the bytes they pass over
; are not shown in this listing.
JMP 0x4E                                                  ;random read instruction
JMP 0x4E                                                  ;random read instruction
JMP 0x4E                                                  ;random read instruction
FCMOVBE ST0 (0x0000000000000000),ST6 (0x0000000000010000) ;any FPU op: its address becomes the FPU last-instruction pointer
FNSTENV [ESP - 0xC] (0x09904523)                          ;store FPU env at ESP-0xC so that pointer field (env offset 0xC) lands at [ESP]
MOV EAX (0x00000000),0xF765BD3A                           ;EAX = initial XOR key
POP ESI (0x00000000)                                      ;ESI = address of the FCMOVBE above (0xBF9B5F0C in this run)
XOR ECX (0x00000000),ECX (0x00000000)                     ;clear ECX before loading the count
MOV CL (0x00),0x32                                        ;ECX = 0x32 (50) dwords to decode, i.e. 200 bytes
; Loop body, one dword per pass:
;   XOR  [ESI + 0x17],EAX   decode the dword in place
;   ADD  EAX,[ESI + 0x17]   fold the decoded dword into the key, so the key changes every pass
;   SUB  ESI,0xFC           0xFC is -4 as a signed byte, so ESI advances by 4
;   LOOP 0xF5               ECX -= 1; branch back to the XOR while ECX != 0
; EAX goes 0xF765BD3A -> 0xED48BA28 across the first pass, so the first decoded dword is
; 0xF5E2FCEE (bytes EE FC E2 F5 in memory). Those bytes look like the tail of the
; SUB ESI,0xFC encoding followed by LOOP 0xF5, i.e. the first pass appears to rewrite
; the end of the stub itself -- TODO confirm against the raw payload bytes.
XOR DS:[ESI + 0x17] (0xBF9B5F23),EAX (0xF765BD3A)         ;investigation buffer write instruction
ADD EAX (0xF765BD3A),DS:[ESI + 0x17] (0xBF9B5F23)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F0C),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
; Passes 2-23 follow. The listing ends after 100 traced instructions (the
; CORRECTLY_EXECUTED_INSTRUCTIONS figure in the statistics) with ECX still non-zero, so
; only 23 of the 50 dwords are decoded here -- presumably an emulation limit. The
; decoded payload itself never appears in this trace.
XOR DS:[ESI + 0x17] (0xBF9B5F27),EAX (0xED48BA28)         ;investigation buffer write instruction
ADD EAX (0xED48BA28),DS:[ESI + 0x17] (0xBF9B5F27)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F10),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F2B),EAX (0xEDD2A324)         ;investigation buffer write instruction
ADD EAX (0xEDD2A324),DS:[ESI + 0x17] (0xBF9B5F2B)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F14),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F2F),EAX (0x7732A324)         ;investigation buffer write instruction
ADD EAX (0x7732A324),DS:[ESI + 0x17] (0xBF9B5F2F)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F18),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F33),EAX (0xDC04D509)         ;investigation buffer write instruction
ADD EAX (0xDC04D509),DS:[ESI + 0x17] (0xBF9B5F33)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F1C),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F37),EAX (0x67352794)         ;investigation buffer write instruction
ADD EAX (0x67352794),DS:[ESI + 0x17] (0xBF9B5F37)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F20),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F3B),EAX (0xB9C033E6)         ;investigation buffer write instruction
ADD EAX (0xB9C033E6),DS:[ESI + 0x17] (0xBF9B5F3B)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F24),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F3F),EAX (0xE232BEFA)         ;investigation buffer write instruction
ADD EAX (0xE232BEFA),DS:[ESI + 0x17] (0xBF9B5F3F)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F28),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F43),EAX (0x087D7609)         ;investigation buffer write instruction
ADD EAX (0x087D7609),DS:[ESI + 0x17] (0xBF9B5F43)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F2C),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F47),EAX (0xC8AF753A)         ;investigation buffer write instruction
ADD EAX (0xC8AF753A),DS:[ESI + 0x17] (0xBF9B5F47)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F30),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F4B),EAX (0x4510B1E6)         ;investigation buffer write instruction
ADD EAX (0x4510B1E6),DS:[ESI + 0x17] (0xBF9B5F4B)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F34),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F4F),EAX (0x0630DDE8)         ;investigation buffer write instruction
ADD EAX (0x0630DDE8),DS:[ESI + 0x17] (0xBF9B5F4F)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F38),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F53),EAX (0xCD31EBB7)         ;investigation buffer write instruction
ADD EAX (0xCD31EBB7),DS:[ESI + 0x17] (0xBF9B5F53)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F3C),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F57),EAX (0x2484DC99)         ;investigation buffer write instruction
ADD EAX (0x2484DC99),DS:[ESI + 0x17] (0xBF9B5F57)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F40),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F5B),EAX (0xAF952F24)         ;investigation buffer write instruction
ADD EAX (0xAF952F24),DS:[ESI + 0x17] (0xBF9B5F5B)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F44),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F5F),EAX (0x7F966B66)         ;investigation buffer write instruction
ADD EAX (0x7F966B66),DS:[ESI + 0x17] (0xBF9B5F5F)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F48),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F63),EAX (0x050EABF1)         ;investigation buffer write instruction
ADD EAX (0x050EABF1),DS:[ESI + 0x17] (0xBF9B5F63)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F4C),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F67),EAX (0x065920B1)         ;investigation buffer write instruction
ADD EAX (0x065920B1),DS:[ESI + 0x17] (0xBF9B5F67)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F50),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F6B),EAX (0x4EE47181)         ;investigation buffer write instruction
ADD EAX (0x4EE47181),DS:[ESI + 0x17] (0xBF9B5F6B)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F54),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F6F),EAX (0x6F3CFC99)         ;investigation buffer write instruction
ADD EAX (0x6F3CFC99),DS:[ESI + 0x17] (0xBF9B5F6F)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F58),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F73),EAX (0xAC20CF9A)         ;investigation buffer write instruction
ADD EAX (0xAC20CF9A),DS:[ESI + 0x17] (0xBF9B5F73)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F5C),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F77),EAX (0x37555AE3)         ;investigation buffer write instruction
ADD EAX (0x37555AE3),DS:[ESI + 0x17] (0xBF9B5F77)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F60),0xFC                                  
LOOP 0xF5                                                 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F7B),EAX (0x368730E4)         ;investigation buffer write instruction
ADD EAX (0x368730E4),DS:[ESI + 0x17] (0xBF9B5F7B)         ;investigation buffer read instruction
SUB ESI (0xBF9B5F64),0xFC