Payload source: http://1337day.com/exploits/19116

======== Payload investigation statistics ========

Suspicious payload offset: 0

Emulation attribute name                 Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY           0
BUFFER_INSIDE_WRITES_COUNT               23
REFERENCES_TO_PROCESS_INTERNALS          0
BUFFER_OUTSIDE_WRITES_COUNT              0
FAR_JUMPS_COUNT                          0
FULLY_INITIALIZED_INSTRUCTIONS           99
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES       1
PROC_CALLS_INSIDE_INV_BUFFER             0
BUFFER_OUTSIDE_READS_COUNT               2
UNDEFINED_DIRECT_CALLS                   0
JUMPS_INSIDE_INV_BUFFER                  25
CORRECTLY_PARSED_INSTRUCTIONS            100
MEMORY_MODIFYING_MATH_INSTRUCTIONS       0
BUFFER_INSIDE_READS_COUNT                23
SYSTEM_CALLS_COUNT                       0
UNRECOGNIZED_CALL_TARGETS                0
REFERENCES_TO_PROCESS_IMPORTS            0
CORRECT_PROCEDURES_CALLS                 0
EIP_RETRIEVAL_INSTRUCTIONS               1
JUMPS_TO_PROCESS_INTERNALS               0
EXECUTED_ARITHMETIC_INSTRUCTIONS         23
CALLS_TARGETED_IMPORTS_SECTION           0
UNRECOGNIZED_JUMP_TARGETS                0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS      0
REFERENCES_TO_PROCESS_EXPORTS            0
EXECUTES_BITS_OPERATING_INSTRUCTIONS     0
IMMEDIATE_OPERANDS_INSTRUCTIONS          0
INDIRECT_BUFFER_REFERENCES               23
MAX_WRITTEN_MEMORY_BLOCK                 0
CORRECTLY_EXECUTED_INSTRUCTIONS          100
READS_FROM_PROCESS_STACK_MEMORY          1
CALLS_TARGETED_EXPORTS_SECTION           0
-------------------------------------------------------

More about quttera investigation engine here
======== Detection disassembly ========

JMP 0x4E ;random read instruction
JMP 0x4E ;random read instruction
JMP 0x4E ;random read instruction
FCMOVBE ST0 (0x0000000000000000),ST6 (0x0000000000010000)
FNSTENV [ESP - 0xC] (0x09904523)
MOV EAX (0x00000000),0xF765BD3A
POP ESI (0x00000000)
XOR ECX (0x00000000),ECX (0x00000000)
MOV CL (0x00),0x32
XOR DS:[ESI + 0x17] (0xBF9B5F23),EAX (0xF765BD3A) ;investigation buffer write instruction
ADD EAX (0xF765BD3A),DS:[ESI + 0x17] (0xBF9B5F23) ;investigation buffer read instruction
SUB ESI (0xBF9B5F0C),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F27),EAX (0xED48BA28) ;investigation buffer write instruction
ADD EAX (0xED48BA28),DS:[ESI + 0x17] (0xBF9B5F27) ;investigation buffer read instruction
SUB ESI (0xBF9B5F10),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F2B),EAX (0xEDD2A324) ;investigation buffer write instruction
ADD EAX (0xEDD2A324),DS:[ESI + 0x17] (0xBF9B5F2B) ;investigation buffer read instruction
SUB ESI (0xBF9B5F14),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F2F),EAX (0x7732A324) ;investigation buffer write instruction
ADD EAX (0x7732A324),DS:[ESI + 0x17] (0xBF9B5F2F) ;investigation buffer read instruction
SUB ESI (0xBF9B5F18),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F33),EAX (0xDC04D509) ;investigation buffer write instruction
ADD EAX (0xDC04D509),DS:[ESI + 0x17] (0xBF9B5F33) ;investigation buffer read instruction
SUB ESI (0xBF9B5F1C),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F37),EAX (0x67352794) ;investigation buffer write instruction
ADD EAX (0x67352794),DS:[ESI + 0x17] (0xBF9B5F37) ;investigation buffer read instruction
SUB ESI (0xBF9B5F20),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F3B),EAX (0xB9C033E6) ;investigation buffer write instruction
ADD EAX (0xB9C033E6),DS:[ESI + 0x17] (0xBF9B5F3B) ;investigation buffer read instruction
SUB ESI (0xBF9B5F24),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F3F),EAX (0xE232BEFA) ;investigation buffer write instruction
ADD EAX (0xE232BEFA),DS:[ESI + 0x17] (0xBF9B5F3F) ;investigation buffer read instruction
SUB ESI (0xBF9B5F28),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F43),EAX (0x087D7609) ;investigation buffer write instruction
ADD EAX (0x087D7609),DS:[ESI + 0x17] (0xBF9B5F43) ;investigation buffer read instruction
SUB ESI (0xBF9B5F2C),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F47),EAX (0xC8AF753A) ;investigation buffer write instruction
ADD EAX (0xC8AF753A),DS:[ESI + 0x17] (0xBF9B5F47) ;investigation buffer read instruction
SUB ESI (0xBF9B5F30),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F4B),EAX (0x4510B1E6) ;investigation buffer write instruction
ADD EAX (0x4510B1E6),DS:[ESI + 0x17] (0xBF9B5F4B) ;investigation buffer read instruction
SUB ESI (0xBF9B5F34),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F4F),EAX (0x0630DDE8) ;investigation buffer write instruction
ADD EAX (0x0630DDE8),DS:[ESI + 0x17] (0xBF9B5F4F) ;investigation buffer read instruction
SUB ESI (0xBF9B5F38),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F53),EAX (0xCD31EBB7) ;investigation buffer write instruction
ADD EAX (0xCD31EBB7),DS:[ESI + 0x17] (0xBF9B5F53) ;investigation buffer read instruction
SUB ESI (0xBF9B5F3C),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F57),EAX (0x2484DC99) ;investigation buffer write instruction
ADD EAX (0x2484DC99),DS:[ESI + 0x17] (0xBF9B5F57) ;investigation buffer read instruction
SUB ESI (0xBF9B5F40),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F5B),EAX (0xAF952F24) ;investigation buffer write instruction
ADD EAX (0xAF952F24),DS:[ESI + 0x17] (0xBF9B5F5B) ;investigation buffer read instruction
SUB ESI (0xBF9B5F44),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F5F),EAX (0x7F966B66) ;investigation buffer write instruction
ADD EAX (0x7F966B66),DS:[ESI + 0x17] (0xBF9B5F5F) ;investigation buffer read instruction
SUB ESI (0xBF9B5F48),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F63),EAX (0x050EABF1) ;investigation buffer write instruction
ADD EAX (0x050EABF1),DS:[ESI + 0x17] (0xBF9B5F63) ;investigation buffer read instruction
SUB ESI (0xBF9B5F4C),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F67),EAX (0x065920B1) ;investigation buffer write instruction
ADD EAX (0x065920B1),DS:[ESI + 0x17] (0xBF9B5F67) ;investigation buffer read instruction
SUB ESI (0xBF9B5F50),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F6B),EAX (0x4EE47181) ;investigation buffer write instruction
ADD EAX (0x4EE47181),DS:[ESI + 0x17] (0xBF9B5F6B) ;investigation buffer read instruction
SUB ESI (0xBF9B5F54),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F6F),EAX (0x6F3CFC99) ;investigation buffer write instruction
ADD EAX (0x6F3CFC99),DS:[ESI + 0x17] (0xBF9B5F6F) ;investigation buffer read instruction
SUB ESI (0xBF9B5F58),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F73),EAX (0xAC20CF9A) ;investigation buffer write instruction
ADD EAX (0xAC20CF9A),DS:[ESI + 0x17] (0xBF9B5F73) ;investigation buffer read instruction
SUB ESI (0xBF9B5F5C),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F77),EAX (0x37555AE3) ;investigation buffer write instruction
ADD EAX (0x37555AE3),DS:[ESI + 0x17] (0xBF9B5F77) ;investigation buffer read instruction
SUB ESI (0xBF9B5F60),0xFC
LOOP 0xF5 ;random read instruction
XOR DS:[ESI + 0x17] (0xBF9B5F7B),EAX (0x368730E4) ;investigation buffer write instruction
ADD EAX (0x368730E4),DS:[ESI + 0x17] (0xBF9B5F7B) ;investigation buffer read instruction
SUB ESI (0xBF9B5F64),0xFC